
Create an alias for a Google Service Account Email?

I've shared a Google Sheet with my Google Service account email, which looks something like:

[email protected]

This permits my application to access that Google Sheet.

I'd like to be able to share the Google Sheet with a custom email address (e.g. [email protected]) aliased to that ugly autogenerated service account email ([email protected]).

How could I go about doing this?

edit:

Example of code used for interacting with Google APIs

    from google_auth_httplib2 import AuthorizedHttp
    from google.oauth2 import service_account
    import pygsheets

    # settings, logger and HTTP are not defined in this snippet;
    # they come from the rest of the application.

    def _get_gc():
        # Request only the Sheets scope for the service account credentials.
        scope = ['https://www.googleapis.com/auth/spreadsheets']
        credentials = service_account.Credentials.from_service_account_file(
            settings.GOOGLE_SERVICE_AUTH_FILE,
            scopes=scope,
        )
        http = AuthorizedHttp(credentials, http=HTTP)
        logger.info('Created GC creds, returning...')
        return pygsheets.authorize(custom_credentials=credentials, http=http)


    def do_something(url):
        gc = _get_gc()
        spreadsheet = gc.open_by_url(url)

Richard asked Oct 15 '22 01:10


1 Answer

Issue – Service accounts cannot have aliases:

Unlike regular accounts, service accounts cannot have aliases. Their email address is defined by:

  • The name of the corresponding project.
  • The name of the service account.

You cannot give it additional aliases.

Workaround – Impersonate a regular account:

If you want to avoid sharing the Google Sheets with the autogenerated service account email address, but you want to keep using the service account to interact with the API, your best option would be to share the Sheets with a regular account that has an acceptable email address, and use the service account to impersonate this regular account, when interacting with the API.

1. Delegating domain-wide authority:

One of the most useful things about a service account is that you can grant it the ability to impersonate any user in your domain and access data on behalf of it. This is called domain-wide delegation, and it can be activated for a service account by following these steps:

Important: You need to be an administrator of the G Suite domain in order to delegate domain-wide authority.

2. Impersonating:

At this point, your service account can impersonate any user in the account. To actually impersonate an account, you would just need to specify which account you want to impersonate when building the credentials.

In your specific case, you would need to provide the parameter subject when calling from_service_account_file, as you can see on the domain-wide delegation section of this page:

    credentials = service_account.Credentials.from_service_account_file(
        settings.GOOGLE_SERVICE_AUTH_FILE,
        scopes=scope,
        subject="[email protected]"
    )

Reference:

  • Delegating domain-wide authority to the service account
Iamblichus answered Oct 21 '22 04:10
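An added example, not part of the original answer and not code from Google's libraries: since a delegated service account can act as any user in the domain, this sketch shows the claim set a delegated token request carries (`sub` is what the `subject` parameter sets) and refuses to build it for users or scopes outside an application-side allowlist. The addresses, the allowlist and the function names are assumptions made for illustration.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets"

# Constructed policy for this example: the only user and scope this
# application is ever expected to use with its delegated service account.
ALLOWED_SUBJECTS = {"reports@example.com"}
ALLOWED_SCOPES = {SHEETS_SCOPE}


class DelegationError(ValueError):
    """Raised when a requested impersonation falls outside the policy."""


def build_delegated_claims(sa_email, subject, scopes, now=None, lifetime=3600):
    """Return the JWT claim set for a delegated token request, or raise."""
    if subject not in ALLOWED_SUBJECTS:
        raise DelegationError(f"subject not allowed: {subject}")
    extra = set(scopes) - ALLOWED_SCOPES
    if not scopes or extra:
        raise DelegationError(f"scopes missing or not allowed: {sorted(extra)}")
    if not 0 < lifetime <= 3600:  # Google caps the assertion at one hour
        raise DelegationError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    return {
        "iss": sa_email,   # the service account still authenticates
        "sub": subject,    # the user it acts as; absent without delegation
        "scope": " ".join(sorted(scopes)),
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def b64url(data):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signing_input(claims):
    """header.payload string that the service account key would sign (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (header, claims)
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
```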