I am going through Google's OAuth 2.0 for Server to Server Applications guide and trying to use a Service Account's credentials to call Google APIs.
So I have a data object which contains the credentials parsed from the JSON key file:
```python
import json

import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials


def get_bigquery_service(key_file_path):
    # Read and parse the JSON key file downloaded from the Developer Console
    with open(key_file_path) as f:
        data = json.load(f)

    # The scope is chosen here by the caller; the key file itself carries no scope
    scope = ["https://www.googleapis.com/auth/bigquery"]
    credentials = SignedJwtAssertionCredentials(
        data['client_email'],
        data['private_key'],
        scope=scope)
    http = httplib2.Http()
    http = credentials.authorize(http)
    return build("bigquery", "v2", http=http)
```
Then I will have access to the BigQuery API, because I claimed it in the scope.
My concern is that I can't see any option that allows me to actually constrain that Service Account to only be able to use the BigQuery API in the Google Developer Console. Let's say the credential file was accidentally leaked to others: they can essentially do anything to any of my services, just by declaring the things they want to access in the scope.
Is there any way we can constrain the permissions that Service Accounts have?