Google service account: Delegate Domain-Wide Delegation of Authority to impersonate only ONE user

1
votes

We need to access Google Calendar API with server application to create the events and invite the attendees. Google recommends to use service account for the applications.

The main problem here with the attendees inviting to the event, because the service account can't do it without the Domain-Wide Delegation of Authority (see img).

Organization do not want to give the service account an access to ALL user's data. So, I'm trying to find out can we delegate the Domain-Wide Delegation of Authority to the ONE user of the domain ? (restrict access to use another user's data).

p.s. it's only about google calendar api.

Many thanks for the help.

screenshot from the google doc

1
google-calendar-apigoogle-workspaceservice-accounts
I’m voting to close this question because its about how to set up domain wide delegation in Gsuite and there for is not programming related. This question may be better suited for webapps.stackexchange.comDaImTo
Hi @DaImTo, this is regarding the programming because I need to know how to do it with the code. As I mentioned this will be used by the server application. Is it make sense ?Inna
You cant set up domain wide delegation with code. Your Gsuite admin needs to do it for you. We cant do that here. As its in the settings on gsuite account. Code wise its just normal service account authentication, with a delegation to a user if you need one. TBH what you are asking is probably not possible. delegation doesn't work that way delegating access to the service account makes the service account behave like the user of course they would have access to all the data the user has.DaImTo
As mentioned by @DaImTo, you cannot enable domain-wide delegation for just one user. Domain-wide delegation gives access to all users in the domain, there's no way around it. Of course, in your code you can set which user you want to impersonate. If you just want a sample code of how to impersonate a regular user, take a look at the existing answer.Iamblichus

1 Answers

1
votes

I am still not sure that this question is programming related, however if you just want to see "in code" how to delegate to a user here is an example using C# where the gsuiteUser is added to the code where the ServiceAccountCredential is initialized.

When run this code will run as if the code is being run by the gsuiteuser. there for any access that that user has on the gsuite domain the service account will have. There is no way to limit that access anymore then that. Service accounts are dummy users who can be preauthorized to have access of a user.

string ApplicationName = "Calendar API .NET Quickstart";
            const string serviceAccount = "[email protected]";

            var certificate = new X509Certificate2("cred.p12", "notasecret", X509KeyStorageFlags.Exportable);

            var gsuiteUser = "[email protected]";

            var serviceAccountCredentialInitializer = new ServiceAccountCredential.Initializer(serviceAccount)
            {
                User = gsuiteUser,   // Service account will run as this user
                Scopes = new[] { CalendarService.Scope.read }

            }.FromCertificate(certificate);

            var credential = new ServiceAccountCredential(serviceAccountCredentialInitializer);
            if (!credential.RequestAccessTokenAsync(CancellationToken.None).Result)
                throw new InvalidOperationException("Access token failed.");

            var service = new CalendarService(new BaseClientService.Initializer()
            {
                HttpClientInitializer = credential,
                ApplicationName = ApplicationName,
            });