Reputation: 61
Whitelisting Service Account for Google Drive Document Access
I have a service account created through the Google developer console specifically for API access to Google Drive to retrieve documents. However recently I have changed my G-suite Google Drive settings to have the security restriction that documents can only be shared outside of my organization to whitelisted domains rather than it being wide-open for sharing purposes.
Prior to this security setting change everything was working fine having my service account access documents it has specifically been granted access to. However after the change when viewing the sharing settings on a file that it previously had access to it now says the account cannot be granted access as the policy set prohibits the sharing of items to this user as its not in a compatible whitelisted domain.
I did try whitelisting gserviceaccount.com within my G-suite admin console but this still brought no luck.
Anyone else have a similar issue? Any good solution?
Thanks!
Upvotes: 6
Views: 5400
Answers (1)
Reputation: 8112
You may want to complete the following steps given in Delegating domain-wide authority to the service account:
- Go to your G Suite domain’s Admin console.
- Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
- Select Show more and then Advanced settings from the list of options.
- Select Manage API client access in the Authentication section.
- In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
- In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter:
https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/calendar. - Click Authorize.
This will give authority to your app to make application calls as users in your domain. However, please note on this:
Although you can use service accounts in applications that run from a G Suite domain, service accounts are not members of your G Suite account and aren’t subject to domain policies set by G Suite administrators. For example, a policy set in the G Suite admin console to restrict the ability of G Suite end users to share documents outside of the domain would not apply to service accounts.
See Perform G Suite Domain-Wide Delegation of Authority for more information.
Upvotes: 5
Related Questions
- How to access Google Doc Api with service account?
- Limit Google API access to single or group of users instead of domain-wide authority to your service account
- How to limit Service Account to only be able to access Google Drive?
- How to programmatically access only one specific google drive without a service account
- useDomainAdminAccess creates error in Google Drive API using service account authentication
- Google Drive access for Service account
- How to resolve 403 error with Service Account and Google Drive API
- Google Drive API - Granting Access to Files in a Folder to Service Account
- Drive API access to document with service account
- Google API Service Accounts with Drive SDK