We use the Drive API in a few scripts to get info on all our Shared Drives. Using the “useDomainAdminAccess” parameter in the drives list/get methods, we can get just about all drive details without adding the script account as owner on the target drives. One detail we cannot get using this method is total drive size. It appears there is no native property for drive size when querying details at the drive level. We can get a size param when querying individual files (but we must add the script account as an owner on the drive).
In summary, to get drive size we must add the script account as an owner on the drive. Then iterate through all files within the drive, getting the size param for each and adding it to a global variable which we return as total drive size at the end of the iteration. After this we remove the script account from the drive. This, of course, seems very inefficient for getting a single property. Do we know if Google plans to include a size param within the drives.list/drives.get api, or add the “useDomainAdminAccess” param to the files.list/files.get api or maybe there is another Google API that can provide this detail with less effort (reporting / gws admin api)? Thanks
https://developers.google.com/drive/api/v3/reference/drives/list
https://developers.google.com/drive/api/v3/reference/files/list
You may benefit from filing a feature request on Google's Issue Tracker and provide all the necessary details there.
I suggest you fill in this template here.
As for an alternative for your current workaround, I suggest you take a look at service accounts and domain-wide delegation in order to impersonate the owner of the drive and perform the request on their behalf.
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
Reference
Service Accounts;
Drive API Perform Google Workspace Domain-Wide Delegation of Authority.
Related
Th company I work for recently switched to using Team Drive and we had multiple applications that would interact with Google Drive using the Google Drive API. The API calls would be authorized using Google Service Accounts and access to specific files would be given to an app by sharing the file with the Service Account email in the same way you would share a file with a normal user. Now that we've switched to Team Drive I'm unable to grant access to the Service Account as the email address associated with it is not considered part of our organization. I've also looked into adding the Service Account as a normal user in our organization through the Google Admin dashboard, but it only allows me to create new users, not include existing ones. The only solution I've found is to enable sharing with external parties which would allow me to share Team Drive files with the Service Account, which would be considered an external party. This solution is risky and incorrect as the applications using the Service Account are part of our organization. We also do not want enable sharing with external parties in general for security reasons.
I've followed the steps described in How to access Team Drive using service account with Google Drive .NET API v3 and they work, but as mentioned above they require sharing with external parties to be enabled which we do not want.
The ideal solution would be for the Service Account to be considered part of our organization, but I cannot find a way to do this.
I've also tried delegating Domain-Wide Authority to the Service Account as described in https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority, but as far as I understand this is not what I want as this will allow the Service Account to impersonate other users, but the reason we have a Service Account is for carrying out processes that happen automatically and which aren't associated with a specific user.
I've also followed the steps outlined here https://developers.google.com/admin-sdk/reports/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account for white-listing a specific API service through the Google Admin Security interface, but this doesn't seem to do anything, and I'm not sure what it is supposed to do as I have already enabled the Drive API for this Service Account in the APIs & Services dashboard where I originally created the Service Account.
We're using R and so I've been using the googledrive package which has functions for working with Team Drives like:
googledrive::drive_find()
googledrive::team_drive_find()
googledrive::team_drive_get(id = "team-drive-id")
I would expect to be able to see the team drive, but I guess this is not possible unless the Service Account email is a member of the Team Drive which is not possible because the Service Account (which is linked to our organization through its owner) is not considered part of our organization.
I had the exact same issue and after trying a lot of approaches, landed on the solution below (++):
Create a group in Google Workspace. You can add any external identity/email to a group, since they can be used for multiple things. So add the role account to this group.
Google has recently come out with "Trust" rules, that allow granular sharing. You can share with a group. So I created a trust rule that allowed sharing of any data source (easier than restricting who can share since file/shared drive ownership affects this rule) to only the group that contains the service account. Now external sharing is permitted, but only to the role account.
Lastly, share the drive with that role account.
++ Note that I also had followed the majority of steps above including the GCP project creation and domain-wide delegation before this portion, but was similarly stuck getting a 403 for access rights.
Is there a way I can remove data from a Service account created for a Project for Drive API since this is hitting the storage limit. Can I transfer the data to another non service account, Or can I substitute this service account for another? so I can keep using my project or shall I create a new project and integrate it with a new Service account?
Possible solutions seem are described on these other questions, but I´m not sure yet about the solution.
