Domain-Wide Delegation of Authority in GSuite
This is going to be a short blog post, part of the “Continuous Visibility into Ephemeral Cloud Environments” series, with operational notes on the process to follow to set up Domain-Wide Delegation of Authority in GSuite, so that (security) tools within GCP can interface with the GSuite APIs.
The Need for Domain-Wide Delegation of Authority
On Google’s Developers Blog, “G Suite Domain-Wide Delegation of Authority” is defined as follows:
In enterprise applications you may want to programmatically access a user’s data without any manual authorization on their part. In G Suite domains, the domain administrator can grant third-party applications with domain-wide access to its users’ data — this is known as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
As an example, tools like RBACSync and Cartography can programmatically interface with GSuite to retrieve both User and Group data.
For this to work, though, they require a service account with Domain-Wide Delegation.
The goal is to end up with two accounts (we will use RBACSync for this example):
- One “robot” GSuite account (rbacsync-bot) that acts as a “delegator” to a service account.
- One Service Account (rbacsync-sa) in a GCP Project that will act as a “delegate”.
The credentials of the service account can then be provided to the security tools (in this case RBACSync) to allow them to read the GSuite Directory API.
Process
The ones below are operational notes I created (and tested working with RBACSync) to set up Domain-Wide Delegation in GSuite, mainly coming from merging and complementing a couple of different sources (1, 2).
NOTE: Currently this process can only be performed manually, since Terraform doesn’t support domain-wide delegation yet and there is no relevant gcloud command for it.
1️⃣️ Create an Account in GSuite
- Create a new GSuite account, named rbacsync-bot (full name: [email protected]).
- Create a custom role which grants read-only access to the API on Google Groups:
  - Name: rbacsync-api
  - Privileges:
    Admin API Privileges > Organisational Units > Read
    Admin API Privileges > Users > Read
    Admin API Privileges > Groups > Read
- Attach the rbacsync-api role to rbacsync-bot.
2️⃣️ Create a Service Account in GCP
- If not already done, enable Google API access in the GCP Project that will act as a delegate (instructions, link to console).
- Create a custom IAM role (temporarily) needed to perform domain delegation (“IAM > Roles”):
  - Name: RBACSync-Domain-Delegation
  - Permissions:
    clientauthconfig.clients.create
    clientauthconfig.clients.createSecret
    clientauthconfig.clients.get
    clientauthconfig.clients.list
    clientauthconfig.clients.update
- Temporarily attach the new RBACSync-Domain-Delegation role to the IAM user which will perform the setup.
- Add [email protected] to the IAM users of the GCP Project that will act as a delegate.
- Attach the following roles to the [email protected] user created in the previous step:
  Service Account Token Creator
  Service Account User
- Finally, create the rbacsync-sa service account in the GCP Project that will act as a delegate:
  - Service account name: rbacsync-sa
  - Service account ID: rbacsync-sa
  - Service account permissions: (skip)
  - Grant users access:
    - Service account user role: [email protected]
    - Service account admin role: [email protected]
- Edit the service account, enable G Suite Domain-wide Delegation and note the Client ID.
- From GSuite, grant scopes to the Client ID:
  - Go to admin.google.com
  - Go to “Security > Advanced settings > Manage API client access”
  - Client name: client ID obtained from the service account creation steps above.
  - API Scopes (depending on your use case):
    https://www.googleapis.com/auth/admin.directory.group.member.readonly
    https://www.googleapis.com/auth/admin.directory.group.readonly
- Back in GCP, generate the service account credentials and save the generated JSON file somewhere safe.
- Remove the temporary RBACSync-Domain-Delegation role from the GCP IAM user used to perform the setup.
The JSON file containing the credentials for the service account created above can then be provided to RBACSync to allow it to interface with the GSuite APIs.
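To show what that saved JSON key is used for once a tool has it, here is an added example in Go (not code from the post, RBACSync or Cartography): it builds the OAuth 2.0 service-account assertion that domain-wide delegation rests on, with sub set to the robot account, and checks the requested scopes against the two granted in the admin console. The RSA key is generated locally, the service-account email, robot-account email and token URI used when exercising it are constructed placeholders, and in practice Google’s client libraries do this signing for you.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Scopes granted to the client ID in the GSuite admin console (from the post above).
var DelegatedScopes = []string{
	"https://www.googleapis.com/auth/admin.directory.group.member.readonly",
	"https://www.googleapis.com/auth/admin.directory.group.readonly",
}

// Claims is the claim set the token endpoint expects in the service-account assertion
// (iss/aud = client_email/token_uri from the JSON key); "sub" is what makes it delegation.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`   // GSuite user to act as, i.e. the robot account
	Scope string `json:"scope"` // space-separated
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"` // at most one hour after iat
}

// CheckScopes rejects any scope the admin did not authorize for this client ID.
func CheckScopes(c Claims, authorized []string) error {
	allowed := " " + strings.Join(authorized, " ") + " " // scopes are URLs, never contain spaces
	for _, s := range strings.Fields(c.Scope) {
		if !strings.Contains(allowed, " "+s+" ") {
			return fmt.Errorf("scope %q not authorized for this client ID", s)
		}
	}
	return nil
}

// DelegationAssertion RS256-signs the claims with private_key from the JSON file; the result is the JWT a tool exchanges for an access token at token_uri.
func DelegationAssertion(c Claims, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c) // plain strings and ints, cannot fail
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}
```

Whoever holds private_key can mint such an assertion for any sub in the domain, which is why the JSON file needs to be kept safe and the scope list kept to the read-only ones above.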