How to set up Google Apps Script web app endpoint authorisation with a Google service account?

First, I have a web app in Google Apps Script:

function doGet() {
  // Report whether more than 10 Gmail threads arrived in the last day.
  const boolResult = isDailyGmailCountLargerThan10();
  console.log(boolResult);
  if (boolResult) return ContentService.createTextOutput('Done');
  else return ContentService.createTextOutput('Error');
}
function isDailyGmailCountLargerThan10() {
  // GmailApp.search returns an array of the matching threads.
  const intCount = GmailApp.search("newer_than:1d").length;
  return intCount > 10;
}

And then I have the below Python script to make the request:

import requests
url="https://script.google.com/a/macros/<my_project>/s/<my_script_id>/exec"
r=requests.get(url)
print(r.status_code)
print(r.text)

Unfortunately, as only I can access and execute the script (which means I set it up like this: Execute as [Me] | Who has access [Me]), it returns either the login page or unauthorised access.

Thus, I rewrote the Python as below:

from google.oauth2 import id_token
from google.oauth2 import service_account
import google.auth
import google.auth.transport.requests
from google.auth.transport.requests import AuthorizedSession

cred_path = '/path/to/key.json'
target_audience = 'https://script.google.com/a/macros/<my_project>/s/<my_script_id>/exec'
url = 'https://script.google.com/a/macros/<my_project>/s/<my_script_id>/exec'

creds = service_account.IDTokenCredentials.from_service_account_file(
        cred_path,
        target_audience=target_audience)

authed_session = AuthorizedSession(creds)

# make authenticated request and print the response, status_code
resp = authed_session.get(url)
print(resp.status_code)
print(resp.text)
# Returned 401  |  Unauthorized


# to verify an ID Token
request = google.auth.transport.requests.Request()
token = creds.token
print(token)
print(id_token.verify_token(token,request))

Unfortunately, it returned 401 Unauthorized. So here is my question:

How can I use a Google service account to pretend to be me before sending a GET request to the Google Apps Script where the only authorised user is me? I cannot find any reference on granting permission to a Google service account email to send requests to my Google Apps Script.

Question-er XDD
  • https://stackoverflow.com/questions/42836357/how-to-call-a-google-app-script-function-from-python Found this, hope it can help – user16730804 Aug 23 '21 at 06:56
  • Unfortunately .... – Question-er XDD Aug 23 '21 at 13:58
  • (1) Why do you want to use a service account and not your regular one? (2) Have you granted [domain-wide delegation](https://developers.google.com/identity/protocols/oauth2/service-account?hl=ro#delegatingauthority) to the service account in order to act on behalf of you? – Iamblichus Aug 25 '21 at 07:52
  • (1) The regular one needs to log in every time and is not for server-to-server communication, (2) granted – Question-er XDD Aug 29 '21 at 09:27
  • You granted domain-wide delegation, but did you use that to impersonate your regular account? – Iamblichus Aug 30 '21 at 07:11
  • I don't have the admin account (https://developers.google.com/admin-sdk/directory/v1/guides/delegation), as G Suite accounts are different from normal business accounts. Thus, I tried "Enable Google Workspace domain-wide delegation"; unfortunately it did not work ([maybe I did something wrong](https://developers.google.com/admin-sdk/reports/v1/guides/delegation#python)). Last but not least, you can try that in calling the Google Apps Script web app; you will understand what I mean (https://developers.google.com/apps-script/api/quickstart/python) – Question-er XDD Aug 30 '21 at 16:43
  • Well, if you cannot have the service account impersonate your regular account, and the web app can only be accessed by your regular account, you cannot access this with the service account (you need an admin account to do this). Also, about the Apps Script API quickstart link you provided, what does it have to do with the current issue? – Iamblichus Aug 31 '21 at 09:13
  • Can you provide a quick demo? There is no relation with the Apps Script API quickstart link, just a reference. – Question-er XDD Sep 01 '21 at 09:47
  • A demo for what? From what I understood, you don't have a domain account, so you cannot have a service account impersonate a regular account. – Iamblichus Sep 02 '21 at 10:54

1 Answer

Thanks to @Iamblichus for the answer.

As I don't have a domain account, I cannot have a service account impersonate a regular account.

So I will close this thread.

Question-er XDD
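The thread concludes that the web app admits only the owner's account and that the service account was not impersonating it. The following added example (not part of the original question or answer) decodes an ID token's claims to show which principal a request actually presents. The claim values, the `me@example.com` address and the helper names are constructed assumptions, and the signature is not checked because this is a diagnostic only.

```python
import base64
import json
import time
from typing import List, Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def identity_mismatches(jwt: str, allowed_user: str,
                        now: Optional[float] = None) -> List[str]:
    """Reasons this token does not present `allowed_user` as the caller."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    email = str(claims.get("email", ""))
    problems = []
    if email.lower() != allowed_user.lower():
        problems.append(f"token identifies {email or claims.get('sub')!r}, not {allowed_user!r}")
    if email.lower().endswith("gserviceaccount.com"):
        problems.append("principal is a service account, not a user account")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

# Constructed sample: claim names follow Google-issued ID tokens; values are made up.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "https://script.google.com/a/macros/<my_project>/s/<my_script_id>/exec",
    "email": "caller@example-project.iam.gserviceaccount.com",
    "sub": "100000000000000000000",
    "exp": 1629703600,
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-not-a-signature"),
])

if __name__ == "__main__":
    for line in identity_mismatches(SAMPLE_TOKEN, "me@example.com", now=1629700000):
        print(line)
```

In the question's second script, `creds.token` is the value to pass in place of `SAMPLE_TOKEN`.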