Why does setting up Google Workspace with Workload Identity Federation in Panther require an admin user email for impersonation?

Last updated: March 27, 2026

QUESTION

When configuring Google Workspace log ingestion in Panther using Workload Identity Federation (WIF), why is an admin user email address still required in Step 8? Does WIF not eliminate the need for user impersonation?

ANSWER

What WIF solves: how Panther authenticates to Google Cloud

Without WIF, you would need to generate a GCP Service Account key (a JSON file), a long-lived secret that must be stored, rotated, and protected from leaks. With WIF, Panther uses its AWS IAM credentials via federated identity instead. No key files are needed, credentials rotate automatically, and there are no secrets to manage.

What WIF does not solve: how the Service Account accesses Google Workspace data

Google Workspace APIs (Admin SDK, Reports API, Directory API) are designed so that a Service Account can never directly access organization data. The Service Account must always act on behalf of a specific user; this is Domain-Wide Delegation (DWD). This requirement exists regardless of whether you use WIF or a key file, and cannot be bypassed (see Google documentation).

The admin user email in Step 8 simply tells Panther which Workspace user to impersonate when making API calls. It does not introduce a new secret or credential; no password is involved.
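To make the two layers concrete, here is an added illustration (not Panther's code, and not taken from Google's documentation) of what each step carries. The WIF credential configuration holds only identifiers (project number, pool, provider, service account email), never a private key, while the JWT claim set that domain-wide delegation exchanges for a Workspace access token carries the impersonated user in the `sub` claim and nothing resembling a password. The project number, pool, provider and e-mail addresses below are constructed placeholders; the exact field layout of the external-account config is an assumption about Google's format, and in a real WIF setup the JWT would be signed through the IAM Credentials API rather than with a local key.

```python
import json
import time

# Constructed placeholders; none of these values come from the original article.
SA_EMAIL = "panther-logs@example-project.iam.gserviceaccount.com"
ADMIN_USER = "panther-integration@yourdomain.com"  # the Step 8 admin user
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
DIRECTORY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def wif_credential_config(project_number, pool_id, provider_id, sa_email):
    """Assumed shape of a GCP external-account credential configuration for an
    AWS workload. Everything in it is an identifier or a URL; no secret is stored."""
    return {
        "type": "external_account",
        "audience": (
            f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}"
        ),
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{sa_email}:generateAccessToken"
        ),
        "credential_source": {
            "environment_id": "aws1",
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": (
                "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
            ),
        },
    }


def has_long_lived_secret(config):
    """True when the credential config embeds a service account private key,
    i.e. the long-lived secret that WIF lets you avoid."""
    return config.get("type") == "service_account" and "private_key" in config


def delegation_claims(sa_email, subject, scopes, now=None, lifetime=3600):
    """Claim set of the JWT that domain-wide delegation exchanges for a Workspace
    access token. `iss` is the Service Account, `sub` is the Workspace user being
    impersonated (the Step 8 admin e-mail). No password or user secret appears."""
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": "https://oauth2.googleapis.com/token",
        "iat": now,
        "exp": now + lifetime,
    }


if __name__ == "__main__":
    # Layer 1: how Panther authenticates to Google Cloud (WIF, no key file).
    config = wif_credential_config("123456789012", "panther-pool", "aws-provider", SA_EMAIL)
    print("WIF config embeds a private key:", has_long_lived_secret(config))
    # Layer 2: how the Service Account reaches Workspace data (DWD, impersonation).
    claims = delegation_claims(SA_EMAIL, ADMIN_USER, [REPORTS_SCOPE, DIRECTORY_SCOPE])
    print(json.dumps(claims, indent=2))
```

Reading the two outputs side by side shows why both pieces are needed: the WIF config answers "who is this workload to Google Cloud", and the `sub` claim answers "which Workspace user is this request made on behalf of".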

Recommendation: use a dedicated service admin account

Rather than impersonating a personal super admin account, create a dedicated service user (e.g. panther-integration@yourdomain.com) and assign it only the minimum required admin roles, i.e. the following privileges:

  • Reports privilege for reading audit logs

  • Users > Read privilege for user directory enrichment

  • Vault > Access All logs privilege, if using the Vault Google Workspace app

This keeps permissions minimal, avoids involving personal accounts, and provides a clear audit trail of Panther's access. These roles can be assigned in the Google Admin console under Admin roles.

For full setup instructions, see Panther's Google Workspace documentation.

Workload Identity Federation (WIF) significantly reduces security risks by eliminating the need for service account key files. These keys are long-lived credentials that, if compromised, provide persistent access to your Google Cloud resources. With WIF, you benefit from:

  • No key files: eliminates secrets that require rotation, management, or risk of leakage.

  • Automatic credential rotation: AWS issues temporary credentials, enhancing security.

  • Reduced blast radius: access is limited to the specific AWS role rather than a static key.

  • Compliance: aligns with Google's best practices by avoiding service account keys (see Google's recommendations).