[vrosas]

Why didn’t you just have the customer create a service account and then send you the key? Or you’d just have one master service account and the customer would give you permission to impersonate the one they created? I’m sorry you ran into this but there were other solutions.

[agwa]

Having the customer send me the key is less secure because that key never gets rotated. Google wants to discourage long-lived credentials so badly that new organizations can't even create service account keys by default anymore.

Having the customer grant permission to a single master service account is vulnerable to confused deputy attacks.

In any case, why should I have to pursue "other solutions" to something that's in their documentation?