无法使用服务帐户查看 gSuite 文件
Unable to see gSuite Files with service account
问题: 我已经创建了一个服务帐户来与我的组织的 Google 驱动器和电子表格文件进行交互 - 我能够成功地创建到 google 驱动 API。但是,我唯一可以访问的文件是这个样板文件:
=> [#< GoogleDrive::File id="aSdsefooovjTnulaRlclbarrr" title="Getting started">]
您认为我缺少什么级别的权限?
我唯一的想法是,还有一些其他顶级权限从组织外部隐藏文件。即使服务帐户在文件上明确共享?如果有任何迹象,当我与服务帐户共享时它确实会这样说。
可能与此文档中的以下图片有关?
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
我已经完成的步骤..
1) I created a Service account with Domain wide delegation, and project edit status.
2) I have invited that service accounts email to the sheets I want it to have API access to
3) I had a gSuite admin of my org has added this Service Account's client_id to the / Security / Manage API Client Access.. with the scopes -> https://www.googleapis.com/auth/drive, https://spreadsheets.google.com/feeds
已经尝试了我在所有文档/教程中可以找到的所有组合。这是我的连接代码,基于 https://www.twilio.com/blog/2017/03/google-spreadsheets-ruby.html。尝试传递 client_secret.json 中的范围。尝试使用服务帐户的 iam 角色工具。
session = GoogleDrive::Session.from_service_account_key("client_secret.json")
{
"type": "service_account",
"project_id": "gdrive-1231233",
"private_key_id": "food87c0bar16da9bfoooooo677bar",
"private_key": "-----BEGIN PRIVATE KEY-----\nsssEIEvQfooobarrrytyeho=\n-----END PRIVATE KEY-----\n",
"client_email": "servicebot@gdrive-foobar.iam.gserviceaccount.com",
"client_id": "foo40990211bar",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_foox_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_foox_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/servicebot%40gdrive-foobar.iam.gserviceaccount.com"
}
#<GoogleDrive::Session:0v3fc6c3e25061>
结果证明我可以用来查找显式电子表格的唯一方法是 spreadsheet_by_url -- .files .spreadsheets .find_by_guid 等.. 全部返回 nil。但通过 url 搜索直接返回的文件并允许我读/写。
session = GoogleDrive::Session.from_service_account_key("client_secret.json")
session.spreadsheet_by_url(ENV['GOOGLE_DATA_DUMP_URL'])
worksheet = spreadsheet.worksheets[0]
问题: 我已经创建了一个服务帐户来与我的组织的 Google 驱动器和电子表格文件进行交互 - 我能够成功地创建到 google 驱动 API。但是,我唯一可以访问的文件是这个样板文件:
=> [#< GoogleDrive::File id="aSdsefooovjTnulaRlclbarrr" title="Getting started">]
您认为我缺少什么级别的权限?
我唯一的想法是,还有一些其他顶级权限从组织外部隐藏文件。即使服务帐户在文件上明确共享?如果有任何迹象,当我与服务帐户共享时它确实会这样说。
可能与此文档中的以下图片有关?
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
我已经完成的步骤..
1) I created a Service account with Domain wide delegation, and project edit status.
2) I have invited that service accounts email to the sheets I want it to have API access to
3) I had a gSuite admin of my org has added this Service Account's client_id to the / Security / Manage API Client Access.. with the scopes -> https://www.googleapis.com/auth/drive, https://spreadsheets.google.com/feeds
已经尝试了我在所有文档/教程中可以找到的所有组合。这是我的连接代码,基于 https://www.twilio.com/blog/2017/03/google-spreadsheets-ruby.html。尝试传递 client_secret.json 中的范围。尝试使用服务帐户的 iam 角色工具。
session = GoogleDrive::Session.from_service_account_key("client_secret.json")
{
"type": "service_account",
"project_id": "gdrive-1231233",
"private_key_id": "food87c0bar16da9bfoooooo677bar",
"private_key": "-----BEGIN PRIVATE KEY-----\nsssEIEvQfooobarrrytyeho=\n-----END PRIVATE KEY-----\n",
"client_email": "servicebot@gdrive-foobar.iam.gserviceaccount.com",
"client_id": "foo40990211bar",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_foox_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_foox_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/servicebot%40gdrive-foobar.iam.gserviceaccount.com"
}
#<GoogleDrive::Session:0v3fc6c3e25061>
结果证明我可以用来查找显式电子表格的唯一方法是 spreadsheet_by_url -- .files .spreadsheets .find_by_guid 等.. 全部返回 nil。但通过 url 搜索直接返回的文件并允许我读/写。
session = GoogleDrive::Session.from_service_account_key("client_secret.json")
session.spreadsheet_by_url(ENV['GOOGLE_DATA_DUMP_URL'])
worksheet = spreadsheet.worksheets[0]