"Insufficient Permission" when trying to authenticate to cloud-storage via apps-script

0
votes

I am about to give up on this as I can't find out what I am doing wrong.

I have a cloud-storage bucket with our companies billing data (json file objects written by google) that I am supposed to process into spreadsheets.

As there is no apps script API for oauth2, I am using the custom OAuth2 library provided by google with the key "1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF", and have setup the auth request as shown in this example for service accounts:https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs

The token is being created and put into the scripts property store, where I can view it. So far so good.

I have this code for requesting the token and then I am trying to list the contents of the bucket in the function "getFilesList()":

function getService() {
return OAuth2.createService('CloudStoreGrab-Service')
  .setTokenUrl('https://accounts.google.com/o/oauth2/token')

  .setPrivateKey(creds_private_key)
  .setIssuer(creds_client_email)
  .setSubject(creds_user_email)
  .setPropertyStore(PropertiesService.getScriptProperties())
  .setScope(['https://www.googleapis.com/auth/drive','https://www.googleapis.com/auth/script.external_request','https://www.googleapis.com/auth/script.storage','https://www.googleapis.com/auth/spreadsheets']);
}

function getFilesList() {
var service = getService();
service.reset();
if (service.hasAccess()) {
    var url = 'https://www.googleapis.com/storage/v1/b/'+bucket+'/o'; 
    var response = UrlFetchApp.fetch(url, {
        method: "GET",
        muteHttpExceptions: true,        
        headers: {
            Authorization: 'Bearer ' + service.getAccessToken()               
        }
    });
}
Logger.log("Response:", response.getContentText())
}

No matter what I seem to try, the request always returns "403 Insufficient Permission". The service account has all necessary roles and permissions activated though (DwD, Storage-Administrator, Project-Owner). When I authenticate with the same credentials from gcloud and then browse the bucket with gsutils I can see the listing. This leads me to believe, that I am still requesting the auth token incorrectly. I tried using the generated token with curl and am getting the same Insufficient Permission response.

What am I doing wrong, while requesting the token? Are the requested scopes too narrow?

1
google-apps-scriptoauth-2.0google-cloud-storageservice-accounts

1 Answers

1
votes

Are the requested scopes too narrow?

That they are. You can find the OAuth scopes for Google's Cloud Storage API listed below (you won't need to use all of them, pick the ones best suited to your use-case, the 1st and 5th scopes in the list should be sufficient):

In future, you can find the required OAuth scopes for any Google API you need at the following link: https://developers.google.com/identity/protocols/googlescopes