A Google API server-to-server service account key is a simple JSON or P12 file which can be compromised in some scenarios. Is there a way to limit its use to specific IPs or domains from the Google Developer Console? The support topics there are not helpful at all.
1 Answer
No, service accounts can't be restricted to IPs or domains. Currently, if you have the correct credentials then you can use them.
This is why you need to keep them safe. However, that being said, I think it's a good idea. I am going to see if I can find someplace to add it as a feature request.
Note for OpenID sign-in
Sign-in returns an ID token. This ID token can be verified; verify that the hd claim matches your domain name. Again, this only works if you are authenticating with the openid scope.
Response from Google: I contacted one of the developers on Google Identity; this was his response.
IP restrictions had some value many years ago. Now, most of the apps are hosted in the cloud and traffic can move around the world, thus making the IP restriction not very useful. If service account credentials are compromised, it is time to get a new credential, or they were used in an incorrect way.
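The hd-claim check mentioned in the answer, as an added example that is not part of the original answer: it assumes the token's signature has already been verified by a library such as google-auth (`google.oauth2.id_token.verify_oauth2_token`), which returns the claims dictionary, and then enforces issuer, audience, expiry, email verification and the hd claim. The client ID, domain and claim values below are constructed for illustration.

```python
import time

# Issuer values Google uses in ID tokens; both spellings are valid.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def check_google_id_token_claims(claims, expected_audience, expected_hd, now=None):
    """Policy check on an already signature-verified Google ID token.

    `claims` is the dict returned after signature verification (e.g. by
    google.oauth2.id_token.verify_oauth2_token from google-auth).
    Returns (True, None) when the token belongs to a Google Workspace
    account in `expected_hd`, otherwise (False, reason).

    The hd claim is only present for Workspace accounts, so a missing hd
    (a consumer gmail.com account) must be rejected, not treated as a match.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return False, "token was issued for a different client ID"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email address not verified by Google"
    hd = claims.get("hd")
    if hd is None:
        return False, "no hd claim: not a Workspace account"
    if hd.lower() != expected_hd.lower():
        return False, f"hd claim {hd!r} does not match {expected_hd!r}"
    return True, None


# Constructed sample claims (not a real token); the client ID is a placeholder.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "1234567890",
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
    "exp": 2_000_000_000,
}

if __name__ == "__main__":
    print(check_google_id_token_claims(WORKSPACE_CLAIMS, CLIENT_ID, "example.com", now=1_900_000_000))
```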

- Thank you. This is absolutely important and I am actually surprised to see the lack of this feature. I have a similar question here: https://stackoverflow.com/questions/48366036/how-to-set-google-application-credentials-without-using-a-path In my scenario I need to use the service key in a CMS module, and in this particular case it can be easily stolen by a third-party module. It doesn't even matter if I store it as a file or as an option in the DB. – RWS Jan 22 '18 at 12:50
- Well, your problem is easily solved. You may **not** release your credentials as part of a CMS module. https://stackoverflow.com/a/28109307/1841839 You will need to instruct your users how to create their own. – Linda Lawton - DaImTo Jan 22 '18 at 12:52
- I did not intend to release my own creds; the value of the module is that it does something with the particular user data. But that's the problem: if they store their creds, they can be stolen relatively easily with a 3rd-party module. So the problem still stands. – RWS Jan 22 '18 at 13:10
- If you are interested in understanding why you can't add restrictions, I sent an email off to Google. I have edited the question with the response. – Linda Lawton - DaImTo Jan 25 '18 at 08:57
- Thank you. According to the [manual](https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token), you simply need to pass the account ID. Still can't see how that will help. I appreciate that you contacted a Google guy; however, they simply overlook the scenario of the application of service keys in CMS modules. – RWS Jan 25 '18 at 10:31