62 Config-as-code with reconciliation
The tenant's security settings are kept as desired state in a reviewed git repository — GAM batch files, Policy API JSON — and a scheduled reconciler fetches live state, diffs it against the repo, and either reports or converges. A delta git did not author is either an outage or an intruder. The reconciler runs as a service account bound to a custom role scoped to exactly the settings it manages — never Super Admin for Admin SDK work. Policy API reads are the exception: only a super administrator can use the Cloud Identity Policy API, so that portion needs a separately scoped super-admin credential.
Caveats
Setup steps
-
- One repo, reviewed PRs, tagged releases
the source of truth
- open ↗

https://admin.google.com/ac/list/roles · captured 2026-07-15
Account › Admin rolesCustom role = only the privileges under management; never Super Admin
Assign specific admin roles ↗ Create, edit, and delete custom admin roles ↗
- open ↗

https://admin.google.com/ac/owl/domainwidedelegation · captured 2026-07-15
Security › Access and data control › API controls › Manage Domain Wide DelegationDWD list: Admin SDK reconciler's client id = absent (it authenticates as itself with the role from step 2); Policy API reads use a separate super-admin DWD credential
-
Mode = report-only first; converge only after a clean dry-run streak
-
Ongoing maintenance
- automatable: script Per schedule: run the reconciler and commit the state.
- automatable: AI agent Per diff: review whether it is sanctioned change or drift.
How to verify
Run the reconciler in dry-run mode against the live tenant — zero diff means the code matches reality; any diff is either drift or an undocumented change.
v0.1.3Prevent policy #27 · #34, #32 ↗