I have a server program that is trying to read a particular file from Google Drive. Authentication is set up using a service account, and can successfully perform admin SDK operations. However, when I try to use the Drive API in the following way, I get a 404 error:
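```python
import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
# key: the service account's private key, loaded elsewhere
credentials = SignedJwtAssertionCredentials(settings.GOOGLE_SERVICE_ACCOUNT_EMAIL, key, scope='https://www.googleapis.com/auth/drive')
http = credentials.authorize(httplib2.Http())
drive = build('drive', 'v2', http=http)
file_data = drive.files().get_media(fileId="MYFILEID").execute()
```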
If I set the file permissions to 'anyone with the link can view' then the code works as expected.
The Drive API is enabled for the service account in the console, and the service account has been granted domain-wide delegation.
If I add `sub='email@mydomain.com'` to the `SignedJwtAssertionCredentials` call, then when I try to build the drive service I get an `AccessTokenRefreshError: access_denied`
Any ideas?
EDIT:
If I share the file in question with the service account email address, it works. However, I would have thought that domain-wide delegation would provide domain-wide privileges. Is this the expected behaviour (i.e. service accounts can only access drive objects that are public/domain-wide or have been explicitly shared with the service account email)?
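
Added example (not part of the original question and not code from Google's libraries): a simplified model of which identity a service-account JWT presents to Drive, with and without the `sub` claim. The service account address, the ACL sets and the `make_assertion`/`predict` helpers are constructed for illustration, and the model assumes the `access_denied` arises because the requested Drive scope is not authorised for the client in the domain's delegation settings.

```python
import base64
import json

DRIVE = "https://www.googleapis.com/auth/drive"
SA = "svc@example-project.iam.gserviceaccount.com"  # constructed sample value
USER = "email@mydomain.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(assertion: str) -> dict:
    """Return the claim set of a JWT assertion without verifying its signature."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_assertion(iss, scope, sub=None):
    """Constructed, unsigned sample assertion (signature segment is a placeholder)."""
    claims = {"iss": iss, "scope": scope,
              "aud": "https://oauth2.googleapis.com/token", "iat": 0, "exp": 3600}
    if sub:
        claims["sub"] = sub  # ask for a token that acts as this domain user
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), "SIGNATURE"])

def predict(assertion, file_acl, delegated_scopes):
    """Simplified model: 'access_denied', '404' or 'ok' for a files.get call."""
    claims = decode_claims(assertion)
    requested = set(claims["scope"].split())
    if "sub" in claims:
        # Impersonation: every requested scope must be authorised for this
        # client in the domain's delegation settings, or no token is issued.
        if not requested <= set(delegated_scopes):
            return "access_denied"
        principal = claims["sub"]
    else:
        # No sub: the token represents the service account itself, which only
        # sees files that are public or shared with its own address.
        principal = claims["iss"]
    if principal in file_acl or "anyone" in file_acl:
        return "ok"
    return "404"

if __name__ == "__main__":
    print(predict(make_assertion(SA, DRIVE), {USER}, []))            # 404
    print(predict(make_assertion(SA, DRIVE, sub=USER), {USER}, []))  # access_denied
```

Running `decode_claims` on the assertion a client actually sends shows whether `sub` is present and which scopes are requested, which can then be compared with the scopes authorised for that client ID.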