Access Domain wide Google Drive data with ServiceAccount Actor user

0
votes

Technology required : C#

Description : I am working to create workflow in application such that website will ask for Google Authentication with user consent screen, and once it is authorized by domain administrator, website will have access to all users under that domain and also access to drive and team drive data.

Attempted ways to authenticate :

  1. Created Service Account user, provided necessary rights for Google Scopes to that user from admin.google.com
  2. Created Super admin user, assigned it Role of Service Account Actor with Service Account created in #1.

Code used with ServiceAccountCredential object

ServiceAccountCredential credential = new ServiceAccountCredential(
                    new ServiceAccountCredential.Initializer("Service_Account_Email")
{
    Scopes = SCOPES,
    User = ADMIN_EMAIL,
}.FromPrivateKey("PRIVATE_KEY"));

With the use of ServiceAccountCredential object, I am able to list domain users, as well as drive details, as required. The only problem is that for that I need client to create service account and authentication steps mentioned in #1, and also ask for credentials ( Service account email, private key, admin email ), which I don't want to.

I have tried to authenticate with admin user (#2), which have Service Account Actor Role with user consent screen with below code.

GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
    ClientSecrets = new ClientSecrets
    {
        ClientId = Constants.GoogleClientId,
        ClientSecret = Constants.GoogleClientSecret
    },
    Scopes = Constants.GoogleScopes
    //,DataStore = new FileDataStore("Drive.Api.Auth.Store")
});

UserCredential credential = new UserCredential(flow, email, response);

var service1 = new DriveService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
    ApplicationName = "Drive API Service Account Sample",
});

With the above code "service1.Teamdrives.List().Execute();" always results Team drives available with the admin user I am authenticated with, though I am passing different email in UserCredential object.

I need help here, I need to be able to manipulate all user's drive data without any user intervention once authenticated by admin user ( Service Account Actor )

Any help would be much appreciated.

Thanks

1
c#google-apigoogle-drive-apigoogle-authenticationgoogle-workspace

1 Answers

0
votes

AFAIK, in delegating domain-wide authority to a service account UserCredential used should be a member of the domain. Note of the warning in the documentation,

Service accounts should only be used for performing delegation where the effective identity is that of an individual user in a domain. Additionally, service accounts may not acquire additional storage quota, nor do they act as members of a domain.

You may want to try these steps to grant access (account with services and Apps admin role are required):

  • Sign-in to Google Admin and go to Apps -> G Suite -> Drive and Docs -> Sharing Settings sub-menu and select ON from the Sharing options
  • Click on the Manage Team Drives sub-menu and click on the Team Drive you want to grant access to
  • Click on ADD MEMBERS in the Member access pop-up
  • Enter the service account Account ID (email), choose access level (I chose Full), check the Skip sending notification and click on SEND

For additional insights, see these SO posts and tutorial: