I am a bit lost on whether it is possible to create an App with Google that will be able to access Google Analytics data of a GA user who permits the app access. Note that I am not looking to access my own data, but data for a number of clients who want to utilize the app to download their Google Analytics reports. Here is what I am looking to accomplish as an end results:
User logs into website
User is asked to approve app access to GA data with a form/button
User approves the access (or gives the app a Token, not sure about the workflow)
The app queries Google Analytics data on user's behalf and shows him the report
Can this be done and how? Could one create a google app, go through the App Review process and then have a working solution to for multitude of clients/customers who can use my app to download the reports?
Related
I am working on creating 2 app services in Azure. 1 web app and 1 web api.
My goal is to sign in users to their personal or Office 365 school or work account, and let the api access their personal account data, like the calendar.
However, it's the web app that signs in the users because I need a web site (GUI) to let them do that. The web app will display a sign in prompt, letting users sign in.
How can I then let the web api (a different app service) get access to their personal data when it's the web app that signs them in?
My plan was to sign them in through the web app, and then share the access token with the api which resides in a different app service. In that way I figured the api would have access. I hope this work, but I started thinking the api might not get access if the token is made only to let the web app (site) get access.
Is it possible to prompt the users to consent to 2 different app services getting access to their data?
Your scenario seems like web application signing in users, calling a Web API with the user's identity.
You can refer to this document for the detailed steps.
I would like to have an app deployed in App Engine to display information which are stored in BigQuery or Cloud Storage, but only if the user is authenticated in the webapp AND its permissions as set in IAM allow it.
So far, I can authenticate a user in App Engine through "Google Sign-In" as seen in https://cloud.google.com/appengine/docs/standard/python/oauth/, but those credentials don't seem to relate to those that are set in Cloud IAM.
I've seen how to set credentials for App Engine as a whole though a service account, but that seems to wide.
What I really want is to authenticate users on the web app, and then let IAM decide if those users are allowed to access data or not.
How would you proceed to do that?
Thanks for any help
The authenticating as an end user GCP documentation explains how to limit access to the project's resources using Cloud IAM. It also has a short example about authenticating an end user to call the BigQuery API.
I have a document (its actually a fusion table) stored in my private Google Drive.
I would like to share the document with a web application running on google app engine. I would like to enter the link to the document into the app and have it read the document using the fusion-table API.
However, I don't want ro publish the document to be visible to anyone who has the link.
Can the application access the document with its own service account.
Each App Engine app has a Service Account, like: 123456789#developer.gserviceaccount.com
If I share my document with the service account, then can the app 'read' the document?
If yes, then are there any risks to the system admin from publishing the service account's email address so users can share with the app but not anyone with the link?
Yes, you can share with the application's service account, and the application will be able to read the file.
I do not see any risk related to sharing the service account's email, but it might be a bit tedious for the user to copy/paste a complicated email into the Fusion Tables UI.
I've got a google spreadsheet owned by a GAE service account and I want my GAE Python app to update a cell in one of the rows.
Based on some reading, these are my findings:
the spreadsheets service is old-school. It's a Google Data API and most Google services are now on the Google API platform. For Google API services, one can use a service account to do two-legged oauth2 access, but not for Google Data API services. Oh, it seems one can do two-legged oauth on Google Data API services, but only if the app is on a Google Apps domain (which mine isn't)
I could implement a similar effect (i.e. a user of the app can use data in my spreadsheet and doesn't need to login or authorize in any way) by using my personal account. There's a complicated way that involves me to authorize the app once, store the token and reuse it when a user uses the app. There's another way, which is to use client login (i.e. I embed my personal login and password in the code and use it to authorize the app to access the data in my spreadsheet)
This latter approach seems fairly safe as well, but of course I must be very careful that my source code will not be exposed. The authorization is between the GAE app and the Google Data Spreadsheets API, so the actual user's machine is not involved at all.
My spreadsheet is owned by the service account and shared with my personal account.
Note that my app is also using the Google Drive API (to access some personal Drive files, also shared between me and the GAE service account), so for that it will authorize using the service account.
Can someone confirm that my findings are correct and this approach is sound?
You can use gdata.spreadsheets.client (Google Data API) on the OAuth2 (Google API platform) flow.
https://github.com/HatsuneMiku/googleDriveAccess
It uses 'oauth2client-gdata-bridge'.
I am trying to take a GAE app and have it upload logging data, in CSV format, into Google Storage, and then into Big Query (via an upload job). The documentation says that the proper way to authorize a GAE app to have write permission in an API project is to add the GAE application as a team member in the API project.
However, there is a domain restriction in the API Team panel, that makes it impossible for us to add the '#appspot.gserviceaccount.com' address that the documentation says we need to. I talked with our IT department (who setup the API Project to being with) and they aren't sure how to circumvent that restriction.
I must be missing something, but how should we authorize our GAE App to push data into our API Project when we cannot add the account in this manner?
Thanks.
Create a Google group on your domain.
Add that group email address to the team editors in your Google Developers project.
Then add the Google App Engine application email address to that Group.
You might have to wait a short time before the permissions kick in.