I just received an email from Google about changes to service accounts.
My interpretation is that new service accounts made after 15 April 2025 will no longer be able to own drive items. Old service accounts will be unaffected.
This means that new service accounts
- don't get their 15 GB of storage (as they can't own any items)
- can't upload to a my drive unless you are using the `--drive-impersonate` flag (as all things in a my drive have to be owned by someone)
- can upload to a shared drive (as everything in the shared drive belongs to the shared drive)
I think that this likely won't affect rclone users much but I'm not sure. Do many people use service accounts to upload to a my drive?
Here is the email in full (without links as they were all tracking links!)
Subject: [Action Advised] Review the creation of new Google Cloud IAM service accounts using Workspace Storage
Hello Google Cloud customer,
We're writing to inform you about upcoming changes to how Google Cloud Identity and Access Management (IAM) service accounts interact with Google Workspace Storage. You are receiving this message because your organization may have used these accounts with Workspace APIs or Workspace Storage.
Previously, Google Cloud IAM service accounts had access to 15 GB of Google Workspace Storage. However, because they aren't directly managed by administrators, any new service accounts created after April 15, 2025, won't receive this storage. Existing service accounts created before this date will retain their storage.
We’ve provided additional information below to guide you through this change.
What you need to know
Starting April 15, 2025 for new Service Accounts:
New service accounts will not be able to own any Drive items.
At this time, Google Workspace will maintain access to the My Drive of pre-existing service accounts to allow customers to keep existing internal workflows and services that rely on this storage without needing to migrate to other methods for automatic item creation.
Note: Items directly owned by service accounts do not adhere to the Google Workspace admin settings and policies since service accounts are not managed users within your Google Workspace domain.
What you need to do
We recommend that you migrate workflows and services using the Drive storage of existing service accounts for governance and security purposes.
To be able to upload items to Drive with service accounts created after April 15, 2025:
- Upload items to Shared Drives
- Set up OAuth consent to upload items on behalf of a human user
- Use impersonation via domain wide delegation
We’re here to help
We understand that making this change may require some planning. If you have any questions or require assistance navigating this change, please feel free to contact Google Workspace support or review the Workspace Help Center.
Thanks for choosing Google Cloud.
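
As an added illustration (not part of the original post or of Google's email), the two service-account options that map directly onto rclone's drive backend could look like this in `rclone.conf`. The remote names, key file path, shared drive ID and user address are placeholders.

```ini
# Added example: rclone.conf sketch for a service account that cannot own Drive items.
# All values below are placeholders, not taken from the post.

# Option 1: upload into a shared drive.
# Items belong to the shared drive, so the service account never owns them.
# The service account's email address must be added as a member of the
# shared drive with a role that allows adding files.
[gdrive-shared]
type = drive
scope = drive
service_account_file = /path/to/service-account.json
team_drive = SHARED_DRIVE_ID_PLACEHOLDER

# Option 2: impersonate a human user via domain-wide delegation.
# Items land in that user's My Drive and are owned by the user, so
# Workspace admin policies apply to them.
# A Workspace admin must first authorise the service account's client ID
# for the Drive scope under domain-wide delegation.
# Equivalent to passing --drive-impersonate on the command line.
[gdrive-impersonate]
type = drive
scope = drive
service_account_file = /path/to/service-account.json
impersonate = user@example.com
```

A remote that sets only `service_account_file`, with neither `team_drive` nor `impersonate`, targets the service account's own My Drive, which is the case the email says stops working for accounts created after April 15, 2025.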