What happens when we delete or deactivate the Google account of the project owner, who's also the creator of the files attached to the Cloud project? Do other owners (set up in Google Cloud Platform) keep their authorizations?
If the account belongs to an organisation, the project continues to live in the organisation and the org admin is able to access it, go to the IAM page and grant a new owner (or not; an owner is not required on a project!).
If you expect notifications on the project, the Essential Contacts feature is made for that.
If the account is a personal account, you can't recover the project, it is lost.
How to safely test an app that reads and writes to Google Drive using the API?
I created an app that runs on a server that basically copies a template Google Doc to another directory and then edits this new file.
In order to do that I:
created a service account,
delegated domain-wide authority to this service account (https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority).
Then the app impersonates a user of the domain (always the same user) to access the API resources.
This app works, but it has 2 problems:
the service account has access to too many things. Ideally, I'd like it to have RW access to one folder only,
I'd like to create test credentials that would have access to another specific folder only, or even better, another drive.
Thanks!
Drive does not have permissions based on folders. The closest you can get is by creating an additional Service Account and then sharing the folder(s) with that SA.
You can also change the sharing setting for just one organisational unit; doing that, all the folders whose owners are part of that OU will be able to be shared outside of your domain, so that the SA has access only to those folders.
The company I work for recently switched to using Team Drive and we had multiple applications that would interact with Google Drive using the Google Drive API. The API calls would be authorized using Google Service Accounts and access to specific files would be given to an app by sharing the file with the Service Account email in the same way you would share a file with a normal user. Now that we've switched to Team Drive I'm unable to grant access to the Service Account as the email address associated with it is not considered part of our organization. I've also looked into adding the Service Account as a normal user in our organization through the Google Admin dashboard, but it only allows me to create new users, not include existing ones. The only solution I've found is to enable sharing with external parties, which would allow me to share Team Drive files with the Service Account, which would be considered an external party. This solution is risky and incorrect as the applications using the Service Account are part of our organization. We also do not want to enable sharing with external parties in general for security reasons.
I've followed the steps described in How to access Team Drive using service account with Google Drive .NET API v3 and they work, but as mentioned above they require sharing with external parties to be enabled, which we do not want.
The ideal solution would be for the Service Account to be considered part of our organization, but I cannot find a way to do this.
I've also tried delegating Domain-Wide Authority to the Service Account as described in https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority, but as far as I understand this is not what I want as this will allow the Service Account to impersonate other users, but the reason we have a Service Account is for carrying out processes that happen automatically and which aren't associated with a specific user.
I've also followed the steps outlined here https://developers.google.com/admin-sdk/reports/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account for white-listing a specific API service through the Google Admin Security interface, but this doesn't seem to do anything, and I'm not sure what it is supposed to do as I have already enabled the Drive API for this Service Account in the APIs & Services dashboard where I originally created the Service Account.
We're using R and so I've been using the googledrive package which has functions for working with Team Drives like:
googledrive::drive_find()
googledrive::team_drive_find()
googledrive::team_drive_get(id = "team-drive-id")
I would expect to be able to see the team drive, but I guess this is not possible unless the Service Account email is a member of the Team Drive which is not possible because the Service Account (which is linked to our organization through its owner) is not considered part of our organization.
I had the exact same issue and after trying a lot of approaches, landed on the solution below (++):
Create a group in Google Workspace. You can add any external identity/email to a group, since they can be used for multiple things. So add the role account to this group.
Google has recently come out with "Trust" rules, that allow granular sharing. You can share with a group. So I created a trust rule that allowed sharing of any data source (easier than restricting who can share since file/shared drive ownership affects this rule) to only the group that contains the service account. Now external sharing is permitted, but only to the role account.
Lastly, share the drive with that role account.
++ Note that I also had followed the majority of steps above including the GCP project creation and domain-wide delegation before this portion, but was similarly stuck getting a 403 for access rights.
I was added to a client's Vimeo account as an Admin. I need to create an app so I can access the api, as described here: https://developer.vimeo.com/api/start
I have created apps just fine in the past by following this link: https://developer.vimeo.com/apps/new
However, when I am logged in as an admin on this account, it gives me a permissions error:
Permission Denied
Sorry but you do not have the proper permission to access this area of Vimeo.
Are Admins not permissioned to create an app? If so, what roles can?
Currently only the primary account holder can create and manage apps for a parent PRO or Business account. Users who are set as Admins, Contributors, or Uploaders of a parent account cannot manage developer apps for that account.
The reason is that by using the API, a user could modify that parent account's settings and metadata outside of the on-site team member structure.
Vimeo may change this in the future, but there's no ETA for supporting team members at this time.
An overview of team member management can be found in the Vimeo Help Center: https://help.vimeo.com/hc/en-us/articles/224818687-Managing-team-members-on-your-account
I have a Google Apps Script Web App distributed to multiple users all in one domain. They trigger it manually via the web app URL available from the publish screen (i.e. it's not a marketplace app). I'm trying to figure out how to grant user data permissions domain-wide if possible so that users don't have to confront a user data request dialog when it first runs for each given user. FYI they are all on G Suite for Business. This is not about "verified app" OAuth, but about the personal data access permissions. Also, if important, the app is published with "execute the app as user accessing the web app" because the app needs to pull the email address of the current user in order to function, and on that same screen, access was given to "anyone". I couldn't find this question posed already—apologies if I'm wrong. Thoughts appreciated!
If possible, please publish an add-on app within the domain; it will allow the users.
(You can publish a web add-on within the domain without any extra cost or permission.)
More details: https://developers.google.com/apps-script/add-ons/domain-wide
Hope it will be helpful for you!
My organization has a project that is using Google Drive to store files. What we want to do is to show the contents of the Drive on a website.
I'm not really sure how to go about this. Most of the examples are showing authenticating the user accessing the site.
Right now, what I am thinking of doing is to use a service account. I have a Node app running a service account, which I just followed from the Node.js samples. I realized that the contents shown from running the app are the contents of the Drive of the service account.
What I wanted to happen was show the contents of the Drive that owns the project.
I'm not sure if you can get around authentication when it comes to standard User Accounts.
But you don't really need to impersonate a User Account. There is an alternative solution. From your User account, create a folder and move all the files needed by the app into it. Then share the folder with the service account and grant it edit access. To share the folder you'll need to know the email address of the service account, which you can find in your Google Developer's Console. To get to the service account's page, click the menu icon (the triple bar) at the top left and select IAM & Admin. On that page there should be a menu option for service accounts; when selected, it will provide you with a list of all your service accounts and their corresponding email addresses.