-
Notifications
You must be signed in to change notification settings - Fork 473
Using GAM7 with a delegated admin service account
Thanks to Jay Lee for the original version of this document.
Delegated admin service accounts (DASA) are regular GCP service accounts that are granted a Workspace delegated admin role. Service accounts have an email address like gam-project-xuw-sp1-c4b@gam-project-xuw-sp1-c4b.iam.gserviceaccount.com
and are not part of a Workspace or Cloud Identity domain even if they are owned by a project in the domain’s organization. Service accounts cannot login to Google web services interactively, they are only able to call Google APIs.
GAM7 version 6.50.00 or higher is required.
- DASA accounts don’t require a Workspace or Cloud Identity license.
- DASA accounts don’t have a password login that can be phished or captured, they use RSA private keys to sign authentication requests which makes them very secure. You should however rotate the key on a regular basis and keep it safe and secured!
- When a DASA account makes admin changes, the Admin audit log properly shows that the DASA account made the change. This is not the case when using domain-wide delegation.
- DASA accounts are granted Google admin roles and permissions so that they are only able to perform the actions they are given permissions to perform. This is a simpler model than using both API scopes and admin roles to determine if GAM7 can perform an action.
- When using a DASA account, GAM7 does not need to worry about OAuth, scopes, token refresh, consent screens, etc. DASA accounts can simply generate a JWT token signed by their private key and use the JWT as the authorization header on Google API calls. This method is both faster and less complex than regular OAuth.
- DASA accounts can only be delegated admins. If a task requires super admin rights to perform, DASA accounts won’t be able to do it. Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account.
- DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
- GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the GAM group.
-
Upgrade to at least GAM7 6.50.00. Best practice is to always use the latest version of GAM7.
-
Follow the steps in
gam create project
up to the point where you are presented with a URL to the Cloud console to create a Client ID and secret. You don’t need to enter anything those, just press CTRL+C to quit the project creation. -
GAM will have created a Google Cloud project for you and a service account. The service account is stored in oauth2service.json. If you look at the contents of this file you’ll see a couple important things:
- client_email is the email address of your service account. Copy this address, we’ll use it to grant the service account delegated admin rights in your Workspace domain thus making it a DASA.
- private_key is the cryptographic key which is used to sign authorization requests. Google has a copy of the public key and uses it to validate that the API call is being made by the DASA account. Keep oauth2service.json safe and private! It’s the only file needed to use the DASA account!
-
Now grant the service account delegated permissions. Head to admin.google.com > Account > Admin roles. If you don’t already have a delegated admin role created with the permissions you want the DASA account to have you can use a system role or create your own.
Pro tip GAM now has the ability to create an admin role that has all delegate permissions (Super delegate which is not the same as a super admin) as well as an admin role that has all permissions that can be scoped to an OrgUnit (Super OU delegate). With a regular GAM setup, try running:
gam create adminrole "Super Delegate" privileges all
or to create an admin role with all privileges that can be scoped to an OrgUnit:
gam create adminrole "Super OU Delegate" privileges all_ou
-
Now assign your service account the delegated admin role. You’ll need the service account email address from step 3. With the role opened in the admin console, click "Assign service accounts" and enter the email address.
-
Still in the admin console, head to Account > Account settings > Profile and record the Customer ID value. You’ll need this in the next steps.
-
Now we need to tell GAM which Workspace / Cloud Identity domain to use. Remember, the DASA account in oauth2service.json is not a member of your domain. We can tell GAM7 which domain to use with gam.cfg variables: The following variables in
gam.cfg
must be set whenenable_dasa
is True:admin_email
,customer_id
anddomain
,customer_id
may not be set tomy_customer
.
