Domain-Wide Delegation of Authority in GSuite
This is going to be a short blog post, part of the “Continuous Visibility into Ephemeral Cloud Environments” series, with operational notes on the process to follow to set up Domain-Wide Delegation of Authority in GSuite, so that (security) tools running in GCP can interface with the GSuite APIs.
The Need for Domain-Wide Delegation of Authority
On the Google Developers Blog, “G Suite Domain-Wide Delegation of Authority” is defined as follows:
In enterprise applications you may want to programmatically access a user’s data without any manual authorization on their part. In G Suite domains, the domain administrator can grant third-party applications with domain-wide access to its users’ data — this is known as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
For this to work, though, the tools require a service account with Domain-Wide Delegation.
The goal is to end up with two accounts (we will use RBACSync for this example):
- One “robot” GSuite account (rbacsync-bot) that acts as a “delegator” to a service account.
- One Service Account (rbacsync-sa) in a GCP Project that will act as a “delegate”.
The credentials of the service account can then be provided to the security tools (in this case RBACSync) to allow them to read the GSuite Directory API.
The ones below are operational notes I created (and tested working with RBACSync) to set up Domain-Wide Delegation in GSuite, mainly coming from merging and complementing 3 different sources.
1️⃣️ Create an Account in GSuite
- Create a new GSuite account, named rbacsync-bot.
- Create a custom role which grants read-only access to the Admin API on organisational units, users and groups:
  Admin API Privileges > Organisational Units > Read
  Admin API Privileges > Users > Read
  Admin API Privileges > Groups > Read
- Attach the new role to the rbacsync-bot account.
2️⃣️ Create a Service Account in GCP
- If not already done, enable Google API access in the GCP Project that will act as a delegate (instructions, link to console).
- Create a custom IAM role, RBACSync-Domain-Delegation, temporarily needed to perform the domain delegation (“IAM > Roles”).
- Temporarily attach the new RBACSync-Domain-Delegation role to the IAM user which will perform the setup.
- Add the rbacsync-bot account to the IAM users of the GCP Project that will act as a delegate.
- Attach the following roles to the rbacsync-bot user added in the previous step:
  Service Account Token Creator
  Service Account User
- Finally, create the rbacsync-sa service account in the GCP Project that will act as a delegate, and take note of its Client ID.
- From GSuite, grant scopes to the Client ID:
  - In the GSuite admin console, go to “Security > Advanced settings > Manage API client access”.
  - Client name: the Client ID obtained from the service account creation step above.
  - API Scopes: the scopes the tool needs (depending on your use case).
- Back in GCP, generate the service account credentials and save the generated JSON file somewhere safe.
- Remove the temporary RBACSync-Domain-Delegation role from the GCP IAM user used to perform the setup.
The JSON file containing the credentials for the service account created above can then be provided to RBACSync to allow it to interface with the GSuite APIs.
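What a tool actually does with that JSON file, as an added example that is not part of the original post nor of RBACSync’s code: the OAuth 2.0 JWT-bearer exchange behind domain-wide delegation, written against the Go standard library instead of Google’s client libraries (which perform these same steps for you). The client reads client_email and private_key from the key file and signs an assertion whose iss is the service account, whose sub is the robot account being impersonated, and whose scope has to match what the admin granted to the Client ID in the “Manage API client access” step; the verifier shows what Google’s token endpoint checks before it hands back an access token. The e-mail addresses, the project name and the admin.directory.group.readonly scope are assumptions made for the example, and the key file is constructed in memory around a freshly generated RSA key, so nothing touches the network.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
	"time"
)

const tokenURL = "https://oauth2.googleapis.com/token" // Google's token endpoint, also the assertion's "aud"

// Fields of the downloaded service-account key JSON that the flow uses.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// Assertion claims. "sub" names the GSuite user being impersonated; that one claim is what makes this delegation.
type assertionClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// buildAssertion is the client side: parse the key file and sign an RS256 JWT impersonating subject.
func buildAssertion(keyJSON []byte, subject string, scopes []string, now time.Time) (string, error) {
	var key serviceAccountKey
	if err := json.Unmarshal(keyJSON, &key); err != nil || key.Type != "service_account" {
		return "", errors.New("not a service_account key file")
	}
	var parsed any
	if block, _ := pem.Decode([]byte(key.PrivateKey)); block != nil {
		parsed, _ = x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	priv, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return "", errors.New("private_key is not a PEM-encoded PKCS#8 RSA key")
	}
	b64 := base64.RawURLEncoding.EncodeToString
	claims, _ := json.Marshal(assertionClaims{
		Iss: key.ClientEmail, Sub: subject, Scope: strings.Join(scopes, " "),
		Aud: tokenURL, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), // Google caps the lifetime at one hour
	})
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAssertion mirrors the token endpoint: signature under the SA public key, parseable claims, right audience, unexpired.
func verifyAssertion(assertion string, pub *rsa.PublicKey, now time.Time) (assertionClaims, error) {
	var c assertionClaims
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return c, errors.New("malformed JWT encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Aud != tokenURL || now.Unix() >= c.Exp {
		return c, errors.New("wrong audience or expired assertion")
	}
	return c, nil
}

// newTestKeyJSON fabricates a key file around a fresh RSA key so the example runs offline; every value is constructed.
func newTestKeyJSON() ([]byte, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	keyJSON, _ := json.Marshal(serviceAccountKey{
		Type:        "service_account",
		ClientEmail: "rbacsync-sa@example-project.iam.gserviceaccount.com",
		PrivateKey:  string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})),
	})
	return keyJSON, &priv.PublicKey
}
```

Two things this makes visible that the console steps above hide. First, the scope check is not in the JWT at all: Google compares the scope claim against what was granted to the Client ID under “Manage API client access”, which is why that step must list exactly the read-only Directory scopes the tool needs and nothing wider. Second, the sub claim is filled in by whoever holds the key file, so the blast radius of a leaked JSON file is the robot account it can impersonate; keeping rbacsync-bot on the read-only custom role from step 1 rather than a super-admin role is what bounds it.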