I'm developing an application that needs to read and label emails from a single, specific mailbox that is a part of a google workspace.
I managed to connect a service account to the workspace using domain-wide delegation, but the issue is that it has full access to every mailbox in the workspace, which is an issue because I NEED to follow the least privilege principle.
My goal is to restrict this Service Account so it can only impersonate one specific user (e.g., [email protected]).
I lurked around in the Google Workspace Admin Console and I didn't find anything... Maybe there is a way to restrict the scope of users for the service account representing my app?
Thanks!
from google.oauth2 import service_account
from googleapiclient.discovery import build

# creds_dict: the service account JSON key loaded as a dict; scopes: the Gmail scopes granted via domain-wide delegation
credentials = service_account.Credentials.from_service_account_info(
    creds_dict,
    scopes=scopes,
    subject='[email protected]'  # <- I could change it to any user in the org and it would still work, which is not acceptable (domain-wide delegation)
)
gmail_service = build("gmail", "v1", credentials=credentials, cache_discovery=False)
I tried creating a Security Group and somehow restricting the app in the App Access Control settings in the Admin Console, but I haven't found any possibility to do so.