
Feature Request: Support Service Account Access Scoped to a Single Shared Drive (No Domain-Wide Delegation) #686

@abebars

Description

Context

Hermes’ production documentation currently recommends using a Google Workspace Service Account with Domain-Wide Delegation (DWD) for Drive, Docs, Gmail, and Directory operations.
This approach enables full “as-user” attribution for API-driven actions but also grants the service account the ability to impersonate any user in the domain for the approved scopes.

For some deployments, DWD introduces security and compliance concerns because it significantly increases the blast radius if the service account credentials are compromised.


Problem

There is currently no documented or supported way to run Hermes in production using a service account without Domain-Wide Delegation while still leveraging Google Drive as the storage backend.
Organizations seeking a more restrictive security posture may prefer to scope a service account’s access to a single Shared Drive instead of the entire domain.


Potential Feature

Introduce support for running Hermes with:

  • A service account that does not use Domain-Wide Delegation.

  • A service account that has been added as a member of a specific Shared Drive that contains the Shortcuts, All Documents, and Drafts folders.

  • Drive API calls updated to be Shared Drive–aware by including:

    • supportsAllDrives=true
    • includeItemsFromAllDrives=true (for list/search)
    • corpora=drive and driveId=<configured_drive_id> (for list/search and create)

This would allow Hermes to operate within a confined scope while preserving existing workflows, with the trade-off that API actions would be attributed to the service account rather than the individual user.


Questions for Maintainers

  • Would support for a “Service Account without DWD” mode be acceptable as an optional configuration in Hermes?
  • Are there any known workflows or features that require impersonation (subject) for correctness?
  • Would it make sense to make this the default behavior when no subject is provided in the google_workspace configuration?
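The parameter set described in the request, as an added stand-alone example (not code from the issue author or from Hermes): a helper that selects the no-DWD mode when `subject` is empty, refuses to run without a configured drive ID, and adds `supportsAllDrives`, `includeItemsFromAllDrives`, `corpora=drive` and `driveId` to the query for Drive v3 `files.list`, with only `supportsAllDrives` for `files.create` (placing the file inside the drive is done through the request body's `parents`, which this example leaves out). `WorkspaceConfig`, `sharedDriveParams`, `listFilesURL` and the drive ID value are assumptions made for this illustration, built on the standard library rather than the Google API client.

```go
package main

import (
	"errors"
	"net/url"
)

const filesEndpoint = "https://www.googleapis.com/drive/v3/files"

// WorkspaceConfig stands in for the google_workspace settings named in the
// issue; it is constructed for this example and is not Hermes' real type.
type WorkspaceConfig struct {
	Subject string // user to impersonate under DWD; empty selects no-DWD mode
	DriveID string // Shared Drive the service account is a member of
}

// sharedDriveParams returns the query parameters to add to a Drive v3 call.
// supportsAllDrives is needed on every call that touches a Shared Drive; the
// corpora/driveId/includeItemsFromAllDrives trio applies to list/search only.
// Without impersonation a drive ID is mandatory so that calls stay confined
// to the one configured drive.
func sharedDriveParams(cfg WorkspaceConfig, list bool) (url.Values, error) {
	v := url.Values{}
	if cfg.Subject != "" {
		return v, nil // DWD mode: existing as-user behaviour, no extra flags
	}
	if cfg.DriveID == "" {
		return nil, errors.New("google_workspace: subject is empty, so drive_id is required")
	}
	v.Set("supportsAllDrives", "true")
	if list {
		v.Set("includeItemsFromAllDrives", "true")
		v.Set("corpora", "drive")
		v.Set("driveId", cfg.DriveID)
	}
	return v, nil
}

// listFilesURL builds the files.list request URL for Drive query q.
func listFilesURL(cfg WorkspaceConfig, q string) (string, error) {
	v, err := sharedDriveParams(cfg, true)
	if err != nil {
		return "", err
	}
	v.Set("q", q)
	return filesEndpoint + "?" + v.Encode(), nil
}
```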
