How to check Google Service Account access for a domain?

I have a service account that I have created in a project in GCP. This service account will then be provided access to different domains using Domain-wide Delegation.

When the Domain-wide Delegation is set up, I need to control scenarios where the correct scopes are not allocated to the service account. Is there a way that a service account can see what scopes it has access to?

The only way I can think of currently is just to try certain API calls to see if they return 403 or not, but that seems like a waste of an API call. I know when using OAuth2, you can call https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= to get the scopes, but I would need to know the customerID of the domain I am querying against. All of the API calls I plan on using will either be for a specific resource, or take a customerID parameter, so access could be different per domain.

If it's worth knowing, I am currently using the google-api-dotnet-client as it handles a lot of the authentication for me, but if this is easier to do in HTTPS calls then I'm happy to do that.

Update: Thought it might help to show an example of the code I am using to access the Google APIs, to show where I might run into issues. The code itself works fine; I am just trying to think about all possible scenarios where things could go wrong.

// Namespaces from the google-api-dotnet-client packages Google.Apis.Auth and
// Google.Apis.Admin.Directory.directory_v1 (top-level statements, .NET 6+)
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

string serviceAccountEmail = "";
string serviceAccountPrivateKey = "";

// Service account credential that impersonates a user in the target domain
// through Domain-wide Delegation, requesting only the scope this code needs
ServiceAccountCredential serviceCredential = new(new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
    Scopes = new[] {
        DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly
    },
    User = "" // This would be different per Google account I am accessing
}.FromPrivateKey(serviceAccountPrivateKey));

DirectoryService service = new(new BaseClientService.Initializer()
{
    HttpClientInitializer = serviceCredential
});

string customerId = ""; // This would be different per Google account I am accessing

// This could error if the DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly was not granted to the service account
var result = await service.Chromeosdevices.List(customerId).ExecuteAsync();
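One way to pre-flight the delegation per domain without spending an Admin SDK call, as an added example that is not code from the question or from google-api-dotnet-client: request a delegated access token for the impersonated user with exactly the scopes the later calls need. The token endpoint refuses the JWT grant with an unauthorized_client error when Domain-wide Delegation for that domain does not cover every requested scope; the helper name CheckDelegatedScopesAsync and the placeholder values are assumptions of mine.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;

// Hypothetical helper: one pre-flight per domain. It asks the token endpoint for a
// delegated token bound to the impersonated user and the required scopes. If the
// domain's Domain-wide Delegation entry does not include every scope, the JWT grant
// is rejected (unauthorized_client) and no Directory API quota is consumed.
static async Task<(bool ok, string detail)> CheckDelegatedScopesAsync(
    string serviceAccountEmail, string privateKey, string impersonatedUser, IEnumerable<string> scopes)
{
    var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountEmail)
    {
        Scopes = scopes,
        User = impersonatedUser
    }.FromPrivateKey(privateKey));

    try
    {
        // True when a token was issued for the requested scopes.
        bool issued = await credential.RequestAccessTokenAsync(CancellationToken.None);
        if (!issued) return (false, "no token issued");
    }
    catch (TokenResponseException ex)
    {
        // ex.Error.Error is "unauthorized_client" when the delegation is missing or incomplete.
        return (false, $"{ex.Error.Error}: {ex.Error.ErrorDescription}");
    }

    // Optional cross-check with the tokeninfo endpoint from the question: it reports
    // the scopes actually bound to the issued token, so a later 403 is not the first signal.
    using var http = new HttpClient();
    string info = await http.GetStringAsync(
        "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=" +
        Uri.EscapeDataString(credential.Token.AccessToken));
    return (true, info);
}

// Usage (placeholder values): run once per domain before any Chromeosdevices call.
var (ok, detail) = await CheckDelegatedScopesAsync(
    "<service-account-email>", "<private-key>", "<admin-user@example-domain>",
    new[] { DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly });
Console.WriteLine(ok ? "Delegation covers required scopes: " + detail : "Delegation check failed: " + detail);
```

Because the token request carries the impersonated user, the result is already specific to that domain, which sidesteps the customerID question for the scope check itself.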


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow