Excessive scope requirements in Google Apps Script

Question

Here's a custom Google Sheet with script code:

var GAaccountsList = Analytics.Management.Accounts.list();
var upload = Analytics.Management.Uploads.uploadData('accountId', 'webPropertyId', 'customDataSourceId')

This code should run OK if https://www.googleapis.com/auth/analytics scope is provided.

But instead, it asks additionally for https://www.googleapis.com/auth/analytics.readonly that is excessive.

Can this be fixed in Google Apps Script OAuth service?

Answer 1

You can modify the OAuth scopes in the Manifest file. The manifest file is accessed in the GAS editor through the menu (View > Show Manifest File), then the manifest will appear in the file list as appscript.json. You can remove the Dependencies and oauthScopes sections from this file, then when your script tries to make Google calls it will get an error saying which scopes are required (in Stackdriver Logging). You can add scopes one at a time this way, but be sure each of your Google functions gets called or you may miss a scope.

Note that removing the Dependencies section might have other side-effects (such as removing access to Libraries). It was my experience that an excessive scope showed up in the Dependencies/enableAdvancedServices section, so I had to remove it from there and add the less-permissive scope to the oauthScopes section.

Reference: https://developers.google.com/apps-script/concepts/scopes

https://developers.google.com/identity/protocols/googlescopes

Google Oauth removing scopes from access

How to narrow down the auth/drive scope for a google apps script?

https://developers.google.com/apps-script/concepts/manifests