This question came up for me this morning with our Security Operations team. The context is GCP, but Groups transcend Workspace so I came over here to ask for opinions as well.
SecOps gave me an example of an existing group with a bunch of service account members. When I inspected the GCP role assignments of these members I noticed they were almost the same; a couple of service accounts had different roles. To me a group is a collection of things meant to be managed in the same way.
At a minimum, my view is that groups should be homogeneous: all user accounts or all service accounts. Moreover I can be easily convinced service accounts ought to be banned from groups altogether in a cloud application environment despite Google’s allowing it: https://workspaceupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html
What’s your take?
Previously, you had to use domain-wide delegation and admin impersonation to provide service accounts with sufficient data access. This was a cumbersome process, which could result in overly broad privileges for the service account and audit logs that were hard to interpret.
However, service accounts can now have direct access to Groups APIs without needing domain-wide delegation and admin impersonation. This means you can:
Hope it helps.
The answer is somewhere between yes and no.
Yes, they should be part of groups if you exclusively use groups to manage access to GCP. Thus service accounts that need access to GCP resources need to be part of groups.
No, they should not be in distribution lists or other non-targeted groups.
As you said, service accounts are usually used for machine-to-machine interactions; think of them as a robot in your kitchen which can assist you in getting a few things done.
Now whether you need them as a part of your family (or group) really depends on your requirements.
An example of such a requirement: you offer a training service which can be accessed by anyone who is part of your "subscribers" group. Now you have another portal where your customers purchase your services. To give them automated access, you may leverage a service account which can programmatically manage your "subscribers" group instead of asking an owner/manager of that group to do it manually.
Of course, I would start with no service accounts in the group, only add them if required, and also follow best practices such as regular auditing to ensure least privilege.
I would also recommend labeling your groups for easy classification https://workspaceupdates.googleblog.com/2020/09/security-groups-beta.html?m=1
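The check the original poster did by hand (compare the role assignments of every member of a group and see whether the group is really one kind of principal) and the "regular auditing to ensure least privilege" recommended above are easy to script. The following is an added example written for this thread; it is not code from any of the posters or from Google. It assumes two inputs you already have: the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json` and the member e-mail addresses listed by `gcloud identity groups memberships list --group-email=GROUP`. The group name, project id, principals and bindings in the sample data are constructed for illustration.

```python
"""Audit a Google Group's members against a GCP IAM policy.

Added example for this thread (not code from the original posts or from Google).
Inputs are assumed to be: the JSON printed by
`gcloud projects get-iam-policy PROJECT --format=json` and the member e-mail
addresses listed by `gcloud identity groups memberships list --group-email=GROUP`.
The sample data below is constructed for illustration.
"""
import json
from collections import defaultdict


def member_kind(email):
    """Classify a principal by its address.

    Service accounts always live under a *.gserviceaccount.com domain
    (e.g. NAME@PROJECT.iam.gserviceaccount.com); everything else is treated as a user.
    """
    domain = email.lower().rsplit("@", 1)[-1]
    return "serviceAccount" if domain.endswith("gserviceaccount.com") else "user"


def roles_by_principal(policy):
    """Invert an IAM policy into {IAM member string: set of roles}.

    IAM member strings carry a type prefix, e.g. "user:alice@example.com",
    "serviceAccount:ci@proj.iam.gserviceaccount.com", "group:g@example.com".
    """
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles[member].add(binding["role"])
    return roles


def audit_group(group_email, members, policy):
    """Check one group for mixed member types and for per-member role drift.

    Returns a dict with:
      homogeneous - True when every member is the same kind (all users or all SAs)
      group_roles - roles the group itself holds in the policy
      divergent   - members holding direct roles the group does not grant
      redundant   - members holding direct roles the group already grants
    """
    kinds = {m: member_kind(m) for m in members}
    by_principal = roles_by_principal(policy)
    group_roles = by_principal.get(f"group:{group_email}", set())
    divergent, redundant = {}, {}
    for m in members:
        direct = by_principal.get(f"{kinds[m]}:{m}", set())
        if direct - group_roles:
            divergent[m] = sorted(direct - group_roles)
        if direct & group_roles:
            redundant[m] = sorted(direct & group_roles)
    return {
        "group": group_email,
        "homogeneous": len(set(kinds.values())) <= 1,
        "kinds": kinds,
        "group_roles": sorted(group_roles),
        "divergent": divergent,
        "redundant": redundant,
    }


# Constructed sample: what gcloud would print for a small project (not real data).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/artifactregistry.writer",
     "members": ["group:build-robots@example.com",
                 "serviceAccount:ci@proj.iam.gserviceaccount.com"]},
    {"role": "roles/run.admin",
     "members": ["serviceAccount:deploy@proj.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}
""")
SAMPLE_MEMBERS = [
    "ci@proj.iam.gserviceaccount.com",
    "deploy@proj.iam.gserviceaccount.com",
    "alice@example.com",
]


def report(result):
    """Render audit findings as plain lines; returns the list so callers can check it."""
    lines = [f"group {result['group']}: roles {result['group_roles']}"]
    if not result["homogeneous"]:
        lines.append("  MIXED membership: " + ", ".join(
            f"{m} ({k})" for m, k in result["kinds"].items()))
    for m, r in result["divergent"].items():
        lines.append(f"  DIVERGENT {m}: direct roles not granted via group {r}")
    for m, r in result["redundant"].items():
        lines.append(f"  REDUNDANT {m}: direct grant duplicates group role {r}")
    return lines


if __name__ == "__main__":
    findings = audit_group("build-robots@example.com", SAMPLE_MEMBERS, SAMPLE_POLICY)
    print("\n".join(report(findings)))
```

Run it over the real policy of each project the group is bound in. A "divergent" hit is the case the original poster saw: a member that needs more than the group grants and therefore does not belong in that group, or a group whose role set is wrong. A "redundant" hit is an individual grant that should be dropped in favour of the group binding. One caveat: `get-iam-policy` on a project shows only that project's bindings, so roles inherited from a folder or organization binding, and roles granted on individual resources (buckets, topics, secrets), will not appear; repeat the audit at those levels or use an inventory export if you rely on inherited access.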
I personally do not like having service accounts in groups at all. I understand why Google opened up the capability, but it’s dangerous.
I won't comment on your liking/disliking, but service accounts cannot do anything by themselves unless you have intentionally made a program which leverages them in some way.
Of course! My original question had to do with the hygiene of whether they ought to be members of groups.