| Follow @lancinimarco

Reading time ~3 minutes

Domain-Wide Delegation of Authority in GSuite

This is going to be a short blog, part of the “Continuous Visibility into Ephemeral Cloud Environments” series, detailing operational notes of the process to follow in order to setup Domain-Wide Delegation of Authority in GSuite, so that (security) tools within GCP can interface with the GSuite APIs.


The Need for Domain-Wide Delegation of Authority

On the Google’s Developers Blog, “G Suite Domain-Wide Delegation of Authority” is defined as follows:

In enterprise applications you may want to programmatically access a user’s data without any manual authorization on their part. In G Suite domains, the domain administrator can grant third-party applications with domain-wide access to its users’ data — this is known as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.

As an example, tools like RBACSync and Cartography have capabilities for programmatically interfacing with GSuite and retrieve both User and Group data.

For this to work though, they require a service account with Domain-Wide Delegation. The goal is to end up with two accounts (we will use RBACSync for this example):

  1. One “robot” GSuite account (rbacsync-bot) that acts as a “delegator” to a service account.
  2. One Service Account (rbacsync-sa) in a GCP Project that will act as a “delegate”.

The credentials of the service account can then be provided to the security tools (in this case RBACSync) to allow them to read the GSuite Directory API.


Process

The ones below are operational notes I created (and tested working with RBACSync) to setup Domain-Wide Delegation in GSuite, mainly coming from merging and complementing 3 different sources (1, 2, 3).

NOTE: Currently this process can only be performed manually since Terraform doesn’t support domain-wide delegation yet, and there is no relevant gcloud command for it.

1️⃣️ Create an Account in GSuite

  1. Create a new GSuite account, named rbacsync-bot (full name: [email protected]).
  2. Create a custom role which grants read only access to the API on Google Groups:
    • Name: rbacsync-api
    • Privileges:
      1. Admin API Privileges > Organisational Units > Read
      2. Admin API Privileges > Users > Read
      3. Admin API Privileges > Groups > Read
  3. Attach the rbacsync-api role to rbacsync-bot.

2️⃣️ Create a Service Account in GCP

  1. If not already done, enable Google API access in the GCP Project that will act as a delegate (instructions, link to console).
  2. Create a custom IAM role (temporarily) needed to perform domain delegation (“IAM > Roles”):
    • Name: RBACSync-Domain-Delegation
    • Permissions:
      1. clientauthconfig.clients.create
      2. clientauthconfig.clients.createSecret
      3. clientauthconfig.clients.get
      4. clientauthconfig.clients.list
      5. clientauthconfig.clients.update
  3. Temporarily attach the new RBACSync-Domain-Delegation role to the IAM user which will perform the setup.
  4. Add [email protected] to the IAM users of the GCP Project that will act as a delegate.
  5. Attach the following roles to the [email protected] user created in the previous step:
    • Service Account Token Creator
    • Service Account User
  6. Finally, create the rbacsync-sa service account in the GCP Project that will act as a delegate:
    • Service account name: rbacsync-sa
    • Service account ID: rbacsync-sa
    • Service account permissions: (skip)
    • Grant users access:
    • Edit the service account, enable G Suite Domain-wide Delegation and note the Client ID
  7. From GSuite, grant scopes to the Client ID:
    • Go to admin.google.com
    • Go to “Security > Advanced settings > Manage API client access
      • Client name: client ID obtained from the service account creation steps above.
      • API Scopes (depending on your use case):
        1. https://www.googleapis.com/auth/admin.directory.group.member.readonly
        2. https://www.googleapis.com/auth/admin.directory.group.readonly
  8. Back to GCP, generate the service account credentials and save the generated JSON file somewhere safe.
  9. Remove the temporary RBACSync-Domain-Delegation role from the GCP IAM user used to perform the setup.

The JSON file containing the credentials for the service account created above can then be provided to RBACSync to allow it to interface with the GSuite APIs.

Marco Lancini

Marco Lancini
Hi, I'm Marco Lancini. I'm a Security Engineer, mainly interested in cloud native technologies and security...  [read more]