Guide: Service Accounts in Google Workspace — Vendor-Owned vs Customer-Owned Security #32
MoniWork started this conversation in Show and tell
Service Accounts: Who Owns the Credential Matters
Every Google Workspace integration that reads your directory, audits email settings, or manages groups needs a service account. But there's a question most IT admins skip during vendor onboarding: who owns that service account?
Think of it like a door card for a building. When a vendor needs access, there are two approaches:
1. You issue them a card (customer-owned SA) — You create a GCP project, generate a service account key, and upload it to the vendor. You own it, but that JSON key file now lives in two places: your project and the vendor's infrastructure.
2. They bring their own card (vendor-owned SA) — The vendor provides a service account from their GCP project. You authorize it in Google Admin Console with domain-wide delegation. No key file changes hands.
The security implications are completely different. With a customer-owned SA, the private key leaves your control the moment you upload it. With a vendor-owned SA, the customer's only job is authorization — and revocation is one click in Admin Console.
There's actually a third model that takes this further: keyless authentication. No static key file exists anywhere. The vendor's infrastructure gets a temporary identity from the cloud platform at runtime, and Google's IAM service handles the signing server-side.
Five questions to ask before granting any vendor access to your Google Workspace:
Full breakdown with architecture diagrams and a vendor security checklist:
👉 Service Accounts in Google Workspace: Vendor vs Customer-Owned Security Explained
Useful for anyone evaluating Google Workspace integrations or building a vendor security review process.
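The static-key versus keyless distinction above can be checked mechanically during a vendor review. The following is an added example, not part of the original post: it classifies Google credential JSON documents by their `type` field and by whether they carry a long-lived secret. The function names, file paths and sample documents are constructed for illustration.

```python
import json

# Fields that turn a Google credential JSON into a long-lived secret.
SECRET_FIELDS = ("private_key", "refresh_token", "client_secret")

def classify_credential(text):
    """Return (verdict, detail): static-key, keyless, other-secret or not-a-credential."""
    try:
        doc = json.loads(text)
    except ValueError:
        return ("not-a-credential", "not JSON")
    if not isinstance(doc, dict):
        return ("not-a-credential", "not a JSON object")
    present = [f for f in SECRET_FIELDS if doc.get(f)]
    ctype = doc.get("type")
    if ctype == "service_account" and "private_key" in present:
        # Downloaded SA key: whoever holds this file can sign as the account.
        detail = "{} key_id={}".format(doc.get("client_email"), doc.get("private_key_id"))
        return ("static-key", detail)
    if ctype == "external_account" and not present:
        # Federation config: names a runtime token source, carries no secret field.
        return ("keyless", doc.get("service_account_impersonation_url", "no impersonation target"))
    if present:
        return ("other-secret", ",".join(present))
    return ("not-a-credential", "type={!r}".format(ctype))

def audit(files):
    """files maps path -> text; return only the paths holding a long-lived secret."""
    flagged = {}
    for path, text in files.items():
        verdict, detail = classify_credential(text)
        if verdict in ("static-key", "other-secret"):
            flagged[path] = (verdict, detail)
    return flagged

# Constructed sample inputs (no real keys, projects or accounts).
SAMPLES = {
    "vendor-upload/key.json": json.dumps({
        "type": "service_account", "private_key_id": "0000constructed",
        "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
        "client_email": "audit@customer-project.iam.gserviceaccount.com"}),
    "deploy/wif.json": json.dumps({
        "type": "external_account",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "credential_source": {"file": "/var/run/token"}}),
    "settings.json": json.dumps({"theme": "dark"}),
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLES).items():
        print(path, *finding)
```

The `key_id` in a `static-key` finding is the value to match against the key list on the service account when rotating or deleting the key.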