Google Drive Service Accounts Additional Storage
Quota, orphaned files and uploads using service account with Google Drive API
Google Drive API ownership of files uploaded from service account
Google APPs managed "unlimited" account storage quota for service account
Can you please help?
As far as I know, Service Accounts currently cannot purchase additional storage so if you want more storage, you'll need to use a regular Google account instead. Aside from that, change of ownership of service account files is also not possible with Google Drive API.
The only possible option that I found, for now, is to transfer the ownership of the service account file to another account via the app script given in SO post - How to use a service account to transfer ownership of a google file.
After transferring of file ownership, to keep using your project, you can grant owner permission to your service account in the drive file that you need to access by sharing the document.
Solution given by Jalogar in SO post - Drive API access to document with service account might really help.
Is it possible for a super admin to take ownership of a file that is currently owned by an arbitrary user? If so, which end point can do this? I've spent time digging through the API documentation and I'm not coming up with a clear answer. Everything I've found is related to the 1st version of the API.
https://developers.google.com/drive/v2/reference/
yes its possible.
look at how to use oauth2 for "delegation of authority". https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
read the drive api docs on how to use delegation on their api.
look at the drive api that changes ownership. https://developers.google.com/drive/v2/reference/permissions/update
the key part is calling that api using the service account that is impersonating that user.
beware of rate quotas using this method. if you have many files to change, you need to take care the rate is not too fast (say one per second).
Yes, the current owner can transfer ownership of a file to another user.
https://developers.google.com/drive/v2/reference/permissions/update
transferOwnership boolean Whether changing a role to 'owner'
downgrades the current owners to writers. Does nothing if the
specified role is not 'owner'. (Default: false)
I have created a service account for use with the Google Drive API as outlined here:
https://developers.google.com/drive/delegation
After all the reading I've done, my impression is that this service account should act on behalf of the actual account which is part of the Google Apps for Business domain being used.
With that, I would expect that no special permissions would be needed to be dealt with when dealing with Google Drive folders. However, after authenticating and trying to list the contents of a folder, nothing is shown.
If I add the service account email address specifically to the "share" list for the folder, everything seems to work as intended. I can list the files in the folder using the API.
My question is, is this the way it's supposed to be or am I missing something that would allow the service account to access folders on behalf of the actual account without having to specifically add the service account email address to the share list?
Thank you for your time.
You need to impersonate the user with his/her email. Go through the steps explained on https://developers.google.com/drive/delegation and use the snippets below for further coding reference.
We have a google corporate account and need to transfer ALL of a user's google drive files to another account in certain instances. We want to do what is described at the following link for "all files" but programatically via the latest Drive API http://support.google.com/a/bin/answer.py?hl=en&answer=1247799
We are currently using the following API version(s) below, coupled with domain wide authority delegation as described at https://developers.google.com/drive/delegation and are able to see a user's files, iterate over them etc.
google-api-services-drive 1.14.2-beta
google-api-client 1.14.1-beta
My question is this: it appears that the only way to change permissions is by fileId by fileId etc. Instead of having to traverse and iterate over an entire set of user's files, if we just want to transfer ALL of a user's files to another particular user: is there a way in the API to do this (ownership transfer for ALL files) rather than individual requests file/by file?
Also when transferring ownershisp, must the transferee be in the same #domain or can it be another #domain we manage? I read somewhere that you can only transfer to owners in the same domain. Does this still hold true? For instance we manage #myCompany.com and have our corporate account registered under that, however that shell account has several sub-domains within it. We would like to transfer files from users in the sub-domains to a central user in the #myCompany domain.
You need to change permissions file by file, there is no updateAll type of functionality at the moment.
You cant transfer the ownership to another domain's user. Ownership can only be transferred to another user in the same domain as the current owner.
This answer doesn't directly answer your question, but it could be helpful for both you and future visitors.
As of now, you can mass transfer files to new users with Google's new Admin console. It doesn't let you filter for specific folders, but it does allow you to transfer all of one user's Drive files to a second user.
I know you were trying to create something which uses the API to iterate through folders and files, and you probably have a very specific use-case in mind. However, in the case where you have employees leaving, or you need to transfer everything, using the following method is fast and simple.
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
You can do this with a single call to the Data Transfer API
Exactly what is needed but only with API!
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
If this is not possible via API calls, then there is no point deleting a user using API.