I am trying to share a Google service account email address in a Workspace that doesn't allow sharing items outside the workspace domain. Admins added the iam.gserviceaccount.com domain to the whitelisted domains, but there don't appear to be any settings in the admin console to allow shared drive items to be shared externally with this whitelisted domain.
Hi @seelms, I did a test on my side. I restricted sharing from my test organization and whitelisted 'iam.gserviceaccount.com'. After this action I got an alert in the admin console.
Unfortunately, according to the HC article, a service account isn't supported as a trusted domain. So you would instead need to use API-specific authorization and the scopes that article recommends.
Hope this helps,
Best,
Marcin
Bad security decisions here by Google -- it's driving people to give service accounts domain-wide delegation access to all files, which is dangerous. Service accounts set up in an organization's google cloud should be able to have files in drive *selectively* shared with them, even for domains that have turned off external sharing.
The best solution we've found is to allow a few trusted people to share drive files externally, put them in a sub-organization where external sharing can be on, and assign ownership of all drive files which need to be accessed by service accounts to those trusted team members.
@Marcin_Milewski Recently I have encountered a similar issue. Unfortunately I do not have access to my client's Workspace console, but what if we try whitelisting the exact domain for my GCP project?
Example: if I have a service account named app1@<my-project-app1>.iam.gserviceaccount.com, then can we simply whitelist the <my-project-app1>.iam.gserviceaccount.com domain instead of iam.gserviceaccount.com? Will it reduce the risk scope?
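An added example, not written by any poster in this thread: a small Python check of how much each allowlist form in the question above would cover, under the assumption that a trusted-domain entry matches an address whose domain equals the entry or is a subdomain of it on a label boundary. The thread's own answer is that a service-account domain is not honored as a trusted domain at all, so this only models the scope difference the question asks about; it is not a statement about what the admin console does. The only fact relied on is the documented service-account address format NAME@PROJECT_ID.iam.gserviceaccount.com. All addresses below are constructed.

```python
from typing import List, Optional

# Added example (not from the thread). It compares the reach of the two
# allowlist entries discussed above, assuming only that service accounts
# are addressed as NAME@PROJECT_ID.iam.gserviceaccount.com.


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def domain_allowed(email: str, allowlist: List[str]) -> bool:
    """True if the address's domain equals an allowlisted domain or is a
    subdomain of it. Matching is on a label boundary ('.' + entry), never
    by plain substring, so lookalike suffixes do not slip through."""
    domain = email_domain(email)
    if domain is None:
        return False
    for entry in allowlist:
        entry = entry.lower().strip(".")
        if domain == entry or domain.endswith("." + entry):
            return True
    return False


def covered_accounts(accounts: List[str], allowlist: List[str]) -> List[str]:
    """Sorted list of the addresses an allowlist would let sharing reach."""
    return sorted(a for a in accounts if domain_allowed(a, allowlist))


# Constructed sample addresses (hypothetical projects, not real accounts).
ACCOUNTS = [
    "app1@my-project-app1.iam.gserviceaccount.com",      # the project in the question
    "etl@my-project-app1.iam.gserviceaccount.com",       # another SA in the same project
    "sync@some-other-project.iam.gserviceaccount.com",   # an unrelated project
    "attacker@attacker-sandbox.iam.gserviceaccount.com", # anyone's project
    "bob@iam.gserviceaccount.com.evil.example",          # suffix lookalike, must not match
    "carol@notiam.gserviceaccount.com",                  # substring lookalike, must not match
    "dave@example.com",
]

# The two entries compared in the question.
BROAD = ["iam.gserviceaccount.com"]
NARROW = ["my-project-app1.iam.gserviceaccount.com"]

if __name__ == "__main__":
    print("broad entry covers: ", covered_accounts(ACCOUNTS, BROAD))
    print("narrow entry covers:", covered_accounts(ACCOUNTS, NARROW))
```

Under this model the bare iam.gserviceaccount.com entry covers every service account in every GCP project, including ones an attacker creates, while the project-qualified entry covers only the service accounts of that one project. The label-boundary check matters because a substring test would also accept addresses like the two lookalikes in the sample.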