I have a scenario where a Workspace SuperAdmin and a Workspace Admin are being set up to use a single GAM project.
GAM will be installed to each individual's gcloud shell instance.
A GCP Platform owner will create the project, but does not have Workspace Admin access and doesn't have access to admin.google.com.
GAMADV setup instructions generally seem to imply that the Workspace admin should have project creation permissions, but in my case they don't and it is causing some order of operation confusion.
I believe the procedure once the project is created is to have each workspace admin issue a `gam use project` with an saname, which will create a new service account. For the non-super admin, enabling API permissions for the service account will require the super-admin to accept the client id for trust.
Most of the instructions opt to re-use oauth2service.json credentials and share the service account configuration.
Are there other advantages to creating multiple service accounts this way? Perhaps in the audit logs, and/or limited SA scope for one user vs. another?