google_service_account should support domain wide delegation

[ramyala]

Terraform Version

Terraform v0.11.8
+ provider.google v1.17.1
+ provider.kubernetes v1.2.0
+ provider.random v2.0.0
+ provider.template v1.0.0

Affected Resource(s)

Please list the resources as a list, for example:

• google_service_account

Terraform Configuration Files

resource "google_service_account" "sample" {
  account_id   = "sample"
  display_name = "sample service account"
}

Expected Behavior

The above resource doesn't have the ability to specify Gsuite domain wide delegation option. It would be helpful to support it through terraform.

b/299683663

[paddycarver]

Sadly, we're not able to support this until the upstream API has support for it. From what I can see, it does not, currently. Further, this seems to be a GSuite feature, not a GCP feature, which complicates things further.

Not saying it'll never be possible, but from what I can see, today it's not something we have the ability to support.

[morgante]

To reiterate @paddycarver's point it's been an ongoing discussion internally within Google about whether we can have an API for enabling domain-wide delegation.

[primeroz]

@morgante is this ongoing discussion got you anywhere ?

[morgante]

No updates currently unfortunately.

[jravetch]

@morgante Any updates you can share?

[sannnan]

so any update so far?

[BradErz]

would be nice to have this

[tbrown-payments]

Hey! Hoping this gets resolved.

[eschultink]

@morgante any forum where we can weigh in to help it get prioritized within Google?

[morgante]

@eschultink If you have a Google account team, please ask them to file a request for prioritizing this.

[eschultink]

is this now moot? we've seen the checkbox in the GCP console to enable DWD for the service account has disappeared. The Oauth Client ID seems to be provisioned the first time someone grants the SA access via the Google Workspace Admin console?

[abjoseph]

Same as @eschultink, I would like to know the answer to that question as well. Are all service accounts going forward-implicitly granted DWD privileges by default? If so, is the only required course of action to delegate permissions, is to explicitly grant OAuth scopes within the Google Workspace Admin console to a given Client ID?

[eschultink]

I'm convinced this is no longer needed; we have a terraform module that creates GCP Service Accounts intended to be used as OAuth Clients for connecting to Google Workspace APIs. Our customers use that to create the SAs and then do the grants via the Google Workspace Admin console - without ever logging into GCP console and flipping the DWD thing. It's worked for dozens of companies without a problem.

[ccogan-lh]

Any update on this?

[ScottSuarez]

Forwarding to service team, but I don't believe this is possible due to API limitations.

[benhxy]

As

Sadly, we're not able to support this until the upstream API has support for it. From what I can see, it does not, currently. Further, this seems to be a GSuite feature, not a GCP feature, which complicates things further.

Not saying it'll never be possible, but from what I can see, today it's not something we have the ability to support.

This is correct. This requires GSuite exposing an API.

[eschultink]

@benhxy - no, this used to be a flag you had to flip on the SA inside GCP to be able to use it for DWD in Google Workspace - but that has disappeared and now seems to automatically turn into an OAuth Client inside GCP when you first make a DWD grant to via the Google Workspace Admin console.

So there is nothing to be done on GCP side anymore. So from my perspective, this can be closed.

Making the actual DWD grant is indeed a Google Workspace thing, not a GCP thing - so is out of scope for the GCP terraform provider. Google Workspace does not have an API for it anyways, so even a Google Workspace terraform provider couldn't support it atm.