0

How can I limit the OAuth2 scope when logging in with my user principal (not a service account) using:

gcloud auth login

Background: I created a G Suite Takeout and got the Takeout Bucket. Now I want to download all the files, but I want to give gcloud read-only permissions to Google Storage. Creating a service account with limited scope seems not to work, since a Takeout Bucket seems somehow "special" - any more details on that?

Dave M
dim

2 Answers

1

Based on your description, my understanding of your use case is that you would like to limit permissions to Cloud Storage to avoid misuse of your credentials; please correct me if I am wrong. But the ‘takeout’ operation requires an admin account, which consists of comprehensive permissions, so it seems to be conflicting.

You may use 'gcloud auth revoke' after the takeout and other operations, in order to disallow access via the gcloud CLI by your account.

Hope it helps.

Yanan C
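The login-then-revoke approach from the answer above, as an added example that is not part of the original answer: a wrapper that revokes the credential even when the download fails. The function name, the bucket and destination arguments, and the use of a throwaway `CLOUDSDK_CONFIG` directory are assumptions of this example; it also assumes `gsutil` is the copy shipped with the Cloud SDK, so it uses gcloud's credentials.

```shell
#!/usr/bin/env bash
# Added example: download a bucket with a short-lived gcloud login.
# This does not narrow the OAuth2 scope; it limits how long the
# credential exists on the machine and keeps it out of ~/.config/gcloud.
#
# Usage (bucket name is a placeholder):
#   takeout_download gs://TAKEOUT_BUCKET_PLACEHOLDER ./takeout

takeout_download() {
    local bucket="$1" dest="$2" cfg rc=0

    if [ -z "$bucket" ] || [ -z "$dest" ]; then
        echo "usage: takeout_download gs://BUCKET DEST_DIR" >&2
        return 2
    fi

    # Throwaway config directory: tokens are written here only.
    cfg="$(mktemp -d)" || return 1

    (
        export CLOUDSDK_CONFIG="$cfg"

        # Runs on every exit path of this subshell, including a failed
        # copy: revoke all accounts in the throwaway config, then
        # delete the directory, and keep the original exit status.
        trap 'st=$?
              gcloud auth revoke --all --quiet ||
                  echo "WARNING: revoke failed, check account access" >&2
              rm -rf "$cfg"
              exit "$st"' EXIT

        gcloud auth login || exit 1
        mkdir -p "$dest" || exit 1
        gsutil -m cp -r "$bucket" "$dest"
    ) || rc=$?

    return "$rc"
}
```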
0

I am not very familiar with G Suite Takeout, but I have seen my fair share of Google Cloud Storage. There is something that is bothering me here: are you trying to limit your own G Suite account? I do not understand very well the purpose of giving your account read-only permissions to GCS. I have found this post where the use of gsutil and your account is suggested. But please, do elaborate on your use case.

I look forward to your reply.

  • Hi, yes, I am trying to limit my own G Suite account :) I want to download the Takeouts on a PC where I do not need to have full-scope OAuth2 credentials for my G Suite Admin lying around. Does that make my use case more clear? – dim Apr 03 '20 at 05:24