I've got the following function in an unpublished Google Apps Script
function getUserFromEmail(userEmail)
{
return AdminDirectory.Users.get(userEmail)
}
I've enabled the AdminDirectory advanced service in the script
As an admin, I run the script, and the default OAuth2 consent screen pops up.
I authorize, and the script runs as expected.
I share the script with a non-admin collaborator (Editor)
When the collaborator runs the script, an error is generated
GoogleJsonResponseException: API call to directory.users.get failed with error: Not Authorized to access this resource/api
Yes, I understand that the collaborator does not have the admin privileges necessary to make this call. I can explicitly give the collaborator the necessary permissions via admin console, but that is not a good solution, since I may want a group of non-admin users to run the script (you can't assign by group). Since there is no explicit way of controlling authentication from Google Apps script (aside from URLFetchApp), it appears that the Advanced Services APIs only really work for admins running the script. Creating a GCP, service account, domain-wide delegation, etc. will not help, since we cannot explicitly control authentication from GAS Advanced Services. We are forced to use the URLFetchApp knothole. Most of the questions/posts for this topic a 5-7 years old, and the landscape for the developer platform has changed substantially. Also, Google developer platform documentation is woefully out of date and refers to entities that no longer exist (like Google APIs Console in https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites)
Is this analysis correct, or have I missed something?
Tried converting project to CGP standard project, enabling Admin SDK library, service account, domain-wide delegation
Related
I have a fairly simple dataset in a Google Sheet. I created an AutoSort script. I saved it, and when I click "Run," I get the following errors. One from a pop-up, and another from the Execution Log.
Pop-up error:
Authorization required
This project requires your permission to access your data.
*For this error, there is a button to "Review Permissions" and I log in using my google account and then just nothing happens.
Execution Log error:
Warning This project requires access to your Google Account to run. Please try again and allow it this time.
The Owner of this Google Sheet is my personal Gmail account, and I am making these edits and created the script using my business Gmail Admin account. I also tried to access this sheet and run the script USING my personal Gmail account, and received the same error:
Google hasn’t verified this app
The app is requesting access to sensitive info in your Google Account. Until the developer ({mypersonalemail}#gmail.com) verifies this app with Google, you shouldn't use it.
Any insight as to how I can authorize this would be appreciated. It sounds like something small I'm missing.
Also, in my personal email I receive a message with subject:
Review edits to your Apps Script project within your document
and it allows me links to access the worksheet and the script, but I don't see any way to approve the edits, or anything like that.
Expected behavior: What I am expecting is for the script to Run, when I click "Run."
It's not a good idea to mix accounts from different domains, specially when using a free account and a Google Workspace account like you have done because that is the cause of the situation that you are facing.
My hypothesis is that the Google Cloud default project linked to the bounded script is created with the account used to create the project.
If you need that you personal account be the spreadsheet owner the best is to create the script using the personal account, and when needed, create a Google Cloud Standard project (GCSP) using the the personal account. You might try to fix the problem with your spreadsheet and the current Apps Script project by creating a GCSP, as was mentioned previously, by using the account that is the owner of the spreadsheet and linking it to the Apps Script project.
Note: If your script is using sensitive scopes you might have to set the OAuth Consent Screen publishing status to tes and add your Google Workspace account as tester.
Ref: Setting up your OAuth consent screen
Once you have finished the setup of your Google Apps Script project you should be able to use your Google Workspace account to update and run the Apps Script code but any new deployment and new version should be done using your personal account.
If you have access to Shared Drives and are allowed to use them for your spreasheet, consider to move it to a Shared Drive as this will make a lot easier to manage your script.
I developed a Google Sheets addon (sidebar), and now trying to put it to the Google Workspace Marketplace.
I'm a little lost with the OAuth scopes needed to be set as part of the user consent screen and/or app configuration screen (and/or other places?).
I got few questions:
1. What are the scopes I actually need to set
This is what add on do:
Reads all data in the spreadsheet, basically read access, to analyze references between formulas cells (Dependents and Precedents)
upon user approval (clicking a button each time) it will write results to a new sheet in the current worksheet.
In the case of internal error and upon user approval (clicking a button each time), addon sends email with the error details including stack trace and potentially additional parameters (spreadsheet and sheet(s) names.
logs are written during running for the purpose of debugging and flow improvements. Logs records might include some of the spreadsheet underlying data
I couldn't find any full list of scopes, but my understanding is I need at least:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/spreadsheets
2. Where scopes should be configured
I found at least 3 places holding scopes settings.
In the OAuth consent screen setup in the Google Cloud Platform console (API & Services -> OAuth consent screen)
#3 in the how to publish guide leads to the App Configuration screen in the Google Workspace marketplace SDK settings (see screenshot) I couldn't find the way to reach this page accept as described (search for Google Workspace marketplace SDK in the console). Seems it is hidden somehow...don't really understand. This screen also have oAuth scope settings.
appscript.json file as described here. currently appscript.json doesn't have any scope references.
To answer your questions...
Apps Script ends up automatically determining what scopes a script needs and they are added when a script is being run.
To check which ones have been added you should go to Overview in your Apps Script project and you will be able to find the list under the Project OAuth Scopes section:
Therefore, if you had already run and authorized the script corresponding to the add-on, then the scopes needed will be added there.
