1

I am writing a server-side Python script with PyDrive which needs to store a file in a specific gdrive. PyDrive and this post suggest using a service account. However, this would mean that with the credentials of this service account all gdrives are accessible, and I would rather avoid that.

Ideally, only one specific gdrive, or all gdrives that one specific user has access to, should be accessible.

Is it possible to give programmatic access to only one specific gdrive?

[Edit]

As mentioned in the comments, I am apparently not looking for an OAuth flow. I am looking for server-to-server communication for accessing one specific Google Drive using the principle of least-privilege access. Doing this with a service account + domain-wide delegation and the Google Drive r/w scope would mean that with this service account all Google Drives can be accessed, which is not what I want.

Unfortunately there is a domain-wide policy in place which forbids sharing Google Drives with "other" domains. This means I cannot use a service account without domain-wide delegation and just share the drive with it.

zlZimon
  • Are you the owner of the drive? If so you could download the credentials for your client. If not, you can create a service account and assign a limited role to it. Then the service account can ask for an access token once the user (owner of the Drive) has given it consent to use the solicited scopes. – Aerials Mar 19 '21 at 14:14
  • Unfortunately I am not the owner. Can I have a role which only gives read access to the service account of one specific folder? If that is the case this would solve the problem indeed – zlZimon Mar 23 '21 at 12:41
  • Yes there are such roles. https://cloud.google.com/iam/docs/understanding-roles#basic-definitions – Aerials Mar 26 '21 at 16:28
  • Maybe if you provide some context about the specific task you are trying to achieve? AFAIK what you are trying to do is not possible. – iansedano Mar 29 '21 at 08:51
  • I am trying to run a Python script on a server which automatically uploads a file to a specific gdrive folder. The goal is to give this Python script least privileges, so that the credentials it is using for accessing the gdrive API only have access to this specific folder. And since this is a server, there is no user interaction. – zlZimon Mar 30 '21 at 08:51
  • Is the server side script meant to be runnable by only you, on a timer or by the general public? Are you looking for somewhere that users can go to upload things who may be external to your domain? – iansedano Mar 31 '21 at 07:37
  • It is only runnable by me. But I still don't want to have any credentials on the server which give access to more than just that specific gdrive folder. Least privileges. – zlZimon Apr 01 '21 at 07:27

2 Answers

1

I don't understand what you mean by "programmatically", when you already tagged the question as oAuth, asking for the OAuth2 flow, which is interactive. When there is nobody who would press the buttons, this probably isn't the authentication flow you're looking for. Just share a directory with a service account; no domain-wide delegation is required (with that enabled, there would be no need to share it).

One could even abstract the whole Drive API access credentials away by using a simple Cloud Function which has the task of updating one file, triggered through HTTP and utilizing the Drive API.

Martin Zeitler
  • With programmatically I mean without user interaction. Just sharing it with the service account without domain-wide delegation is a great idea. I will try that. Thanks – zlZimon Mar 18 '21 at 14:16
  • Sharing it with the service account without any domain-wide delegation does not work, since there is a domain-wide policy which does not allow sharing drives with domains which are not whitelisted. – zlZimon Mar 19 '21 at 09:33
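An added example (not code from the question or the answer) of what the answer describes, written against PyDrive2, the maintained fork of PyDrive: plain service-account authentication with no user impersonation, uploading into one folder that the folder's owner has shared with the service account's e-mail address. The key-file path, folder ID and settings layout are assumptions; `client_user_email` is the PyDrive2 key that would turn on domain-wide impersonation, so its absence is the least-privilege point.

```python
"""Least-privilege server-side upload into one shared Drive folder.

Design: a plain service account (no domain-wide delegation) is granted
access only by having one folder shared with its e-mail address, and the
script uploads into that folder by ID. Nothing here impersonates a user.
"""
import os

# The token's reach is bounded by what is shared with the service account,
# not by the scope. Assumption: the narrower ".../auth/drive.file" scope may
# also work once the folder is shared; start with it if your tenant allows.
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"


def build_service_settings(key_json_path, scopes=(DRIVE_SCOPE,)):
    """Return PyDrive2 settings for plain service-account auth.

    Deliberately omits `client_user_email`: that key enables impersonation
    of a human user, which needs domain-wide delegation and is exactly the
    over-broad access the question wants to avoid.
    """
    return {
        "client_config_backend": "service",
        "service_config": {"client_json_file_path": key_json_path},
        "oauth_scope": list(scopes),
    }


def check_least_privilege(settings):
    """Raise if the settings would let the script act as someone else."""
    if settings.get("client_config_backend") != "service":
        raise ValueError("expected service-account backend, no interactive OAuth")
    if "client_user_email" in settings.get("service_config", {}):
        raise ValueError("client_user_email enables user impersonation")
    return True


def upload_to_folder(local_path, folder_id, settings):
    """Upload `local_path` into Drive folder `folder_id`; needs network."""
    from pydrive2.auth import GoogleAuth      # imported lazily: not needed offline
    from pydrive2.drive import GoogleDrive
    check_least_privilege(settings)
    gauth = GoogleAuth(settings=settings)
    gauth.ServiceAuth()                        # JWT flow: no browser, no user
    drive = GoogleDrive(gauth)
    f = drive.CreateFile({"title": os.path.basename(local_path),
                          "parents": [{"id": folder_id}]})
    f.SetContentFile(local_path)
    f.Upload()
    return f["id"]                             # ID of the newly created file
```

If the API answers with a not-found error for the parent folder, the folder has not actually been shared with the service account's address, which is the policy problem the comments above describe.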
0

Possible approach - dummy account

You could designate a new account that will be your "service account". In reality it won't be an actual service account; it will just be a dummy account that you can call something like "gdrivebot@yourdomain.com". Then you can share only what is absolutely necessary with it. I think this would be the only way to get the level of fine-grained control that you are looking for. This would require your admin to designate a new account just for this purpose, though.

iansedano
  • Sorry for my late reply and thanks for your answer. However, I have the feeling that I conceptually misunderstood the authentication in the Google world. My understanding was that it is not possible to authenticate a 'normal' user account from a piece of code running on a server without having some kind of user interaction. This is why there are service accounts. – zlZimon Apr 12 '21 at 08:24