How to set up Google service account with permissions to send email for one user account (not Domain Wide delegation)

Question

In have set up a service account for a particular project and that project has the "Gmail API" added to it as an enabled API.

Is there a way to set up permissions for one of the user accounts on the Google workspace account (not every account) so that that service account can send emails for that user account only?

Answer 1

To send emails on behalf of a Google Workspace user, you need to delegate domain-wide authority to your service account. The service account can impersonate different users one at a time. So if you are looking to impersonate one user, there is no problem as you actually specify the user's email address when making an authorized API call.

After you delegate DwD to a service account, you make the authorized API call where you specify the user's email address to impersonate. This means that the service account only has access to data from that specific account the application is impersonating.

Answer 2

A Service Account is a credential that can not access individual user data. SA can only access user data for every user via Domain Wide Delegation. In other words, using a service account is the wrong approach for your needs.

Client Id, on the other hand, is the credential used to request access to user-owned data for a specific user. This is the primary credential used when requesting access to data using Google Workspace API such as GMail Api. This credential requires user consent. However, once this consent is obtained, a server application can access user data without user being ever present. This is called offline access.

This consent takes form of an access token and a refresh token. You can obtain them using Google OAuth 2 Api and use them in a similar same way you would use a service account.