I'm working on automated backups of Google Cloud organizations and projects, and for accessing the data on those OAuth2 is needed, as service accounts and API keys don't have the right permissions.
I don't want customers to have to go through the consent screen. Is there a way for us to set up an application/project on our GCP account that would handle everything relating to OAuth2 and the consent screen, and have the customer just install that app or project on their GCP, granting us access and permissions to data?
I tried the standard OAuth2 procedure, and while it would work fine for backups, where the user would only grant us access on the consent screen once and we would have a refresh token, for restoring they would need to go through the OAuth2 process again.
asked Nov 16, 2024 at 16:07 by amarz
1 Answer
Service Accounts are part of Google OAuth2.
You should be using Service Accounts for automated processes that don't require human intervention.
It's unclear from your question.
Service Accounts are more constrained than user accounts.
For Google Cloud services (using IAM) there's no (little?) functional difference between Service Accounts and user accounts.
For Google Workspace (not covered by IAM) there are differences. You need to use a domain-wide delegated service account with impersonation for functional equivalence. This is to help protect access to user data in these services.
Google has extensive and stringent mechanisms for detecting abuse of user accounts. Any attempt to get around these is likely to be detected and will cause you problems (e.g. account disablement).
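To illustrate the answer's points that service accounts are part of OAuth2 and that Workspace access needs impersonation, here is an added example (not code from the question or the answer) of the JWT-bearer assertion a service account sends to Google's token endpoint in place of a consent screen. The service account e-mail, key id and user address are constructed, and the `sign` parameter is a hypothetical callable standing in for the RS256 private-key operation.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # assertions may be valid for at most one hour

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def build_assertion(sa_email, key_id, scopes, sign, subject=None, now=None, lifetime=MAX_LIFETIME):
    """Build the signed JWT for the service-account (two-legged) OAuth2 flow.
    `sign` (hypothetical) takes bytes and returns the RSA/SHA-256 signature bytes."""
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    issued = int(time.time() if now is None else now)
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URL,
              "iat": issued, "exp": issued + lifetime}
    if subject is not None:
        claims["sub"] = subject  # user impersonated via domain-wide delegation
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def token_request_body(assertion: str) -> str:
    # Form body POSTed to TOKEN_URL; the response carries a short-lived access token.
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def read_claims(assertion: str) -> dict:
    """Decode (without verifying) the claim set, e.g. to audit what is requested."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

if __name__ == "__main__":
    # Constructed values; the placeholder signer does NOT produce a valid signature.
    placeholder_sign = lambda data: b"constructed-not-a-real-signature"
    jwt = build_assertion("backup@example-project.iam.gserviceaccount.com",
                          "constructed-key-id",
                          ["https://www.googleapis.com/auth/drive.readonly"],
                          placeholder_sign, subject="user@example.com", now=1700000000)
    print(read_claims(jwt))
    print(token_request_body(jwt)[:90] + "...")
```

Omitting `subject` yields the plain service-account flow used with IAM-governed Google Cloud APIs; setting it is what domain-wide delegation adds for Workspace data.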