top | item 46954177

(no title)

agwa | 20 days ago

Having the customer send me the key is less secure because that key never gets rotated. Google wants to discourage long-lived credentials so badly that new organizations can't even create service account keys by default anymore.

Having the customer grant permission to a single master service account is vulnerable to confused deputy attacks.

In any case, why should I have to pursue "other solutions" to something that's in their documentation?

discuss

No comments yet.