Currently, gog auth service-account set <account> --key <file> appears to always use impersonation (adds a sub claim). Without Domain-Wide Delegation enabled the access is not possible.
If DWD is enabled, gog successfully impersonates a user — but then it has access to everything that user can access in Google Drive, which prevents least-privilege setups.
Use case
I want to use a service account without impersonation, so it can access only:
- Files it created
- Folders explicitly shared with the service account email
This is a common automation pattern and does not require DWD.
Expected behavior
- Allow service account authentication without injecting a sub claim.
- Optionally add a flag like --impersonate instead of making impersonation implicit.
This would enable strict folder-level isolation and better security practices.
Currently,
gog auth service-account set <account> --key <file>appears to always use impersonation (adds a sub claim). Without Domain-Wide Delegation enabled the access is not possible.If DWD is enabled, gog successfully impersonates a user — but then it has access to everything that user can access in Google Drive, which prevents least-privilege setups.
Use case
I want to use a service account without impersonation, so it can access only:
This is a common automation pattern and does not require DWD.
Expected behavior
This would enable strict folder-level isolation and better security practices.