1
votes

Problem: I have created a service account to interact with my org's Google Drive & Spreadsheet files. I am able to successfully create a session to the Google Drive API. However, the only file I have access to is this boilerplate:

=> [#< GoogleDrive::File id="aSdsefooovjTnulaRlclbarrr" title="Getting started">]

What level of permissions do you think I am missing?

My only thought left is that there's some other top-level permission hiding files from outside an org, even though the service account is shared on a file explicitly? It does say this when I share with the Service Account, if that's any indication.

Maybe related to the following image from this doc?

https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority

Steps I've already gone through:

1) I created a Service account with Domain wide delegation, and project edit status.

2) I have invited that service account's email to the sheets I want it to have API access to

3) I had a G Suite admin of my org add this Service Account's client_id to / Security / Manage API Client Access, with the scopes -> https://www.googleapis.com/auth/drive, https://spreadsheets.google.com/feeds

Have tried every combination I can find in all docs / tutorials. Here is my connection code, based off https://www.twilio.com/blog/2017/03/google-spreadsheets-ruby.html. Tried passing the scopes in the client_secret.json. Tried tooling with IAM roles for the service account.

session = GoogleDrive::Session.from_service_account_key("client_secret.json")

{
  "type": "service_account",
  "project_id": "gdrive-1231233",
  "private_key_id": "food87c0bar16da9bfoooooo677bar",
  "private_key": "-----BEGIN PRIVATE KEY-----\nsssEIEvQfooobarrrytyeho=\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "foo40990211bar",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_foox_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_foox_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/servicebot%40gdrive-foobar.iam.gserviceaccount.com"
}

#<GoogleDrive::Session:0v3fc6c3e25061>

1 Answers

1
votes

So it turns out the only method I could use to find an explicit spreadsheet was spreadsheet_by_url; .files, .spreadsheets, .find_by_guid, etc. all returned nil, but searching by URL directly returned the file and enabled me to read / write.

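require "google_drive"

session = GoogleDrive::Session.from_service_account_key("client_secret.json")
# Keep the returned spreadsheet; the worksheet lookup below needs it
spreadsheet = session.spreadsheet_by_url(ENV['GOOGLE_DATA_DUMP_URL'])
worksheet = spreadsheet.worksheets[0]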
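
Added example, not part of the original question or answer: the signed JWT from the linked OAuth2ServiceAccount flow, built with and without the `sub` claim. Without `sub` the token acts as the service account itself; with it, and with domain-wide delegation authorized, it acts as the named user, which is why delegated scopes should be kept minimal. The RSA key, e-mail addresses and the helper names `build_assertion` and `effective_identity` are constructed for illustration; scopes and `token_uri` are taken from the question.

```ruby
require 'json'
require 'openssl'

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  padded = text.tr('-_', '+/') + '=' * ((4 - text.length % 4) % 4)
  padded.unpack1('m')
end

# Build the RS256-signed assertion a service account exchanges for an access token.
# impersonate: nil -> the account acts as itself; an e-mail -> "sub" (delegation).
def build_assertion(key_file, rsa_key, scopes, impersonate: nil, now: Time.now.to_i)
  claims = {
    'iss' => key_file.fetch('client_email'),
    'scope' => scopes.join(' '),
    'aud' => key_file.fetch('token_uri'),
    'iat' => now,
    'exp' => now + 3600
  }
  claims['sub'] = impersonate if impersonate
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = rsa_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Verify the signature, then report which principal the token would act as.
def effective_identity(assertion, public_key)
  head, body, sig = assertion.split('.')
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{head}.#{body}")
  raise ArgumentError, 'signature does not verify' unless valid
  claims = JSON.parse(b64url_decode(body))
  claims['sub'] || claims.fetch('iss')
end

# Constructed sample data: throwaway key and placeholder addresses.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_KEY_FILE = {
  'client_email' => 'svc@example-project.iam.gserviceaccount.com',
  'token_uri' => 'https://accounts.google.com/o/oauth2/token'
}.freeze
SCOPES = ['https://www.googleapis.com/auth/drive', 'https://spreadsheets.google.com/feeds'].freeze

if __FILE__ == $PROGRAM_NAME
  own = build_assertion(SAMPLE_KEY_FILE, SAMPLE_KEY, SCOPES)
  delegated = build_assertion(SAMPLE_KEY_FILE, SAMPLE_KEY, SCOPES, impersonate: 'user@example.com')
  puts "no sub:   acts as #{effective_identity(own, SAMPLE_KEY.public_key)}"
  puts "with sub: acts as #{effective_identity(delegated, SAMPLE_KEY.public_key)}"
end
```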