# Google Drive Domain-Wide Delegation (DWD)
**Edition:** Enterprise only
**Supported deployments:** Self-hosted

The Google Drive DWD integration scans files and comments across an entire Google Workspace domain by impersonating users via a service account, enabling org-wide scanning without individual user consent. For single-account scanning, see the Google Drive integration instead.

## Prerequisites

| Requirement | Detail |
| --- | --- |
| Google Workspace plan | Business, Enterprise, Education, or Nonprofits |
| Google Workspace admin | Super Admin access to the Admin Console |
| GCP project | Owner or Editor access to a Google Cloud Platform project |

## Configuration

The Google Drive DWD integration is configured via a local configuration file. Web configuration in TruffleHog is not available for this source.

DWD setup requires four phases in Google's consoles before TruffleHog can scan: create a GCP service account, enable domain-wide delegation, generate a JSON key, and authorize the service account in Google Workspace. The TruffleHog configuration itself is the fifth and final step.

### Step 1: Create a GCP service account

1. In the Google Cloud Console, create or select a project.
2. Navigate to **APIs & Services > Library** and enable the following APIs:

   | API | Purpose |
   | --- | --- |
   | Google Drive API | Access user Drive files |
   | Admin SDK API | List users in the domain (required only when scanning all users) |

3. Navigate to **IAM & Admin > Service Accounts** and click **+ Create Service Account**.
4. Name the account (e.g., `trufflehog-drive-scanner`) and click **Create and Continue**.
5. Skip the optional permissions and click **Done**.

### Step 2: Enable domain-wide delegation on the service account

1. Click the service account you just created.
2. Click **Advanced settings** (or **Show domain-wide delegation**).
3. Check **Enable Google Workspace Domain-wide Delegation** and click **Save**.
4. Copy the **Client ID**, a numeric string like `123456789012345678901`. You'll need it in Step 4.

### Step 3: Create a JSON key

1. In the service account details, go to the **Keys** tab.
2. Click **Add Key > Create new key**, select **JSON**, and click **Create**.
3. Save the downloaded file securely. Its contents go into the service account JSON field in the TruffleHog configuration.

If your organization has disabled service account key creation (the `iam.disableServiceAccountKeyCreation` policy), contact your GCP organization admin to request an exception.

### Step 4: Authorize the service account in Google Workspace

1. Go to the Google Admin Console and sign in with a Super Admin account.
2. Navigate to **Security > Access and data control > API controls**.
3. Click **Manage Domain Wide Delegation**, then **Add new**.
4. Enter the Client ID from Step 2.
5. Enter the following OAuth scopes (comma-separated, no spaces):

   `https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly`

6. Click **Authorize**.

The `admin.directory.user.readonly` scope is only required when scanning all domain users. If you provide an explicit include-users list, only `drive.readonly` is needed.

### Step 5: Configure TruffleHog

Local configuration supports three scoping variants, depending on which users you want to scan:

- **All domain users**: requires a Super Admin email to enumerate users via the Admin SDK.
- **Specific users only**: provide an explicit list; no Super Admin is needed.
- **All users except specific users**: combine domain enumeration with an exclusion list.

**All domain users**

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GoogleDrive
      dwd:
        serviceAccountJson: |
          {
            "type": "service_account",
            "project_id": "your-project-id",
            "private_key_id": "...",
            "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
            "client_email": "your-sa@your-project.iam.gserviceaccount.com",
            "client_id": "..."
          }
        adminEmail: "admin@yourcompany.com"
    name: gd-dwd
    type: SOURCE_TYPE_GOOGLE_DRIVE
```

**Specific users only**

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GoogleDrive
      dwd:
        serviceAccountJson: |
          { ... }
        includeUsers:
          - "user1@yourcompany.com"
          - "user2@yourcompany.com"
    name: gd-dwd-targeted
    type: SOURCE_TYPE_GOOGLE_DRIVE
```

**All users except specific users**

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GoogleDrive
      dwd:
        serviceAccountJson: |
          { ... }
        adminEmail: "admin@yourcompany.com"
        excludeUsers:
          - "service-account@yourcompany.com"
          - "external-contractor@yourcompany.com"
    name: gd-dwd-filtered
    type: SOURCE_TYPE_GOOGLE_DRIVE
```

#### Configuration options

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `dwd.serviceAccountJson` | string | Yes | Full contents of the service account JSON key file |
| `dwd.adminEmail` | string | Conditional | Super Admin email used to enumerate domain users via the Admin SDK. Required when `includeUsers` is not specified. |
| `dwd.includeUsers` | list | No | Explicit list of user emails to scan. When set, `adminEmail` is not required. |
| `dwd.excludeUsers` | list | No | User emails to skip when scanning all users. Ignored when `includeUsers` is set. |

## Capabilities

| Feature | Supported |
| --- | --- |
| Org-wide scanning via impersonation | ✓ |
| Scan file contents (Docs, Sheets, Slides, Drawings) | ✓ |
| Scan file comments and replies | ✓ |
| Scan files in My Drive and shared drives | ✓ |
| Shared file deduplication | ✓ |
| Skip suspended and archived users | ✓ |

## Verification checklist

After setup, confirm:

| Item | Where to find it |
| --- | --- |
| Service account JSON key downloaded | Step 3 |
| Client ID authorized in Workspace | Admin Console > Security > API controls > Domain-wide delegation |
| OAuth scopes match exactly | `drive.readonly` and `admin.directory.user.readonly` |
| Admin email is a Super Admin | Admin Console > Directory > Users (check the role) |
| DWD enabled on the service account | GCP Console > Service account > Advanced settings |

## How DWD scanning works

```text
┌────────────┐        ┌─────────────────┐        ┌──────────────┐
│ TruffleHog │ ─────> │ Service Account │ ─────> │ User's Drive │
│            │        │ (impersonates)  │        │  (via DWD)   │
└────────────┘        └─────────────────┘        └──────────────┘
```

1. **Initialization**: the source validates the configuration (service account JSON, admin email).
2. **User enumeration**: if `includeUsers` is provided, that list is used directly. Otherwise, the Admin SDK (impersonating `adminEmail`) enumerates all domain users.
3. **Filtering**: suspended, archived, and excluded users are skipped automatically.
4. **Per-user scanning**: for each user, TruffleHog creates an impersonated Drive service, lists files, and scans contents and comments. Errors on a single user don't stop the scan; it continues with the next user.

### User filtering

When scanning all users (no `includeUsers`), users are filtered automatically based on their state:

| User state | Behavior |
| --- | --- |
| Active | Scanned |
| Suspended | Skipped |
| Archived | Skipped |
| In `excludeUsers` | Skipped |

When using `includeUsers`, the list is used as-is. If a user in the list is suspended, archived, or invalid, the impersonation fails, the error is logged, and scanning continues with the next user.

### Shared file deduplication

When scanning multiple users, files shared between users are deduplicated automatically:

| File type | Detection | Behavior |
| --- | --- | --- |
| Files shared from My Drive | `file.shared == true` | Scanned once, skipped for subsequent users |
| Files in shared drives | `file.driveId != ""` | Scanned once, skipped for subsequent users |
| Private files | Neither condition | Scanned (appears only for one user) |

### Google file type exports

Google-native file types are exported before scanning:

| Google file type | Exported as |
| --- | --- |
| Google Docs | Plain text |
| Google Sheets | CSV |
| Google Slides | Plain text |
| Google Drawings | PDF |

### Notes

- Files larger than 10 MB are skipped. Empty files are also skipped.
- Google Groups, service accounts, and external users cannot be scanned: groups don't have Drive storage, service accounts aren't in the Workspace user directory, and external users can't be impersonated.

## Troubleshooting

| Error | Cause | Solution |
| --- | --- | --- |
| `unauthorized_client` | DWD scopes not authorized in Workspace Admin | Verify the Client ID and scopes in Admin Console > API controls > Domain-wide delegation |
| `Not authorized to access this resource` | `adminEmail` is not a Super Admin | Use a Super Admin email for `adminEmail` |
| `Invalid subject` / `user not found` | Impersonating a non-existent user, group, or external email | Verify the email is a valid user in the domain |
| `User is suspended` | Impersonating a suspended user | Remove the user from `includeUsers`; auto-filtered when scanning all users |
| `Service account key creation is disabled` | Organization policy blocks key creation | Contact your GCP org admin for an exception |
| `Admin SDK API has not been enabled` | API not enabled in GCP | Enable the Admin SDK API in the GCP Console |

## Security and data handling

- **Read-only access**: the scanner only requires `drive.readonly`. It cannot modify, delete, or create content in Google Drive.
- **No data persistence**: all file content is downloaded and scanned in memory. No document content is stored by TruffleHog.
- **Least-privilege scopes**: only `drive.readonly` and `admin.directory.user.readonly` are requested.
- **Credential redaction**: service account JSON keys are automatically redacted from log output.
- **Audit trail**: Google Workspace audit logs show impersonation events from the service account.
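As an added illustration (not TruffleHog's code), the following Python models the scoping rules from Step 5 together with the user-filtering, shared-file deduplication and per-user error handling described under "How DWD scanning works", run over constructed in-memory directory and Drive listings. The `DwdConfig` class, the function names and the sample data are assumptions made here, not TruffleHog's API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
MAX_FILE_BYTES = 10 * 1024 * 1024  # files larger than 10 MB are skipped

@dataclass
class DwdConfig:  # mirrors the dwd.adminEmail / includeUsers / excludeUsers fields
    admin_email: Optional[str] = None
    include_users: List[str] = field(default_factory=list)
    exclude_users: List[str] = field(default_factory=list)

def validate(cfg: DwdConfig) -> None:
    # adminEmail is only needed to enumerate the domain via the Admin SDK
    if not cfg.include_users and not cfg.admin_email:
        raise ValueError("adminEmail is required when includeUsers is not set")

def select_users(cfg: DwdConfig, directory: List[Tuple[str, str]]) -> List[str]:
    """directory is a constructed (email, state) listing as the Admin SDK reports it."""
    if cfg.include_users:  # explicit list is used as-is; excludeUsers is ignored
        return list(cfg.include_users)
    skip = set(cfg.exclude_users)
    return [u for u, state in directory if state == "active" and u not in skip]

def scan(cfg: DwdConfig, directory: List[Tuple[str, str]],
         drives: Dict[str, List[Tuple[str, bool, str, int]]]):
    """Files are (id, shared, driveId, size). Returns (scanned pairs, failed users)."""
    validate(cfg)
    seen, scanned, errors = set(), [], []
    for user in select_users(cfg, directory):
        if user not in drives:  # impersonation failed (suspended, archived, unknown)
            errors.append(user)  # logged; the scan continues with the next user
            continue
        for file_id, shared, drive_id, size in drives[user]:
            if size == 0 or size > MAX_FILE_BYTES:  # empty and oversized files skipped
                continue
            if shared or drive_id:  # My Drive share or shared-drive file: scan once
                if file_id in seen:
                    continue
                seen.add(file_id)
            scanned.append((user, file_id))
    return scanned, errors

# Constructed sample data (not from a real domain); only active users are impersonable.
DIRECTORY = [("alice@yourcompany.com", "active"), ("bob@yourcompany.com", "suspended"),
             ("dave@yourcompany.com", "active"), ("svc@yourcompany.com", "active")]
DRIVES = {"alice@yourcompany.com": [("f1", True, "", 512), ("f2", False, "", 2048),
                                    ("f3", False, "drive-A", 4096), ("f5", False, "", 0)],
          "dave@yourcompany.com": [("f1", True, "", 512), ("f4", False, "", 11 << 20),
                                   ("f3", False, "drive-A", 4096), ("f6", False, "", 99)]}
```

Running `scan` with the all-users configuration yields the shared files `f1` and `f3` once (from the first user that exposes them), drops the empty and 11 MB files, and records a failure for any listed user who cannot be impersonated without aborting the run.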