<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: GCDS - Using a Google Service account instead of standard account in Peer-Peer Topics</title>
    <link>https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/GCDS-Using-a-Google-Service-account-instead-of-standard-account/m-p/174049#M4460</link>
    <description></description>
    <pubDate>Sun, 07 Sep 2025 22:31:28 GMT</pubDate>
    <dc:creator>Josh</dc:creator>
    <dc:date>2025-09-07T22:31:28Z</dc:date>
    <item>
      <title>GCDS - Using a Google Service account instead of standard account</title>
      <link>https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/GCDS-Using-a-Google-Service-account-instead-of-standard-account/m-p/172959#M4455</link>
      <description>&lt;P&gt;Greetings all,&lt;/P&gt;&lt;P&gt;Per Google's upcoming change to force 2SV on all admin accounts, we're looking to clean up some of our older admin accounts.&lt;/P&gt;&lt;P&gt;One is related to our GCDS tool. I've followed instructions on creating a Google Service account and I think I've done that right, but I can't seem to figure out how to configure the GCDS application itself to use the new service account.&lt;/P&gt;&lt;P&gt;Gemini keeps telling me over and over to click on/find the "Use service account" or "Upload JSON file" option within the Google Domain Configuration tab of the GCDS application (currently running v5.0.39). However, no such option appears anywhere.&lt;/P&gt;&lt;P&gt;The ONLY option is the standard "Authorize Now" button, which uses OAuth and opens the Chrome browser and skips any way to use the service account instead.&lt;/P&gt;&lt;P&gt;What am I missing? How are you handling having 2FA on accounts like these? ("service" or "shared" accounts)??&lt;/P&gt;&lt;P&gt;I've got a handful of other 'service' accounts that will likely be problematic if forced to use 2SV/2FA.&lt;/P&gt;&lt;P&gt;How about enrolling new Chromebooks? If you're automating that process, there's likely an admin account involved. Asking for 2SV for each enrollment is a big problem (and we're only a small school, so I can't imagine what a large district would do)&lt;/P&gt;</description>
      <pubDate>Thu, 04 Sep 2025 20:38:36 GMT</pubDate>
      <guid>https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/GCDS-Using-a-Google-Service-account-instead-of-standard-account/m-p/172959#M4455</guid>
      <dc:creator>Justin_W</dc:creator>
      <dc:date>2025-09-04T20:38:36Z</dc:date>
    </item>
    <item>
      <title>Re: GCDS - Using a Google Service account instead of standard account</title>
      <link>https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/GCDS-Using-a-Google-Service-account-instead-of-standard-account/m-p/174049#M4460</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://www.googleforeducommunity.com/t5/user/viewprofilepage/user-id/59"&gt;@Justin_W&lt;/a&gt;&amp;nbsp;wrote:&lt;P&gt;The ONLY option is the standard "Authorize Now" button, which uses OAuth and opens the Chrome browser and skips any way to use the service account instead.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;That is a good question! I just had a quick look at the docs and it looks like GCDS only supports authentication via OAuth tokens.&lt;/P&gt;&lt;P&gt;To be honest that doesn't surprise me because authenticating via OAuth token is generally simpler for end users and more secure as opposed to authenticating via JSON or P12 keys.&lt;/P&gt;&lt;P&gt;Concerning 2FA on accounts used with GCDS and other services: you are only prompted for 2FA when the account is authorized and a new OAuth token is generated. This is generally when you set up GCDS for the first time, or if authorization needs to be re-completed for some reason (e.g., the account password was changed and the existing tokens were automatically revoked).&lt;/P&gt;&lt;P&gt;When GCDS automatically renews an existing token, 2FA is not required to be completed.&lt;/P&gt;&lt;P&gt;Overall the 2FA requirement does not really change things much in regards to GCDS. It will continue as normal once you authorize the account and complete 2FA for the initial setup.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://www.googleforeducommunity.com/t5/user/viewprofilepage/user-id/59"&gt;@Justin_W&lt;/a&gt;&amp;nbsp;wrote:&lt;P&gt;What am I missing? How are you handling having 2FA on accounts like these? ("service" or "shared" accounts)??&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Using standard user accounts is fine but I recommend that they be dedicated to specific services only and not used for daily or other interactive usage.&lt;/P&gt;&lt;P&gt;What I mean by that is to have one or more accounts dedicated to just running these administrative services. They should not be used interactively by anyone (e.g., accessing the admin console) as doing so increases the risk of compromising the account credentials and/or invalidating the generated OAuth tokens.&lt;/P&gt;&lt;P&gt;In regards to 2FA on the account, you can set up whichever method works best for you and your team. Be mindful though that the method needs to be accessible if you were to become unavailable. You might be sick or get a job elsewhere and forget to update it. I recommend a USB security key that can be kept secure in your office somewhere.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://www.googleforeducommunity.com/t5/user/viewprofilepage/user-id/59"&gt;@Justin_W&lt;/a&gt;&amp;nbsp;wrote:&lt;P&gt;How about enrolling new Chromebooks? If you're automating that process, there's likely an admin account involved. Asking for 2SV for each enrollment is a big problem (and we're only a small school, so I can't imagine what a large district would do)&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;When it comes to enrolling Chromebooks I strongly encourage purchasing the devices with Zero Touch Enrolment. It is a game changer compared to rubber ducky/Go-Box methods. ZTE does not require any logins on the device for it to be enrolled, it is automatic as soon as it connects to the internet for the first time. If unboxing the devices yourself, I recommend using USB Ethernet adapters to get them online.&lt;/P&gt;&lt;P&gt;Process with ZTE is roughly:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Provide ZTE token to vendor&lt;/LI&gt;&lt;LI&gt;Vendor enrolls the devices&lt;/LI&gt;&lt;LI&gt;Unbox the devices&lt;/LI&gt;&lt;LI&gt;Power on and connect USB Ethernet&lt;/LI&gt;&lt;LI&gt;Push Enter at the initial welcome screen&lt;/LI&gt;&lt;LI&gt;Device automatically enrolls&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Steps 4-6 take about 30-60 seconds per device.&lt;/P&gt;&lt;P&gt;If using Go-Box/Rubber Ducky or bulk manual enrolment, create a separate account with no admin privileges then use that for completing the enrolments. Reduces the risk of credentials being leaked, and more importantly will avoid the 2FA prompts.&lt;/P&gt;&lt;P&gt;Obviously one-off enrolments aren't going to be a big issue if you need to complete 2FA occasionally, but in bulk it is about trying to work smarter, not harder.&lt;/P&gt;</description>
      <pubDate>Sun, 07 Sep 2025 22:31:28 GMT</pubDate>
      <guid>https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/GCDS-Using-a-Google-Service-account-instead-of-standard-account/m-p/174049#M4460</guid>
      <dc:creator>Josh</dc:creator>
      <dc:date>2025-09-07T22:31:28Z</dc:date>
    </item>
  </channel>
</rss>

