
I'm deploying a Cloud Function which interacts with Google Drive. As far as I can tell, there's no way to use the implicit Cloud Function credentials or related environment variables to authorize with Drive, so I've had to resort to either including the credentials.json service account key file in the Cloud Function bundle or setting an environment variable using that same key file during deployment of the Cloud Function.

It'd seem to me that you would be able to use the Cloud Function's implicit service account and credentials in order to achieve this.

pdoherty926
  • Could you edit the question to show the code that isn't working the way you expect? You can certainly use the default service account in Cloud Functions - I do it all the time. Most Google SDKs will also find and use that account when initialized in a default fashion. But without seeing how your code expects to make use of it, there's not much we can do to help. – Doug Stevenson Nov 13 '19 at 15:32

1 Answer

You can specify an identity service account on the Cloud Function. That way, instead of using the default compute service account, you can use the one that you want.

Then you can share a document, or a shared drive, with the service account email. That way, the service account of the function will have access to this Drive element.

However, it's not enough. When you perform the request to the Google Drive API, you have to provide an authentication token in the header of the request. You can find here how to query the Cloud Function metadata server to get this token and then reuse it in your Google Drive API call.

guillaume blaquiere
  • Inviting the service account via email seems to have done the trick. I have to say, I can't believe this use case is so complicated and/or poorly documented. It seems like it'd be a very common one. – pdoherty926 Nov 13 '19 at 23:27
  • It's "poorly documented" because it's not a typical use case. Cloud apps generally interact w/other cloud services or perform services on data that belong to other apps/services, not data that belongs to USERS. And if it IS user data, it's typically done via service accts w/domain-wide delegation, to do admin work on behalf of users: developers.google.com/admin-sdk/directory/v1/guides/delegation For your case, either the user "invites" the service acct to access their data (what you did), or OAuth client ID auth is used so the user is PROMPTED to give your app permission to access their data. – wescpy May 28 '21 at 20:54
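The keyless flow described in the answer above, as an added example that is not part of the original answer or comments: the function asks the metadata server for an access token for its own service account and sends it as a bearer token to the Drive API, so no credentials.json is bundled or placed in an environment variable. The read-only Drive scope, the `files.list` call and the helper names are assumptions chosen for illustration.

```python
import json
import urllib.parse
import urllib.request

# Metadata server token endpoint, reachable only from inside the function.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
# Assumption: read-only access is enough; request the narrowest scope that works.
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive.readonly"
DRIVE_FILES_URL = "https://www.googleapis.com/drive/v3/files"


def build_token_request(scopes=(DRIVE_SCOPE,)):
    """Token request for the function's own service account, with Drive scope."""
    query = urllib.parse.urlencode({"scopes": ",".join(scopes)})
    # The metadata server rejects requests without this header.
    return urllib.request.Request(f"{METADATA_TOKEN_URL}?{query}",
                                  headers={"Metadata-Flavor": "Google"})


def parse_token_response(body):
    """Extract the access token; fail closed on anything unexpected."""
    data = json.loads(body)
    token = data.get("access_token")
    if data.get("token_type") != "Bearer" or not token:
        raise ValueError("metadata server did not return a bearer token")
    return token  # short-lived; never log it or return it to callers


def build_drive_request(token, page_size=10):
    """Drive v3 files.list request carrying the token in the Authorization header."""
    query = urllib.parse.urlencode({"pageSize": page_size,
                                    "fields": "files(id,name)"})
    return urllib.request.Request(f"{DRIVE_FILES_URL}?{query}",
                                  headers={"Authorization": f"Bearer {token}"})


def list_shared_files(opener=urllib.request.urlopen):
    """List files that have been shared with the function's service account."""
    with opener(build_token_request(), timeout=5) as resp:
        token = parse_token_response(resp.read())
    with opener(build_drive_request(token), timeout=10) as resp:
        return json.loads(resp.read()).get("files", [])
```

Only items shared with the service account's email are returned, so the sharing settings on the Drive side remain the actual access boundary.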