
feat: Add IAM OAuth scope to appsscript.json #296

Merged
PierrickVoulet merged 1 commit into main from PierrickVoulet-patch-2 on Feb 3, 2026

Conversation

@PierrickVoulet (Contributor)

No description provided.

@PierrickVoulet PierrickVoulet self-assigned this Feb 3, 2026
@gemini-code-assist

Summary of Changes

Hello @PierrickVoulet, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates the Google Cloud IAM OAuth scope into the application's manifest. This change is fundamental for enabling the AI agent to perform operations that require managing identities and access permissions within Google Cloud, thereby expanding its functional capabilities related to resource access control.

Highlights

  • IAM OAuth Scope Added: The https://www.googleapis.com/auth/iam OAuth scope has been added to the appsscript.json configuration file. This grants the application the necessary permissions to interact with Google Cloud Identity and Access Management (IAM) services.

Changelog

  • apps-script/chat/a2ui-useraction-ai-agent/appsscript.json
    • Added the https://www.googleapis.com/auth/iam OAuth scope to the oauthScopes array.

Activity

  • No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

@PierrickVoulet PierrickVoulet merged commit 1661e37 into main Feb 3, 2026
9 of 13 checks passed
@PierrickVoulet PierrickVoulet deleted the PierrickVoulet-patch-2 branch February 3, 2026 18:05

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds the https://www.googleapis.com/auth/iam OAuth scope to the application manifest to enable service account impersonation. While this is necessary for that feature, this scope is very broad and grants significant permissions. My review highlights the security concern of requesting this scope from all users, especially since the application also supports an alternative authentication method that doesn't require it. This violates the principle of least privilege. I have recommended either committing to a single authentication method or clearly documenting the security implications for administrators.

"chat": {}
},
"oauthScopes": [
"https://www.googleapis.com/auth/iam",
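Review bot: the new `"https://www.googleapis.com/auth/iam"` entry at the head of the `oauthScopes` array comes with no rationale anywhere in the change, and the pull request itself has no description. Because a manifest scope is requested from every user at authorization time regardless of which of the two flows in Credentials.gs they use, please state in the PR description, and in the sample's README or configuration notes, that this scope is needed only for the service account impersonation flow, so administrators who deploy with a service account key know they can drop the line. A short pointer to the narrower alternative in the same place would let reviewers confirm the scope is intentional rather than copied over.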


Label: security-high (severity: high)

The https://www.googleapis.com/auth/iam scope grants broad permissions to view and manage all of a user's Google Cloud IAM resources. Following the principle of least privilege, such a powerful scope should only be requested when strictly necessary.

The script in Credentials.gs supports two authentication methods:

  1. Service account impersonation (which requires this iam scope).
  2. Using a service account key (which does not require this scope).

By including this scope in the manifest, all users of the add-on will be prompted to grant this powerful permission, even if their configuration uses the service account key method. This leads to an over-provisioning of permissions for those users and increases the potential security risk.

To mitigate this, consider one of the following approaches:

  • Support only one authentication method (e.g., service account impersonation) to ensure the requested scope is always required.
  • If both methods must be supported, clearly document for administrators that this permission is only needed for the impersonation flow, and explain the security implications. This allows them to make an informed decision.
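The least-privilege point above can be turned into a repeatable check. The following is an added example, not code from the pull request, the project, or the reviewer: a small linter that parses an Apps Script manifest, reads the `oauthScopes` array, and reports any scope that the configured authentication method does not justify. The manifest content, the second scope, the `auth_method` names and the scope-to-method policy table are all constructed for this example; only the `https://www.googleapis.com/auth/iam` scope, the `oauthScopes` key and the impersonation-versus-key distinction come from the page.

```python
"""Lint an Apps Script manifest so broad OAuth scopes are only requested
when the authentication flow that needs them is actually configured.

Added example; the policy table and sample manifest are constructed,
not taken from the project under review.
"""
import json

# Scope named in the pull request and flagged by the reviewer.
IAM_SCOPE = "https://www.googleapis.com/auth/iam"

# Constructed policy (assumption for this example): which authentication
# method justifies which watched scope. Per the review, impersonation needs
# the iam scope and the service-account-key flow does not.
REQUIRED_BY_METHOD = {
    "impersonation": {IAM_SCOPE},
    "service_account_key": set(),
}

# Every scope that appears in any policy entry is "watched"; scopes outside
# this set are not judged by this linter.
WATCHED_SCOPES = set().union(*REQUIRED_BY_METHOD.values())

# Constructed manifest mirroring the shape of the hunk under review. The
# second scope is a placeholder, not the project's real scope list.
SAMPLE_MANIFEST = json.dumps({
    "chat": {},
    "oauthScopes": [
        IAM_SCOPE,
        "https://www.googleapis.com/auth/script.external_request",
    ],
})


def load_scopes(manifest_text):
    """Return the oauthScopes list from a manifest, or [] when absent.

    Raises ValueError for malformed JSON or a non-list oauthScopes value so a
    CI step fails loudly instead of silently passing an unreadable manifest.
    """
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"manifest is not valid JSON: {exc}") from exc
    scopes = manifest.get("oauthScopes", [])
    if not isinstance(scopes, list) or not all(isinstance(s, str) for s in scopes):
        raise ValueError("oauthScopes must be a list of strings")
    return scopes


def unjustified_scopes(manifest_text, auth_method):
    """Watched scopes present in the manifest that auth_method does not need.

    An empty result means every watched scope is justified by the configured
    flow; a non-empty result lists scopes users would be asked to grant even
    though the deployment never uses them.
    """
    if auth_method not in REQUIRED_BY_METHOD:
        raise ValueError(f"unknown auth method: {auth_method!r}")
    present = set(load_scopes(manifest_text))
    needed = REQUIRED_BY_METHOD[auth_method]
    return sorted((present & WATCHED_SCOPES) - needed)


def report(manifest_text, auth_method):
    """Human-readable verdict, suitable for printing from a CI job."""
    extra = unjustified_scopes(manifest_text, auth_method)
    if not extra:
        return f"OK: all watched scopes are required by {auth_method}"
    return (f"WARN: {auth_method} does not require {', '.join(extra)}; "
            "users will still be prompted to grant them")


if __name__ == "__main__":
    for method in REQUIRED_BY_METHOD:
        print(report(SAMPLE_MANIFEST, method))
```

Running the block against the sample manifest prints an OK line for the impersonation flow and a WARN line for the service-account-key flow, which is exactly the over-provisioning the review describes. Because Apps Script manifests cannot request scopes conditionally at run time, the check is most useful as a documentation aid: the deployment guide can state which method each watched scope belongs to, and this linter confirms the manifest matches the method an administrator has chosen.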

