Excessive permissions recommended? #224
Assignees
Labels
bug
Something isn't working
Comments
|
Seems reasonable, as long as we are 100% sure it works fine without |
|
Work without problems in my testing, and the API docs only ask you to give the service account permissions within Google Play Console, not in GCP: https://developers.google.com/android-publisher/getting_started#service-account |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey, I wonder why the instructions suggest giving the service account "owner" on the project. That is very unsafe and is excessive.
I actually got this working without any permissions at all - as far as I can tell the service account just needs to be added in Play Store to have permissions to publish the app, but on GCP IAM level no permissions are required. Maybe that is for features I'm not using?
I would recommend updating the README to not ask people to just give such broad permissions to the account. Happy to send a PR if you agree.
Additionally I would highlight the fact no secret json is required and workload identity can be used: #146 (comment)
The text was updated successfully, but these errors were encountered: