How to authenticate Google Drive API requests server side (without OAuth)

Question

Following situation:

• We're using a third-party service to upload files to a specific drive folder within a specific google account (only possible way)
• A Zapier integration listens to new file creations and creates a new db entry with the metadata of the file

Now I'd like to set up a serverless cloud function that listens for new db entries, retrieves the fileId from the metadata then downloads the file and immediately uploads it to google cloud storage

My problem is to actually authenticate this download request. Ideally, there would be no OAUTH involved since it's literally a single drive we want to touch, which we also own.

I found some related solutions but they don't quite fit.

Google Drive API, Oauth and service account

How do I authorise an app (web or installed) without user intervention?

Basically I want to do this inside my serverles function:

 const drive = google.drive({ version: "v3", auth: "WHAT_KEY_IS_NEEDED_HERE?" });
    const zip = await drive.files.get({
      fileId: "1iwXhoQfFvR8uVuVWAf1onq2O8Hs-M_0H",
      alt: "media",
    });

What key do I need to make authenticated requests? Can I use a service account or can I create a personal use token for this drive that is valid forever? The auth param can have several types:

Answer 1

According to the official documentation:

Authenticating as a service account

If your application runs inside a Google Cloud environment that has a default service account, your application can retrieve the service account credentials to call Google Cloud APIs. Such environments include Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions. We recommend using this strategy because it is more convenient and secure than manually passing credentials.

Therefore if your code access data belonging to your own application, you can use the default service account of your cloud function (App Engine service account)

Answer 2

Must use OAuth in order to access non-public files:

From Drive API official docs:

Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported.

Only if the resources you're accessing are publicly accessible (for example, if you share a file with Anyone with the link) you can avoid using OAuth, and use an API key instead. According to what you said, though, the Drive you want to access is not public.

It doesn't matter that it's a single Drive or that you own it; if it's not public, you need OAuth to access it.

Service account to avoid user interaction:

Of course, if what you want to do is to go through the authorization process without any user interaction, you can use a service account. In this case, though, you would still be using OAuth, even if without user interaction: see Using OAuth 2.0 for Server to Server Applications for more information on this specific authorization flow, usually called "2-legged OAuth".

The service account can either be used in its own, so that you should share the Drive with the service account, or it can be used to impersonate another account, so that it act on behalf of a regular account and access the same resources this regular account can access.

Related:

• Authentication overview
• Authenticating as a service account
• Access Google Drive API from a Google Cloud function