How to share a private google doc with an appengine app - google-app-engine

I have a document (it's actually a fusion table) stored in my private Google Drive.
I would like to share the document with a web application running on Google App Engine. I would like to enter the link to the document into the app and have it read the document using the fusion-table API.
However, I don't want to publish the document to be visible to anyone who has the link.
Can the application access the document with its own service account?
Each App Engine app has a Service Account, like: 123456789@developer.gserviceaccount.com
If I share my document with the service account, then can the app 'read' the document?
If yes, then are there any risks to the system admin from publishing the service account's email address so users can share with the app but not anyone with the link?

Yes, you can share with the application's service account, and the application will be able to read the file.
I do not see any risk related to sharing the service account's email, but it might be a bit tedious for the user to copy/paste a complicated email into the Fusion Tables UI.

Related

Create Google Marketplace App only to grant API access to service_account (GSuite)

I have a Node.js application with working server2server Gmail API communication via a service_account.
Everything works fine.
To be able to communicate with a user's account, the G Suite Admin has to grant API Access to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible to grant access only to specific organizational units (OUs), and it would be more fancy to use (enabling a Marketplace app is more user friendly than configuring API Access for ClientID and Scope manually like here: )
Now my question: Is it possible to provide a Marketplace App only for the purpose of granting API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?

Yes, it is a working way to create a Marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient).

App to Access Google Analytics

I am a bit lost on whether it is possible to create an App with Google that will be able to access Google Analytics data of a GA user who permits the app access. Note that I am not looking to access my own data, but data for a number of clients who want to utilize the app to download their Google Analytics reports. Here is what I am looking to accomplish as an end result:
User logs into website
User is asked to approve app access to GA data with a form/button
User approves the access (or gives the app a Token, not sure about the workflow)
The app queries Google Analytics data on user's behalf and shows him the report
Can this be done and how? Could one create a Google app, go through the App Review process and then have a working solution for a multitude of clients/customers who can use my app to download the reports?

Trying to understand if I need to give domain-wide authority to my appengine service account so that it can access data on Google Drive

I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shut down on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user@xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further, user@xyz.com is an owner of my appengine app.

Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user@xyz.com
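
As an added example (not from the original answers and not Google's own code), this Python code builds the JWT claim set a service account presents to Google's token endpoint in the two cases discussed on this page: acting as itself on a file shared with its address, and acting as a domain user through domain-wide delegation via the `sub` claim. The RS256 signature is left to the auth library; the function names and the `drive.readonly` scope are choices made for this example.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def b64url(data):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, scopes, subject=None, now=None, lifetime=3600):
    """Claim set of the service-account token request.

    subject=None: the token acts as the service account itself, so it reaches
                  only files explicitly shared with that address.
    subject=user: domain-wide delegation; the token acts as that user, limited
                  only by the scopes authorized for the Client ID.
    """
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else now
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URI,
              "iat": now, "exp": now + lifetime}
    if subject is not None:
        claims["sub"] = subject  # the impersonated user
    return claims


def signing_input(claims):
    """header.payload string that is then signed with the account's private key."""
    parts = ({"alg": "RS256", "typ": "JWT"}, claims)
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)


def acts_as(assertion):
    """Audit helper: whose Drive permissions would this assertion carry?"""
    payload = assertion.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("sub", claims["iss"])


if __name__ == "__main__":
    SA = "123456789@developer.gserviceaccount.com"  # address form used on this page
    shared = build_claims(SA, ["https://www.googleapis.com/auth/drive.readonly"])
    delegated = build_claims(SA, ["https://www.googleapis.com/auth/drive"], subject="user@xyz.com")
    for c in (shared, delegated):
        print(acts_as(signing_input(c)), "->", c["scope"])
```

With per-file sharing, a leaked key exposes only what users chose to share with the service account; with delegation, the same key can act as any user in the domain within the authorized scopes, so that scope list should be kept as narrow as the application allows.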

Update google spreadsheet using python client API on GAE app

I've got a google spreadsheet owned by a GAE service account and I want my GAE Python app to update a cell in one of the rows.
Based on some reading, these are my findings:
The spreadsheets service is old-school. It's a Google Data API and most Google services are now on the Google API platform. For Google API services, one can use a service account to do two-legged oauth2 access, but not for Google Data API services. Oh, it seems one can do two-legged oauth on Google Data API services, but only if the app is on a Google Apps domain (which mine isn't).
I could implement a similar effect (i.e. a user of the app can use data in my spreadsheet and doesn't need to login or authorize in any way) by using my personal account. There's a complicated way that involves me authorizing the app once, storing the token and reusing it when a user uses the app. There's another way, which is to use client login (i.e. I embed my personal login and password in the code and use it to authorize the app to access the data in my spreadsheet).
This latter approach seems fairly safe as well, but of course I must be very careful that my source code will not be exposed. The authorization is between the GAE app and the Google Data Spreadsheets API, so the actual user's machine is not involved at all.
My spreadsheet is owned by the service account and shared with my personal account.
Note that my app is also using the Google Drive API (to access some personal Drive files, also shared between me and the GAE service account), so for that it will authorize using the service account.
Can someone confirm that my findings are correct and this approach is sound?

You can use gdata.spreadsheets.client (Google Data API) on the OAuth2 (Google API platform) flow.
https://github.com/HatsuneMiku/googleDriveAccess
It uses 'oauth2client-gdata-bridge'.

How to authorize Google app on an API Project in a specific domain

I am trying to take a GAE app and have it upload logging data, in CSV format, into Google Storage, and then into Big Query (via an upload job). The documentation says that the proper way to authorize a GAE app to have write permission in an API project is to add the GAE application as a team member in the API project.
However, there is a domain restriction in the API Team panel that makes it impossible for us to add the '@appspot.gserviceaccount.com' address that the documentation says we need to. I talked with our IT department (who set up the API Project to begin with) and they aren't sure how to circumvent that restriction.
I must be missing something, but how should we authorize our GAE App to push data into our API Project when we cannot add the account in this manner?
Thanks.

Create a Google group on your domain.
Add that group email address to the team editors in your Google Developers project.
Then add the Google App Engine application email address to that Group.
You might have to wait a short time before the permissions kick in.
