Domain-wide delegation best practices

Use direct service account access or OAuth consent instead

Avoid using domain-wide delegation if you can accomplish your task directly using a service account or by using OAuth consent.

If you can't avoid using domain-wide delegation, restrict the set of OAuth scopes that the service account can use. Although OAuth scopes don't restrict which users the service account can impersonate, they restrict the types of user data that the service account can access.

Avoid using domain-wide delegation

Restrict service account key creation and upload

Use organization policies to restrict key creation and upload for service accounts with domain-wide delegation. This limits service account impersonation through service account keys.

Don't let users create or upload service account keys

Disable automatic role grants ​​for default service accounts

Service accounts that are created by default are granted the Editor role, which allows the account to read and modify all resources in the Google Cloud project. You can disable automatic role grants for default service accounts to ensure that they don’t automatically get the Editor role and can’t easily be exploited by a malicious user. 

Don't use automatic role grants for default service accounts

Limit lateral movement

Lateral movement is when a service account in one project has permission to impersonate a service account in another project. This can result in unintended access to resources. Use "lateral movement insights" to detect and limit lateral movement through impersonation. 

Use lateral movement insights to limit lateral movement

Limit access to service accounts with domain-wide delegation

Don't let a user change the allow policy of a service account if the service account has more privileges than the user. Use IAM roles to limit access to service accounts with domain-wide delegation grants. 

Avoid letting users change the allow policies of more privileged service accounts

Grant access to essential privileges only

Ensure that service accounts with domain-wide delegation have only the essential privileges needed to perform their intended functions. Do not give access to non-essential OAuth scopes.

Host service accounts in dedicated Google Cloud projects

Ensure that service accounts with domain-wide delegation are hosted in dedicated Google Cloud projects. Do not use those projects for other business needs.

Avoid using service account keys

Using service account keys is not necessary to perform domain-wide delegation. Use the signJwt API instead. 

Avoid using service account keys for domain-wide delegation

Restrict access to projects that have domain-wide delegation

Minimize the number of people that have edit access to Google Cloud projects with domain-wide delegation set up. You can use Cloud Asset Inventory API to understand who has access to service accounts. For example, use Cloud Shell to run:

gcloud asset get-effective-iam-policy
--scope=organizations/<ORG_ID>
--names=//iam.googleapis.com/projects/<PROJECT_ID>/serviceAccounts/
<SERVICE_ACCOUNT_ID>

• ORG_ID: Your Google Cloud organization ID. Learn more
• PROJECT_ID: ID of the Google Cloud project the service account resides under. Learn more
• SERVICE_ACCOUNT_ID: ID of the service account. The ID is listed under Client ID on the Admin console domain-wide delegation page, or in the service account’s email address. Learn more

Look for permissions or roles such as iam.serviceAccountTokenCreator or iam.serviceAccountKeyAdmin owner and editor to understand who has direct or inherited permissions to the service account.

Understand who has access to Google Cloud service accounts