I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shutdown on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user#xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further user#xyz.com is an owner of my appengine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user#xyz.com
Related
I created a service account to use Gooogle Drive API's to store and retrieve data in the Drive. I used PyDrive Package to make this process simpler. The problem is the data gets stored in the service account, is there a way to store it in my user account? The service account only offers 15GB storage space, so it would be nice to store it in my User account.
PyDrive can be used to directly same to my user account but it requires a human intervention for authorization. This is not feasible since a cron job is used to store the files.
Any answers are welcome, thanks in advance!
It is not possible to use the "user account" storage for regular accounts. In the Google documentation they mention:
"Typically, an application uses a service account when the application uses Google APIs to work with its own data rather than a user's data. For example, an application that uses Google Cloud Datastore for data persistence would use a service account to authenticate its calls to the Google Cloud Datastore API.
G Suite domain administrators can also grant service accounts domain-wide authority to access user data on behalf of users in the domain."
Exist a Gmail Rest API in order to search by the users messages of a particular domains mailboxes?
A practical example is that a backend service after authentication via OAuth can search messages in different domains mailboxes of others users.
I'm not able to find the right Google API for perform this type of research.
Someone know a solution for this ?
There is no concrete way to search across all mailboxes in a domain. You would need to enumerate the mailboxes (e.g. using the admin SDK directory API), then for each one perform the search there. Obviously, your app will need permissions to query admin SDK to get list of users in the domain and then permissions for each individual mailbox--the easiest way is to setup a service account and get it whitelisted for the entire domain for those scopes in domain cpanel. See:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset
For more info about how to do the auth domain-wide which can be used with the Gmail API.
Is it possible to limit my endpoints api to my organization's Google accounts?
P.D.
I do not have access to the Administrator account.
Thanks
You could protect your API method by injecting the User object. Now, when the API Method is invoked, you can check for the User object and get the Email Addresses and Authenticating Domain to perform your check and move ahead in your API Method.
Looking for the best current approach for admins of a Google Apps domain to modify the permissions of a Google Drive object owned by other users. I'll be developing the app on Google App Engine.
It was straightforward using 2 legged OAuth and the Google Documents List API: https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth but now that Google Drive SDK is the live API, I see that service accounts are the encouraged method: Does google Drive api support 2 legged oauth? and https://developers.google.com/accounts/docs/OAuth2ServiceAccount . So I'm following an example that uses this approach and the Prediction API: https://developers.google.com/appengine/articles/prediction_service_accounts and you cannot use the GAE service account in the Team section of the API console. Get an error: "User xxx#appspot.gserviceaccount.com may not be added to project "New Proj Name". Only members from domain myappsdomain.com may be added.
So, I'm basically asking:
1) How do you use service accounts with Google Drive SDK for admin tasks like changing permissions
2) And any working GAE service account tutorials using the Drive API that work with non-domain users.
The documentation about Service Accounts and user impersonation has just been added:
https://developers.google.com/drive/service-accounts
https://developers.google.com/drive/user-impersonation
Unfortunately, App Engine Service Accounts are not supported by Google Drive yet.
In Google App Engine, you can create User objects with any email adress. These accounts will just not be conected with a google account. Is there a way to set the current user to such a user, without rolling my own session management, or using sessions from webapp2?
App Engine Users API support Google Account or OpenID identifier.
If you need something different you have to implement users management yourself (or using a third party library like webapp2.extras)