4

If I turn on the Organization Policy constraint "Domain Restricted Sharing" (doc) and set it to allow only my org domain foo.com, will this prevent the slew of platform service accounts from getting their IAM permissions granted? For instance, accounts in the domain @iam.gserviceaccount.com or @developer.gserviceaccount.com. These service accounts get provisioned and given permissions all over the place. My worry is that enabling "Domain Restricted Sharing" will block these accounts from having IAM access.

Another way to ask this is: does "Domain Restricted Sharing" ignore these sorts of platform-based service accounts? If it doesn't, I feel like it would be difficult to maintain a list of exceptions.

A more fundamental question - does "Domain Restricted Sharing" only apply to Cloud Identity / Google Workspace accounts, and is hence not relevant when it comes to service accounts?

Thomas Ruble
  • 842
  • 6
  • 14

3 Answers

7

In this answer I am using the term Google Cloud Identities meaning identities such as service accounts, service agents, etc. that are created by Google Cloud and not by other Google services such as Gmail.

If I turn on the Organization Policy constraint "Domain Restricted Sharing" ...

Yes, if the IAM service accounts are children of an organization resource associated with the given Google Workspace domain.

A more fundamental question - does "Domain Restricted Sharing" only apply to Cloud Identity / Google Workspace accounts, and is hence not relevant when it comes to service accounts?

Domain Restricted Sharing applies to all non-Google Cloud Identities such as Google Workspace, Cloud Identity and Gmail-style accounts. You can define members of a domain managed/controlled by Google Workspace as being allowed (me@example.com) while identities that are not part of that domain (me@gmail.com) are blocked.

At this time, only domains managed by Google Workspace are supported. Cloud Identity is not supported for specifying an allowed domain unless the domain name is also the organization name. (Note: I cannot find an authoritative reference for this statement and this may change in the future).

John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • Actually, domain restricted sharing does seem to also include service accounts that are owned by organizations. See the sentence: "Google Workspace human users and groups must be part of that Google Workspace domain, and IAM service accounts must be children of an organization resource associated with the given Google Workspace domain" here: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#example_organization_policy – Mark Pevec Apr 24 '23 at 20:50
  • Please update this answer as it is wrong.. Setting domain restrictions absolutely does apply to service accounts..See reference above for details. – Jay Lee Jul 17 '23 at 12:16
  • 1
    @JayLee - I updated my answer. – John Hanley Jul 17 '23 at 18:34
0

I tested the second theory by John: the policy value accepts only a GWS ID. Hence I don't think it is possible to add non-GWS cloud identities even though the cloud identity name matches the organisation name.

0

I'm not sure if the answer is entirely accurate. The situation I ran into was setting up budget alerts that use PubSub for dispatching budget alerts and sending them to Slack. We are using Terraform for the setup but I'm sure it will be the same if you do it manually in the console.

Specifically, there is a Google-managed identity being used, billing-budget-alert@system.gserviceaccount.com, that needs to have access to the Pub/Sub topic that you connect with your budget alerts, and this fails with the message "One or more users named in the policy do not belong to a permitted customer".

However, as pointed out by John, this restriction does not apply to your own service accounts that you create in your project; of course you can grant IAM permissions to accounts like pubsub@myproject.iam.gserviceaccount.com.

For reference:

https://cloud.google.com/billing/docs/how-to/budgets-programmatic-notifications

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#forcing_access

omoser
  • 115
  • 2
  • 8
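The rules spread across John Hanley's answer (Workspace/Cloud Identity domain members and service accounts that are children of the org are allowed, Gmail-style accounts are not) and omoser's observation (a Google-owned identity such as billing-budget-alert@system.gserviceaccount.com is rejected with "One or more users named in the policy do not belong to a permitted customer") can be turned into a preflight check you run against a planned binding before `gcloud ... add-iam-policy-binding` or `terraform apply` fails. The following Python is an added example written for this thread, not code from any answer or from Google. The customer ID `C0xxxxxxx`, the project IDs, the sample members, and the classification of Google-managed account domains are all assumptions; anything the thread does not settle (for example `<num>-compute@developer.gserviceaccount.com`) is reported as REVIEW rather than guessed.

```python
"""Preflight classifier for Google Cloud's Domain Restricted Sharing
constraint (iam.allowedPolicyMemberDomains).

Added example for this thread; it models the rules the answers describe,
not Google's actual evaluator. Use it to find the members of a planned IAM
binding that will be rejected so you can plan the "forcing access"
exception before applying, instead of discovering the error mid-apply.
"""
from dataclasses import dataclass
import re

# Assumed mapping from customer IDs (what the constraint's allowed_values
# actually accept) to the domains they manage. C0xxxxxxx is a placeholder.
CUSTOMER_DOMAINS = {"C0xxxxxxx": {"foo.com"}}

ALLOWED, BLOCKED, REVIEW = "ALLOWED", "BLOCKED", "REVIEW"

# Project IDs: 6-30 chars, lowercase letters/digits/hyphens, start with a
# letter, may not end with a hyphen.
_USER_MANAGED_SA = re.compile(
    r"(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com"
)


@dataclass(frozen=True)
class Verdict:
    member: str
    status: str
    reason: str


def _domain_of(identifier: str) -> str:
    return identifier.rsplit("@", 1)[-1].lower()


def check_member(member: str, allowed_customers, org_project_ids) -> Verdict:
    """Classify one IAM member string (e.g. 'user:a@foo.com').

    allowed_customers: customer IDs in the constraint's allowed_values.
    org_project_ids:   project IDs that are children of your organization.
    """
    allowed_domains = set()
    for cid in allowed_customers:
        allowed_domains |= {d.lower() for d in CUSTOMER_DOMAINS.get(cid, ())}

    if member in ("allUsers", "allAuthenticatedUsers"):
        return Verdict(member, BLOCKED,
                       "public principals are blocked while the constraint is enforced")

    kind, _, ident = member.partition(":")
    if not ident:
        return Verdict(member, REVIEW, "unrecognised member syntax")

    if kind in ("user", "group"):
        dom = _domain_of(ident)
        if dom in allowed_domains:
            return Verdict(member, ALLOWED, f"{dom} is an allowed domain")
        return Verdict(member, BLOCKED, f"{dom} is not an allowed domain")

    if kind == "domain":
        if ident.lower() in allowed_domains:
            return Verdict(member, ALLOWED, f"{ident} is an allowed domain")
        return Verdict(member, BLOCKED, f"{ident} is not an allowed domain")

    if kind == "serviceAccount":
        dom = _domain_of(ident)
        m = _USER_MANAGED_SA.fullmatch(dom)
        if m:
            project = m.group("project")
            if project in org_project_ids:
                return Verdict(member, ALLOWED,
                               f"child of project {project}, which is in the org")
            return Verdict(member, REVIEW,
                           f"project {project} is not in the known org project list")
        if dom == "system.gserviceaccount.com":
            # Assumption drawn from omoser's report: Google-owned global
            # identities are not children of your org and are rejected.
            return Verdict(member, BLOCKED,
                           "Google-owned global identity, not a child of the org")
        return Verdict(member, REVIEW,
                       f"Google-managed account domain {dom}; verify in a sandbox")

    return Verdict(member, REVIEW, f"member type {kind!r} not modelled")


def preflight(members, allowed_customers, org_project_ids):
    """Group a binding's members by verdict so BLOCKED ones can be handled
    via a temporary project-level override before the binding is applied."""
    grouped = {ALLOWED: [], BLOCKED: [], REVIEW: []}
    for member in members:
        v = check_member(member, allowed_customers, org_project_ids)
        grouped[v.status].append(v)
    return grouped


if __name__ == "__main__":
    # Constructed sample binding; none of these identities are real.
    sample = [
        "user:alice@foo.com",
        "group:devs@foo.com",
        "user:bob@gmail.com",
        "serviceAccount:pubsub@my-project.iam.gserviceaccount.com",
        "serviceAccount:billing-budget-alert@system.gserviceaccount.com",
        "serviceAccount:123456789-compute@developer.gserviceaccount.com",
        "allUsers",
    ]
    for status, verdicts in preflight(sample, ["C0xxxxxxx"], {"my-project"}).items():
        for v in verdicts:
            print(f"{status:8} {v.member}: {v.reason}")
```

If the preflight reports BLOCKED members you still need, the `forcing_access` section omoser links describes the supported route: relax the constraint on that project only (a project-level policy that does not inherit from the parent), add the binding, then restore inheritance. The checker makes that a deliberate step rather than a surprise during `terraform apply`.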