
What is Google Apps Manager (GAM)? Our experience in deploying GAM in a secure way

Have you heard of GAM? It is a powerful tool that allows you to govern your Google Workspace environment through a command line. This blog post shares Devoteam's experience in deploying GAM in a secure way.

This article is written by Brecht Sannen, Solution Engineer Google Workspace at Devoteam G Cloud Belgium

Letting Loose Google Apps Manager (GAM) in a secure way

Have you heard of GAM? It is a very powerful tool that allows you to govern your Google Workspace environment through a command line. Companies use GAM for actions ranging from creating users to administering mail delegations. But with great power comes great responsibility, and the goal of this blog post is to share our experience in deploying GAM in a secure way.

What is GAM and what can you use it for?

GAM, short for Google Apps Manager, is an API wrapper for the Google Workspace APIs developed by Jay0lee. It wraps the API calls in commands so that the APIs become easier to use. This, in turn, is why it is so widely used for executing administrative tasks; it even gets referenced on Google support pages nowadays. At Devoteam G Cloud we mainly use this tool for actions such as listing all shared drives, listing all files that are shared externally, listing all mail delegations, listing all groups and their settings, and so on.

There are multiple versions of GAM, and we usually recommend using the advanced GAMADV-XTD3 developed by Ross Scroggs, as it comes with additional features that might be needed for certain actions (e.g. modifying the GAL or deploying multi-domain GAM). There is a Google Site about GAMADV-XTD3 that is extremely valuable when it comes to creating a script that works for you.

Risks when using GAM

The main risk when you are using GAM is that you need a service account and an accompanying JSON key to make the necessary API calls to your Google Workspace domain. Once you create that key, it stays valid until you delete it from the service account in your GCP project. So keep your keys somewhere secure!

Furthermore, when a call is made on behalf of a user in your domain, you cannot see that the call was made with a tool like GAM. In the audit log, the action you performed with GAM appears as if the user performed it themselves. This is why it is paramount that you know exactly who is using GAM and why.

Secure ways to deploy & use GAM

When it comes to deploying GAM in a secure way, we recommend two methods:

Run GAM on a dedicated Virtual Machine

Running GAM on a dedicated VM is one way to make sure it is only accessible to the relevant parties. If you have GCDS (Google Cloud Directory Sync) in your environment, you can run the GAM instance on that Windows server. You can also set up a dedicated Linux VM to run GAM. The upside of working this way is that you can give the device a static IP. This means that in the audit log, based on that specific static IP, you know the calls are coming from that GAM instance.

The downside of this way of working is that you need secure access to this device. If you access it through RDP, consider restricting which IP addresses are able to connect to your server. If you access it through SSH, think about limiting network access to the device or setting up a strong password. All in all, the catch is that you are managing yet another machine for yet another application.

Paranoia aside, when you run GAM on a shared VM it is possible that somebody copied the OAuth key and used it somewhere else. That is why it is important to rotate your service account keys, so that old keys are revoked. You do this by scheduling the command “gam rotate sakey” every, let’s say, 6-12 hours.
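Bringing the points above together (keep the JSON key locked down, know which operator ran which GAM command since the Workspace audit log only shows the impersonated user, and rotate the key on a schedule), here is an added wrapper script for a dedicated Linux VM. It is not part of GAM or of Devoteam's tooling; the key path, the 12-hour threshold, the audit log location and the `gam` binary location are assumptions that can be overridden with environment variables.

```shell
#!/bin/sh
# Wrapper for GAM invocations on a dedicated VM (added example, not GAM's own code).
# Assumed defaults (hypothetical): binary in $GAM_BIN, service account key in
# $GAM_KEY, rotation via "gam rotate sakey" once the key is older than
# $MAX_KEY_AGE_HOURS, local operator log in $GAM_AUDIT_LOG.
GAM_BIN="${GAM_BIN:-gam}"
GAM_KEY="${GAM_KEY:-$HOME/bin/gamadv-xtd3/oauth2service.json}"
MAX_KEY_AGE_HOURS="${MAX_KEY_AGE_HOURS:-12}"
GAM_AUDIT_LOG="${GAM_AUDIT_LOG:-$HOME/gam-usage.log}"

# Epoch seconds of the key file's last modification (GNU stat, BSD fallback).
key_mtime() {
  stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Returns 0 if the key is owned by the caller and readable only by the owner.
check_key_perms() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  owner=$(stat -c %U "$1" 2>/dev/null || stat -f %Su "$1")
  [ "$owner" = "$(id -un)" ] || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if the key is at least $2 hours old, measured against $3 (default: now).
rotation_due() {
  now="${3:-$(date +%s)}"
  age_s=$(( now - $(key_mtime "$1") ))
  [ "$age_s" -ge $(( $2 * 3600 )) ]
}

# Local audit line: the real login that ran GAM (not the impersonated Workspace
# user the Google audit log shows) plus the full command.
audit_line() {
  printf '%s user=%s cmd=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SUDO_USER:-$(id -un)}" "$*"
}

run_gam() {
  check_key_perms "$GAM_KEY" || { echo "refusing to run: $GAM_KEY must be mode 600 and owned by you" >&2; return 2; }
  if rotation_due "$GAM_KEY" "$MAX_KEY_AGE_HOURS"; then
    # gam rotate sakey replaces the key; touch so the mtime marks the last rotation
    "$GAM_BIN" rotate sakey && touch "$GAM_KEY"
  fi
  audit_line "$@" >> "$GAM_AUDIT_LOG"
  "$GAM_BIN" "$@"
}
```

Source this file from your operators' shell profile and run `run_gam print users` instead of calling `gam` directly; a cron entry calling `run_gam info domain` every few hours keeps the rotation check firing even on idle days.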

Run GAM on Cloud Shell

You can put your GAM instance on Google Cloud Platform with Cloud Shell. Cloud Shell is an online terminal that helps you manage your infrastructure. Running GAM on Cloud Shell is our preferred solution, as it keeps the GAM instance locked behind your Google account and no extra machine patching or hardening needs to happen.

With GAM in Cloud Shell, your GAM instance sits behind your Google account alone, with no additional infrastructure needed. For more information on how to install GAMADV-XTD3 on Cloud Shell, please check out this link.

GAM in a nutshell:

To give you a recap, and for the TL;DR readers, below are the three topics you should keep in mind when using GAM:

  • Use GAM to your advantage when it comes to bulk actions in your admin console.
  • Understand the risks when using GAM
  • With great power comes great responsibility, so use it securely
