Can a Google Apps Admin manage users files with Drive SDK?

Question

The new Drive SDK is very good for the authenticated user. Is it possible use Drive SDK using Google Apps administrative access to impersonate other domain users?

The doclist API can do it but it's not possible manage and copy files (pdf, jpg) with this tool.

I'm using Java with this code:

credential_origine = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
                    .setJsonFactory(JSON_FACTORY)
                    .setServiceAccountId("[email from console api]")
                    .setServiceAccountScopes(DriveScopes.DRIVE)
                    .setServiceAccountUser("user@domain.com")
                    .setServiceAccountPrivateKeyFromP12File(new File("key.p12")).build();

But I get an error when I try to retrieve data for the user@domain.com. If I comment .setServiceAccountUser("user@domain.com") the code works great for the same account I used for creating the key.

In the old DOCList API we impersonated another user by the URL of the requests. Is it something similar?

Answer 1

OK here is complete code in Dartlang to list impersonated USER@YOUR_DOMAIN user files with JSON key

To run it you will need to generate JSON key (instead of P12) via Google Developer Console (in project's context: Apis & auth -> credentials)

Dart project's dependencies in pubspec.yaml: googleapis googleapis_auth async)

import 'package:googleapis/drive/v2.dart';
import 'package:googleapis_auth/auth_io.dart';
import 'package:async/async.dart';

final _credentials = new ServiceAccountCredentials.fromJson(r'''
{
  "private_key_id": "*PRIVATE_KEY_ID*",
  "private_key": "*PRIVATE_KEY_CONTENT*",
  "client_email": "*SOMETHING@developer.gserviceaccount.com*",
  "client_id": "*SOMETHING.apps.googleusercontent.co*m",
  "type": "service_account"
}
''', impersonatedUser: "*USER@YOUR_DOMAIN*");  //here you type user

const _SCOPES = const [DriveApi.DriveScope];

main() async {
  var http_client = await clientViaServiceAccount(_credentials, _SCOPES);
  var drive = new DriveApi(http_client);
  var docs = await drive.files.list(maxResults: 10);

  for (var itm in docs.items) {
    print(itm.title); //list docs titles
  }
}

Answer 2

Upgrade:

the code:

com.google.api.client.googleapis.auth.oauth2.GoogleCredential.Builder credential_origine_builder = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
                    .setJsonFactory(JSON_FACTORY)
                    .setServiceAccountId("[[]]")
                    .setServiceAccountScopes(DriveScopes.DRIVE)
                    .setServiceAccountPrivateKeyFromP12File(new File("cfg/file.p12"));

credential_origine_builder.setServiceAccountUser("user@domain.com");

works fine.

If we change the .setServiceAccountScopes(DriveScopes.DRIVE) to

.setServiceAccountScopes(DriveScopes.DRIVE,Oauth2Scopes.USERINFO_EMAIL,Oauth2Scopes.USERINFO_PROFILE)

for retrieving the name and ID of the user It seems to not be compatible with .setServiceAccountUser("user@domain.com");

Using the 3 scopes works fine only with the user "owner" of the keys...keep building

Answer 3

You can do that using Service Accounts and specifying the user to impersonate when building your assertion claim.

Once you have created a Service Account key in your API project (from the APIs Console), you will have to add this project to the list of authorized third party app in the cPanel. More information about this can be found here. The "Client Id" you need to use is the one bound to the Service Account key and looks like <APP_ID>-<OTHER_KEY>.apps.googleusercontent.com

Since you want to manage other users file, you will have to authorize the Drive wide scope: https://www.googleapis.com/auth/drive.

Most of our client libraries take care of abstracting the claim generation for developers. If you could specify which language your are planning to use, I can update this answer by providing a code snippet to help you get started.