I don't have a lot of experience with GCP, so I am confused about how this is working in my case. I am trying to put a restriction on the Google Maps API (New Places API). The script looks like this, but it does not matter much—it's just for demonstration.

import asyncio

from google.api_core.client_options import ClientOptions
from google.maps import places_v1
import os

async def search_pizza_times_square():
    # Create a client

    # client_options = ClientOptions(api_key="")

    # client = places_v1.PlacesAsyncClient(client_options=client_options)
    client = places_v1.PlacesAsyncClient()

    # Initialize request argument(s)
    request = places_v1.AutocompletePlacesRequest(
        input="Proto"

    )


    # Make the request
    response = await client.autocomplete_places(request=request)

    # Handle the response
    for suggestion in response.suggestions:
        if suggestion.place_prediction:
            print(f"Place: {suggestion.place_prediction.text.text}")
            print(f"Place ID: {suggestion.place_prediction.place_id}")
            print("---")





if __name__ == "__main__":
    credential_path = "my-com-f0d214b40429.json"
    os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credential_path
    asyncio.run(search_pizza_times_square())

I understand that the Google Maps API is not a part of GCP and can't be restricted by IAM permissions inside GCP. So, I've issued an API key and restricted it by IP address. This works if I configure the client in the script to use the API key.

However, by default, if I do not provide an API key, the script will try to use ADC and will get credentials from the service account configured for the script application. To test whether the service account is forbidden from accessing the Google Maps API, I created a new test service account with zero assigned roles. My expectation was that with 0 roles, there would be 0 permissions. However, if I run the script using the credentials of that service account, I still have access to the Google Maps API. This confuses me. How is this possible?

The Internet suggests that permissions can also be granted through Google Workspace:

Security > API controls > Domain-wide delegation

I see some service users listed there, but they all have different Client IDs than my service account. So again, my expectation is that the service account should have 0 permissions.

The Policy Analyzer in GCP also returns an empty list of resources and permissions available to the service account.

In summary, my goal is to have a service account with tightly restricted permissions - both in GCP IAM permissions and in creating OAuth credentials with scopes that grant access to APIs that are not part of GCP.

How can I achieve this?

I don't have a lot of experience with GCP, so I am confused about how this is working in my case. I am trying to put a restriction on the Google Maps API (New Places API). The script looks like this, but it does not matter much—it's just for demonstration.

import asyncio

from google.api_core.client_options import ClientOptions
from google.maps import places_v1
import os

async def search_pizza_times_square():
    # Create a client

    # client_options = ClientOptions(api_key="")

    # client = places_v1.PlacesAsyncClient(client_options=client_options)
    client = places_v1.PlacesAsyncClient()

    # Initialize request argument(s)
    request = places_v1.AutocompletePlacesRequest(
        input="Proto"

    )


    # Make the request
    response = await client.autocomplete_places(request=request)

    # Handle the response
    for suggestion in response.suggestions:
        if suggestion.place_prediction:
            print(f"Place: {suggestion.place_prediction.text.text}")
            print(f"Place ID: {suggestion.place_prediction.place_id}")
            print("---")





if __name__ == "__main__":
    credential_path = "my-com-f0d214b40429.json"
    os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credential_path
    asyncio.run(search_pizza_times_square())

I understand that the Google Maps API is not a part of GCP and can't be restricted by IAM permissions inside GCP. So, I've issued an API key and restricted it by IP address. This works if I configure the client in the script to use the API key.

However, by default, if I do not provide an API key, the script will try to use ADC and will get credentials from the service account configured for the script application. To test whether the service account is forbidden from accessing the Google Maps API, I created a new test service account with zero assigned roles. My expectation was that with 0 roles, there would be 0 permissions. However, if I run the script using the credentials of that service account, I still have access to the Google Maps API. This confuses me. How is this possible?

The Internet suggests that permissions can also be granted through Google Workspace:

Security > API controls > Domain-wide delegation

I see some service users listed there, but they all have different Client IDs than my service account. So again, my expectation is that the service account should have 0 permissions.

The Policy Analyzer in GCP also returns an empty list of resources and permissions available to the service account.

In summary, my goal is to have a service account with tightly restricted permissions - both in GCP IAM permissions and in creating OAuth credentials with scopes that grant access to APIs that are not part of GCP.

How can I achieve this?

• google-cloud-platform

• Interesting question. Because Maps isn't controlled by IAM, IAM permissions can't control the Service Account's authorization for this Service. I assume (!?) that the Service Account is an identity in the Project in which Maps is enabled? As a result, the Service Account is authenticated (!) and its authorization is governed by OAuth2 scopes. I suspect (!) that the default scope in your code is https://www.googleapis/auth/cloud-platform and that this is also a default scope required by Places API ergo your Service Account is both authenticated and authorized. – DazWilkin Commented Mar 31 at 19:27
• Even though made redundant by IAM, OAuth scopes do still apply to Cloud services (governed by IAM) but the Cloud services default to this broad auth/cloud-platform scope too and then IAM requires an appropriate identity*permission bindings to permit access. Here's the complete list of OAuth scopes by Google Service (note all services including Cloud are listed). – DazWilkin Commented Mar 31 at 19:30

1 Answer 1

Blocking of Google Cloud service account from automatically creating OAuth credentials may require disabling its ability to issue OAuth tokens, removing any existing service account keys, and ensuring no alternative authentication methods are in place.

• Disable the service account from issuing OAuth tokens by running:

gcloud iam service-accounts keys disable KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount \
    --project=PROJECT_ID

• Next, remove any existing service account keys by listing them with:

gcloud iam service-accounts keys delete KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount

• To prevent OAuth-based access, modify your script to use an API key instead:

from google.api_core.client_options import ClientOptions
from google.maps import places_v1

client_options = ClientOptions(api_key="YOUR_API_KEY")
client = places_v1.PlacesAsyncClient(client_options=client_options)

These steps ensure that your service account is restricted from using OAuth credentials while still allowing explicit authentication methods like API keys.