Google Drive changing permissions by service account - google-app-engine

Looking for the best current approach for admins of a Google Apps domain to modify the permissions of a Google Drive object owned by other users. I'll be developing the app on Google App Engine.
It was straightforward using 2 legged OAuth and the Google Documents List API: https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth but now that Google Drive SDK is the live API, I see that service accounts are the encouraged method: Does google Drive api support 2 legged oauth? and https://developers.google.com/accounts/docs/OAuth2ServiceAccount . So I'm following an example that uses this approach and the Prediction API: https://developers.google.com/appengine/articles/prediction_service_accounts and you cannot use the GAE service account in the Team section of the API console. Get an error: "User xxx@appspot.gserviceaccount.com may not be added to project "New Proj Name". Only members from domain myappsdomain.com may be added."
So, I'm basically asking:
1) How do you use service accounts with Google Drive SDK for admin tasks like changing permissions?
2) And any working GAE service account tutorials using the Drive API that work with non-domain users.

The documentation about Service Accounts and user impersonation has just been added:
https://developers.google.com/drive/service-accounts
https://developers.google.com/drive/user-impersonation
Unfortunately, App Engine Service Accounts are not supported by Google Drive yet.

Related

Using Cloud IAM to limit access to App Engine in Google Cloud Platform

I have an app running on Google Cloud Platform. I have access to lists of people (in my organisation) through Cloud IAM. I only want my App Engine app to be accessible to some of these lists, with them having to log on with their Google Account before being allowed in to the site (is this how Cloud IAM permissions work or is this single service sign-on?).
What kind of rules or roles do I need to set just to allow groups or lists to see and use an application?
In Cloud IAM I see these potential roles related to App Engine.
The 'App Engine Viewer' role has this description: "Ability to view App Engine app status.". Is this what I want?
You need to use Cloud IAP to limit user authentication to your App Engine application.
The roles you mentioned (such as App Engine Viewer...) let you limit administration rights on your app: to only publish a new version, or only browse information about your app deployment.
You can start easily with IAP with this good and official tutorial.

SSL on appengine

I read this page: https://cloud.google.com/appengine/docs/ssl
What I'm wondering: when you create a Google Apps for Work account to get a certificate, does the same user need to 'own' the Google Cloud Platform account where the App Engine app is running?
And who should be the 'owner' of Cloud DNS?
In many cases, the programmer is not part of the company, so he doesn't have a Google Apps user account. Or is sharing access to the Cloud Platform enough to get SSL?
Regards, Peter
Note: GAE SSL on custom domains is about to break free of Google Apps, which may significantly change the context for your question and answer(s). See https://support.google.com/a/answer/2644334:
Currently the Google Apps SSL configs only map certificates to the custom domain URLs, regardless of those URLs being served by GAE apps or not, so app ownership identity shouldn't matter. But this needs to be done by a Google Apps Admin.
For now Google Apps Admins can still map custom domain URLs to GAE apps (unclear if they need to own the apps, the above note suggests they might not need to) - which will change after the migration to the Developer Console.
Either the Google Apps Admin or the GAE app owner can perform the app mapping to a custom domain URL (via the Apps Admin console or the Developer Console, respectively) provided they pass the domain ownership verification (the actual Cloud DNS owner doesn't matter technically).
The page you read links to more detailed documentation for Google Apps, where you can find this:
"To add your application to the Google Apps account, the account administrator’s sign-in account (email address) should be an owner of the app. This is set in the Google Cloud Platform documentation under Permissions."
So the admin user who enables SSL on Google Apps must also be an owner of the Google Cloud Platform project.
Who owns the DNS settings (be it Google Cloud DNS or any other DNS service) is independent: it doesn't have to be the same person.

Trying to understand if I need to give domain-wide authority to my appengine service account so that it can access data on Google Drive

I have an App Engine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shut down on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user@xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my App Engine app. Further, user@xyz.com is an owner of my App Engine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user@xyz.com.
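
An added example, not part of the original answer: the claim set a service account sends when it impersonates a domain user, with two guards a reviewer of domain-wide delegation would want (the impersonated subject stays inside the domain, and only delegated scopes are requested). The service account e-mail and the helper names are assumptions; the RS256 signature with the service account's private key is left to a crypto library.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # "aud" of the assertion


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _enc(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def parse_authorized_scopes(console_field: str) -> set:
    """The admin console scope field is comma-separated."""
    return {s.strip() for s in console_field.split(",") if s.strip()}


def build_signing_input(sa_email, subject, scopes, authorized, domain, now=None):
    """Return 'header.claims', the string that is then signed with RS256."""
    if not subject.lower().endswith("@" + domain.lower()):
        raise ValueError("subject %r is outside domain %s" % (subject, domain))
    extra = set(scopes) - set(authorized)
    if extra:
        raise ValueError("scopes not delegated: " + ", ".join(sorted(extra)))
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,                    # the service account itself
        "sub": subject,                     # the user being impersonated
        "scope": " ".join(sorted(scopes)),  # space-delimited, unlike the console
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,                  # assertions live at most one hour
    }
    return _enc({"alg": "RS256", "typ": "JWT"}) + "." + _enc(claims)


def decode_claims(signing_input: str) -> dict:
    """Decode the claims part again, e.g. to log who is being impersonated."""
    payload = signing_input.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))
```

Logging the decoded `sub` and `scope` for every assertion gives an audit trail of which user each delegated call acted as.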

Google App Engine authentication with password

I am really fed up. All I see in the Google App Engine tutorial is an example of how to authenticate without a password. What if I want to authenticate directly from my Gmail account? How can I do it?
Use the Google-provided Users service, which can use your Google account for auth.
https://developers.google.com/appengine/docs/python/gettingstarted/usingusers
Google App Engine provides several useful services based on Google infrastructure, accessible by applications using libraries included with the SDK. One such service is the Users service, which lets your application integrate with Google user accounts. With the Users service, your users can use the Google accounts they already have to sign in to your application.

Is there a google app engine api?

I want to implement some form of access control for a REST API implemented in App Engine. Is it possible to get the list of GAE Applications that a user has permissions to administer or view in the App Engine console? Or whether the user has permissions to administer/view the current application?
Note: the Users API does not work for me because this is a REST server called by another Google app, not a web service called by a user from the browser. The OAuth API seems promising but I was unable to find an OAuth scope or REST endpoint for getting GAE related information.
There is no API that can provide a "list of GAE Applications that a user has permissions to administer." Google Cloud Endpoints on App Engine (Trusted Tester program) may be useful for hosting custom RESTful APIs with user authorization; read more here: http://endpoints-trusted-tester.appspot.com/
There must be an API as the Google Eclipse plugin is using it.
https://developers.google.com/eclipse/docs/signin?hl=de
But it is not documented.
