from google website:
Delegating domain-wide authority to the service account
If your application accesses user data, the service account that you created needs to be granted access to the Google Apps domain’s user data that you want to access.
The following steps must be performed by an administrator of the Google Apps domain:
Go to your Google Apps domain’s Admin console.
Select Security from the list of controls.
If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
Select Show more and then Advanced settings from the list of options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID.
Question: what is this equal to? I am using service account that comes with google appengine, not a manually created service account
In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
Click Authorize.
Answer for 2019
(Just figured this out myself, so I hope this is accurate. )
Go to Google APIs, then under the Service Accounts section, click on the service account you wish to get the ID from and open its properties.
(image) Step 1: Google APIs > Service Accounts
Afterwards, click the View domain wide delegation ID . This will open a popup sidebar with displaying the ID.
(image) Step 2: Delegation ID
You cannot have a Client ID related to an App Engine application, You need to create a Credential from the related page.
Go to https://cloud.google.com/console and select your project.
Go to the section APIs & Auth and the Credentials.
Or you can go directly from this url
https://console.developers.google.com/project/{your project name}/apiui/credential
Select Create new Client ID
and then select Service Account as Application type
You have now a Client ID to configure in ther Apps Dashboard
From looking at the credential file I downloaded when creating my service account, looks like the 'client id' may be the same as the 'unique id' of the service account. thanks, google :(.
Related
I'm trying to use the googleapiclient Python SDK to create a domain mapping for my App Engine app. I'm using the "App Engine default service account" to authenticate, which works (I can get the list of domain mappings). However, when I try to create a mapping, I get the following error:
Caller is not authorized to administer the domain 'abc.[mydomain]'. If you own 'abc.[mydomain]', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=abc.[mydomain]. We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').
The same call works in the API Explorer without any issues.
I tried giving the service account the Owner role in the IAM console, to no avail.
(I haven't tried running it from within App Engine; presumably that works, but I'd really like to be able to test this part of my app locally.)
Thanks to John Hanley for pointing me in the right direction.
Go to the Google Search Console and sign in
Navigate to "Settings" (towards the bottom of the menu)
Select "Users and Permissions"
Click the "more" (three vertical dots) button next to your email address, then "Manage property owners"
Choose your domain from the list
Click "Add an owner" at the bottom of the page
I need a third-party to upload some files to a Google Cloud Storage bucket. What is the best (or easiest) way to give them access?
The first two methods require that the user have a valid Google Account. I am ignoring Google Identity Platform in this answer. If the user has a Gmail Account, then this means they also have a Google Account. The third method uses a Google Service Account.
Method 1: Use the Google Cloud Storage Console:
Go to Storage -> Browser.
Check the desired bucket. In the right side panel under permissions, click the Add button.
Add the user's Google Account email address. Select Storage Object Creator.
The role granted is roles/storage.objectCreator. This role grants the user permissions to create objects in the bucket but the user cannot delete or overwrite objects.
Link to Cloud Storage Roles
Method 2: Use the gsutl CLI:
gsutil iam ch user:username#example.com:ObjectCreator gs://examplebucket
Link to gcloud IAM
Command to read the current bucket IAM policy:
gsutil iam get gs://examplebucket
Method 3: Use a Google Service Account
Create a Google Service Account in the Google Cloud Console
Go to IAM & admin -> Service accounts
Click CREATE SERVICE ACCOUNT
Enter a Service account name and Service account description
Click CREATE
In the next screen Service account permissions, select a role.
Select Storage -> Storage Object Creator
Click CONTINUE
Click Create key
Check the JSON radio button for the Key type
Save the json file to your local computer.
You now have Google Service Account credentials that can be setup with gsutil, gcloud and software programs.
Setting up gcloud with Service Account Credentials
The way you grant access to your third-party Customers to upload files to a Google Cloud Storage bucket would differ from one programming language to another. In PHP, you would write something like:
$options = ['gs_bucket_name' => $my_bucket];
$upload_url = CloudStorageTools::createUploadUrl('/upload/handler', $options);
and get an upload URL as a result. You may find more detail on this solution in the "Allowing Users to Upload Files" online document.
I have an node.js application with a working server2server GMail API communication via an service_account.
Everything works fine.
To be able to communicate with a users account, the G Suite Admin has to grant API Acess to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible, to grant access only to specific organizationals units (OUs) and it would be more fancy to use (enabling a marketing place app is more user friendly than configuring API Access for ClientID and Scope manually like here:
)
Now my question: Is it possible to provide a Marketplace App only for the purpose to grant API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?
Yes it is a working way to create a marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is, that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient)
I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shutdown on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user#xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further user#xyz.com is an owner of my appengine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user#xyz.com
I've set up an AppEngine account using Google Apps Authentication and I've resigned myself to the fact that it can't be changed. But can you switch the domain that it's bound to?
UPDATE
Forgot one point. We've already added users from the new domain as AppEngine administrators and we're able to log into the AppEngine console with them. But there are certain URLs in the app itself (e.g. cron jobs/task queues) that we've restricted to access by admins only. When we try to access them, we are directed to the domain-specific AppEngine page (i.e. http://appengine.google.com/a/myolddomain.com) to log in. When I update the URL to the new domain, I can log in but then I get a page saying "The page is requesting permission to access your Google account. Select an account you would like to use." And there are no options in the list to select. I can click Continue but then I'm redirected back to the login page for the old domain again.
No. If you created an app with Google Apps authentication, it is tied to that domain to authenticate against forever. This only matters if you're using the Users API, of course.
Yes you can switch to another domain. App Engine is a service in your apps domain. Because it is a service, I think you can add the same appspot service to multiple apps domains.