gam config enable_dasa true admin_email [email protected] customer_id <Customer ID from step 6> domain domain.com save
Need more help? Ask on the GAM Discussion Group
Update History
Installation
- How to Install GAM7
- How to Upgrade GAMADV-XTD3 to GAM7
- How to Upgrade Legacy GAM to GAM7
- How to Update GAM7
- Install GAM as Python Library
- GAM7 on Chrome OS Devices
- GAM7 on Android Devices
- Google Network Addresses
- HTTPS Proxy
- SSL Root CA Certificates
- How to Uninstall GAM7
Configuration
- Authorization
- GAM Configuration
- Running GAM7 securely on a Google Compute Engine
- Using GAM7 with a delegated admin service account
- Using GAM7 with a YubiKey
Notes and Information
- Upgrade Benefits
- Questions? Visit the GAM Discussion Forum
- GAM Public Chat Room
- Scripts
- Other Resources
- Drive REST API v3
- BNF Syntax
- GAM Return Codes
- Python Regular Expressions
- Rclone
Definitions
Command Processing
- Bulk Processing
- Command Line Parsing
- Command Logging and Progress
- Command data from Google Docs/Sheets/Storage
- CSV Special Characters
- CSV Input Filtering
- CSV Output Filtering
- Meta Commands and File Redirection
- Permission matches
- Tag Replace
- Todrive
Collections
Client Access
- Addresses
- Administrators
- Alert Center
- Aliases
- Calendars
- Calendars - Access
- Calendars - Events
- Chrome Auto Update Expiration Counts
- Chrome Browser Cloud Management
- Chrome Device Needs Attention Counts
- Chrome Installed Apps
- Chrome Policies
- Chrome Printers
- Chrome Profile Management
- Chrome Version Counts
- Chrome Version History
- ChromeOS Devices
- Classroom - Courses
- Classroom - Guardians
- Classroom - Invitations
- Classroom - Membership
- Cloud Channel
- Cloud Identity Devices
- Cloud Identity Groups
- Cloud Identity Groups - Membership
- Cloud Identity Policies
- Cloud Storage
- Context Aware Access Levels
- Customer
- Domains
- Domains - Verification
- Domain People - Contacts & Profiles
- Domain Shared Contacts - Global Address List
- Email Audit Monitor
- Find File Owner
- Google Data Transfers
- Groups
- Groups - Membership
- Inbound SSO
- Licenses
- Mobile Devices
- Organizational Units
- Reports
- Reseller
- Resources
- Send Email
- Schemas
- Shared Drives
- Sites
- Users
- Unmanaged Accounts
- Users - Signout and Turn off 2-Step Verification
- Vault - Takeout
- Version and Help
Special Service Account Access
Service Account Access
- Users - Analytics Admin
- Users - Application Specific Passwords
- Users - Backup Verification Codes
- Users - Calendars
- Users - Calendars - Access
- Users - Calendars - Events
- Users - Chat
- Users - Classification Labels
- Users - Classroom - Profile
- Users - Deprovision
- Users - Contacts
- Users - Contacts - Delegates
- Users - Drive - File Selection
- Users - Drive - Activity/Settings
- Users - Drive - Cleanup
- Users - Drive - Comments
- Users - Drive - Copy/Move
- Users - Drive - Files-Display
- Users - Drive - Files-Manage
- Users - Drive - Orphans
- Users - Drive - Ownership
- Users - Drive - Permissions
- Users - Drive - Query
- Users - Drive - Revisions
- Users - Drive - Shortcuts
- Users - Drive - Transfer
- Users - Forms
- Users - Gmail - Client Side Encryption
- Users - Gmail - Delegates
- Users - Gmail - Filters
- Users - Gmail - Forwarding
- Users - Gmail - Labels
- Users - Gmail - Messages/Threads
- Users - Gmail - Profile
- Users - Gmail - S/MIME
- Users - Gmail - SendAs/Signature/Vacation
- Users - Gmail - Settings
- Users - Group Membership
- Users - Keep
- Users - Looker Studio
- Users - Meet
- Users - Classroom - Profile
- Users - People - Contacts & Profiles
- Users - Photo
- Users - Profile Sharing
- Users - Shared Drives
- Users - Spreadsheets
- Users - Tasks
- Users - Tokens
- Users - YouTube
GAM Tutorials
- Account Auditing
- Calendar Settings
- Chat Bot commands
- Chrome Browser Management
- Chrome Policy Settings
- Context Aware Access levels
- Data Transfers
- Domain Verification
- Google Drive Management
- Group Settings
- Inbound SSO Settings
- Managing Admins
- Managing Classroom
- Managing Custom User Schemas
- Managing Devices
- Managing Organizations
- Managing Product Licenses
- Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, and Resource Calendars
- OAuth Authentication Related Commands
- Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
- Printers
- Unmanaged Users and Invitations
- User Email Settings
- User Security Settings