As for a list of scopes, you can easily check this one here.
Since you are developing an editor add-on, there's no need to add the scopes to the manifest file too, unless you'd like to set explicit scopes. For instance, if you want more control over your add-on and make use of more restrictive scopes than the ones that has been automatically added, you should set it in the appsscript.json manifest file of the add-on.
Once you finish setting things up in the Apps Script side, you can start configuring the add-on using the Marketplace SDK.
Doing so will require you to provide a complete list of the OAuth scopes you have set in your Apps Script project. The OAuth scopes you enter here should match what you display in your OAuth consent screen and if applicable the ones in the appssccript.json manifest file.
Depending on the scopes you choose for the add-on and the add-on's visibility, you might consider taking a look at the OAuth API verification FAQs documentation too as
Some of the scopes used by the following APIs are considered sensitive; see the API’s documentation or look for the lock icon in the Cloud Console. If your app requests sensitive scopes, and doesn’t meet any of the criteria for an exception (see below), you will need to verify that your app follows the API Services User Data Policy.
Therefore, if your add-on is using any of the scopes listed here, you have to go through the verification process as well before publishing it publicly.
Reference
Add-on types;
Apps Script Authorization Scopes;
Editor add-on authorization;
Enable and configure the Google Workspace Marketplace SDK;
OAuth2 Scopes;
OAuth API verification FAQs documentation.
I have a google sheet that has a script embedded.
In the script > resources > cloud platform project, I have added and linked a project to this script to enable the APIs. This works great in the current Google Sheet.
Challenge:
When I make a copy of the Google Sheet the Cloud Platform assigned project is lost and it requires users to enable these permissions again.
Is there a way to prevent this from happening? Am I missing a setting?
What you're trying to do is not possible. Even if you try making a copy of a standalone script that has a GCP project associated, you will get the same functionality (no GCP project associated).
Also, it makes sense that each new user that runs the script has to explicitly authorize the APIs to make changes in their files, send emails on their behalf, or what have you. It's a basic step in the 3-legged OAuth 2.0 workflow, and it can only avoided if you use a Service Account.
So in your situation, I would just use Advanced Google services, even if each new user has to grant authorization. In the end, the appropriate advanced services are automatically enabled in your copied project; users don't need to enable them manually, only grant them authorization.
Reference:
https://developers.google.com/identity/protocols/OAuth2
https://support.google.com/a/answer/2538798?hl=en
How do I track down which Google Apps Script project "Project-id-19735......6273" actually is?
I've tried pasting it into the Cloud Console URL (https://console.cloud.google.com/home/dashboard?project=Project-id-19735......6273) but that doesn't bring anything up. I think this technique is working for projects I own, but not ones shared with me.
This is further to the email notifications we’ve been getting about this updated OAuth on the GMail API and discussed further here.
Unless the owner of the GCP project explicitly grants your google account the appropriate permissions from the Cloud Console you won't be able to access the GCP project bound to an Apps Script project that's been shared with you.
The Apps Script project and GCP project are related but they are NOT one-and-the-same. The GCP project is more of a container and can actually reference multiple Apps Script projects. Each Apps Script project is basically a web app, with its own Client_ID and Client_Secret. That's why you can use ScriptApp.getOAuthToken(); authentication and authorization are handled internally (the GAS editor handles oauth scopes based on usage context or what you define in the manifest JSON).
I'm guessing here, but I suspect that the owner of the GCP project would have to navigate to the IAM (Identity & Access Management) page for the project and add you as a user with read/edit permissions.
I'd like to use a service account to access a Google Sheet via the Apps Script Execution API, but it's not clear from the documentation whether this is supported.
The steps I've tried (which result in a 403 status from the Execution API) are:
Create a new (unbound) Apps Script
Visit the linked Developer Console project
Enable the Execution API
Create a new service account within the same project (downloading
the generated JSON file)
Create a new Google Sheet and share it with the service account's
email address (this is the step I'm least sure about)
Write an apps script function that reads from the spreadsheet
Run the script manually from the Script Editor (to set the scopes
on the script correctly)
Publish the script ("Deploy as API executable"), making it accessible
to 'anyone'
Mint a new OAuth2 token using the service account and the scopes
linked to the script (in our case just
'https://www.googleapis.com/auth/spreadsheets')
Attempt to make a call to the Execution API using the token
This is the response I got:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
Does this not work because Service Accounts are never able to access the Execution API? Or is there something wrong with the steps above?
Your original 403 error indicates that you have incorrectly set up authentication for your service account. However, even if you get that working, as of now (10 Nov 2015) you cannot execute Apps Scripts via the Service Account.
It's a known bug, and is being tracked in the Apps Scripts Issue Tracker.
Currently(2020), Service accounts cannot work with Apps script API. As written in the documentation,
Warning: The Apps Script API does not work with service accounts.
Your problem is probably that the script is associated with the wrong project (i.e. its own project, instead of the project associated with your Service Account). Here is what you need to do:
From the Scripts editor select the following menu item: Resources > Developer Console Project.
On this screen enter the project number for your dev console.
cf this answer