I am trying to create a shared drive using below google api and the drives.create method.
https://www.googleapis.com/drive/v3/drives
But its giving me error as
"message": "The user does not have sufficient permissions for this file."
How can i achieve this ?
I suspect the most likely scenario is that you are using a service account to authorize your code, but you are not impersonating a Google Workspace user with domain-wide delegation.
Service accounts are basically consumer Drive accounts. They can use Drive, but they live in a space outside from your Google Workspace tenant. Only a licensed Google Workspace user can create a shared drive; service accounts can't. As a general rule, it is usually not a great idea to create Drive content as a service account.
See information about domain-wide delegation and a few code samples here: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
Related
I'm building a DAG that would upload files to Google Drive at the end, utilizing Airflow's GoogleDriveHook. As this is executed using a service account, I use my email as the delegate_to parameter, and enabled domain-wide delegation beforehand. Scope for the email is https://www.googleapis.com/auth/drive.file.
DAG would run just fine if the connection's scope is just that, however, since I use the same Airflow connection for other DAGs that utilizes other GCP services, I would have to use multiple scopes for that aforementioned connection.
For some reason, it would fail during upload on multiple scopes, spewing out:
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', '{\n "error": "unauthorized_client",\n "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."\n}')
Though having multiple Airflow connections is not much of a deal-breaker, I guess at this point I'm just curious to why this happens (Airflow 1.10.9)?
I use my email as the delegate_to parameter
Did you use a gsuite domain email?
Did you set up domain wide delegation in GSuite?
Delegate to only works with Gsuite domain emails.
If you want the service account to be able to access you personal non g suite google account. Then you will need to share a directory on your persona drive account and grant the service account access to that directory like you would any other user by sharing the directory with it.
Once files are uploaded they will be owned by the service account you will then need to ensure to insert permissions for that file so that your personal account will then have access to the files.
in my account the google drive api is disabled but still when I authenticate a thirdparty app using oauth2.0 it can access my drive files. Then what is the use of this enable api.
Cloud developer console is a place for developers to create applications. when you create a new application you must decide which APIs will be used by that application.
I authenticate a third party app using oauth2.0 it can access my drive files
Unless you are the developer of the third party application setting this will not have any effect on what applications created by other developers can do with your account. If you dont want them accessing your drive account then dont install any third party applications that request permission to access your drive account.
I am working on a application that is using google service account with domain wide delegation.
I don't want client to do setting of domain wide delegation and download private key. I could create private key using IAM api.
is there a way to achieve domain wide delegation also via API ?
Thanks
Google's IAM API is part of their Google Cloud API's. As far as I'm aware, there is no equivalent API for standard Google developer project IAM, which is where you would do anything around projects targeting G Suite API's (and the only place where there is a Domain Wide Delegation setting for a service account, AFAIK).
You can grant a service account permission at the Organization level in Google Cloud, but I'm not sure whether that has any effect on the GSuite access controls, as nferrell mentions.
I have a Google Marketplace app that uses a service account for access user's drive account. It requires domain wide grants,
As per the doc here:
https://developers.google.com/+/domains/authentication/delegation
"""
If the service account is listed as an app on the Google Apps Marketplace, then domain-wide access to user data is granted during the installation of that app.
"""
However I cannot find a way to specify the service account id in my app, how do I make sure that the service account is indeed granted privileges when the admin installs the app
You just need to use service account when authenticating & authorizing your app to access Drive API.
https://developers.google.com/drive/web/service-accounts explains the process pretty well along with a sample.
Using a server application with C#, how is it supposed to work when accessing users in the same domain if the authentication is only possible using:
OAuth2Authenticator interface?
I'm able to access the admin of the domain's Drive, but I'm missing the 3 legged OAuth in 2.0.
Looking at this description found at this link: https://developers.google.com/drive/delegation
Since this is not executed as a Service, and is not using Google Apps and cannot then
access: https://www.google.com/a/cpanel/mydomain
Also the IP is not known from where the machine running the server-application.
Currently I'm using: "Client ID for installed applications", and it works. But what I need is to also store files in other users in the same domain.
A other solution that works temporarily is to first store them at the admin domain account and then move them to the user domain account. But this removes the possibility to direct it to a parent/folder at the end user's drive. It will always be stored in root for that end user.
Basically what I want is following:
A Server application is running on a local machine (admin domain account can be used)
The application upload files to different users that are in the same domain, but with their own email address and also then have their own Drive.
Yes, you can do that through 2 legged oauth, which can provide domain-wide authorization.
Here are some links for your reference:
https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth
http://support.google.com/a/bin/answer.py?hl=en&answer=2538798