You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf.
Your company does not want to rely on the current user's credentials.
It also wants to follow Google-recommended practices.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
To enable an App Engine application to access a user's Google Drive on their behalf without relying on the user's credentials, and following Google-recommended practices, the recommended approach is to use a Service account with domain-wide delegation.
Option A: Creating a new Service account, and giving all application users the role of Service Account User is not the best approach as it can cause issues with managing access controls and maintaining security best practices.
Option B: Creating a new Service account, and adding all application users to a Google Group with the role of Service Account User is a better approach but still not the recommended practice.
Option C: Using a dedicated G Suite Admin account to authenticate the application's operations is not recommended as it can lead to security issues and can be difficult to manage access controls.
Option D: Creating a new service account, and granting it G Suite domain-wide delegation, and having the application use it to impersonate the user is the recommended approach. With this approach, the application uses the service account to act on behalf of the user, and the user's credentials are not needed. Additionally, by using domain-wide delegation, administrators can set granular permissions to ensure that the service account only has access to the necessary resources.
Therefore, the correct answer is D - Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.