Deploy Appscript as Webapp from Google sheet Add-on - google-apps-script

I want to create a Google sheet add-on where the user can create an HTTPS endpoint in his sheet, that can act as a webhook for an external service. I can see it is possible to do this manually by launching app script code using the 'Deploy a script as a web app' option from the Script Editor
https://developers.google.com/apps-script/guides/web#deploy_a_script_as_a_web_app
Is it possible to automate this in app-script so that the user can configure this in the add-on UI only and in the background, app-script launches the endpoint and can return the endpoint URL to the user?

A Google sheets add-on is a single project shared across all users of the add-on. So, even if any user was allowed to use "Deploy as webapp" feature, Deploying it will create a single endpoint for all users of the addon and NOT a unique url endpoint for each user.

It might be possible but you'll likely need the user to grant your app access to restricted scopes, in which case your add-on will need to undergo a security assessment which will run you anywhere from $15,000.00 to $75,000.00.
You can try leveraging the Apps Script API to create a script project specific to the user and use that project to deploy a web app on their behalf. Not sure if it will work, but you can try playing with the following API endpoints:
https://developers.google.com/apps-script/api/reference/rest/v1/projects/create
https://developers.google.com/apps-script/api/reference/rest/v1/projects.deployments/create
https://developers.google.com/apps-script/api/reference/rest/v1/projects.deployments/update

Related

Apps Script (Google Sheet) not allowing me to Run Script

I have a fairly simple dataset in a Google Sheet. I created an AutoSort script. I saved it, and when I click "Run," I get the following errors. One from a pop-up, and another from the Execution Log.
Pop-up error:
Authorization required
This project requires your permission to access your data.
*For this error, there is a button to "Review Permissions" and I log in using my google account and then just nothing happens.
Execution Log error:
Warning This project requires access to your Google Account to run. Please try again and allow it this time.
The Owner of this Google Sheet is my personal Gmail account, and I am making these edits and created the script using my business Gmail Admin account. I also tried to access this sheet and run the script USING my personal Gmail account, and received the same error:
Google hasn’t verified this app
The app is requesting access to sensitive info in your Google Account. Until the developer ({mypersonalemail}#gmail.com) verifies this app with Google, you shouldn't use it.
Any insight as to how I can authorize this would be appreciated. It sounds like something small I'm missing.
Also, in my personal email I receive a message with subject:
Review edits to your Apps Script project within your document
and it allows me links to access the worksheet and the script, but I don't see any way to approve the edits, or anything like that.
Expected behavior: What I am expecting is for the script to Run, when I click "Run."
It's not a good idea to mix accounts from different domains, specially when using a free account and a Google Workspace account like you have done because that is the cause of the situation that you are facing.
My hypothesis is that the Google Cloud default project linked to the bounded script is created with the account used to create the project.
If you need that you personal account be the spreadsheet owner the best is to create the script using the personal account, and when needed, create a Google Cloud Standard project (GCSP) using the the personal account. You might try to fix the problem with your spreadsheet and the current Apps Script project by creating a GCSP, as was mentioned previously, by using the account that is the owner of the spreadsheet and linking it to the Apps Script project.
Note: If your script is using sensitive scopes you might have to set the OAuth Consent Screen publishing status to tes and add your Google Workspace account as tester.
Ref: Setting up your OAuth consent screen
Once you have finished the setup of your Google Apps Script project you should be able to use your Google Workspace account to update and run the Apps Script code but any new deployment and new version should be done using your personal account.
If you have access to Shared Drives and are allowed to use them for your spreasheet, consider to move it to a Shared Drive as this will make a lot easier to manage your script.

Authenticate in Sheets Add-on to App Using Google OAuth

I am creating a Sheets add-on that works with our app. Our app uses Google OAuth for authentication.
I have the add-on working with manually configured credentials, but obviously that's not a real life solution. Now I need to have the add-on user authenticate to our app within the add-on itself, so we know whose account to work with.
User has data in Sheets -> user uses add-on to authenticate to app -> add-on uses app's API to push/pull data between Sheets and app for that user
I have tried using our API's login URL to get the HTTPResponse from Google using fetch() and loading it into a sidebar, but aside from it being ugly, it doesn't give me the expected option of choosing the Google account I want, but rather logging in from scratch, and when I enter my Google account, it doesn't do anything other than continue giving me errors about the frame being sandboxed. The threads here and here don't seem to address the issues as they're talking about iframe within the app, whereas I'm trying to use the sidebar in Sheets itself.
The app and the add-on are using the same GCP Project ID.
I need to get the same BearerToken that the app uses to use in the add-on.

Google Script in Google Sheet - Make copy of sheet loses permissions

I have a google sheet that has a script embedded.
In the script > resources > cloud platform project, I have added and linked a project to this script to enable the APIs. This works great in the current Google Sheet.
Challenge:
When I make a copy of the Google Sheet the Cloud Platform assigned project is lost and it requires users to enable these permissions again.
Is there a way to prevent this from happening? Am I missing a setting?
What you're trying to do is not possible. Even if you try making a copy of a standalone script that has a GCP project associated, you will get the same functionality (no GCP project associated).
Also, it makes sense that each new user that runs the script has to explicitly authorize the APIs to make changes in their files, send emails on their behalf, or what have you. It's a basic step in the 3-legged OAuth 2.0 workflow, and it can only avoided if you use a Service Account.
So in your situation, I would just use Advanced Google services, even if each new user has to grant authorization. In the end, the appropriate advanced services are automatically enabled in your copied project; users don't need to enable them manually, only grant them authorization.
Reference:
https://developers.google.com/identity/protocols/OAuth2
https://support.google.com/a/answer/2538798?hl=en

How do I track down a Google Apps Script project from a Google Cloud project ID?

How do I track down which Google Apps Script project "Project-id-19735......6273" actually is?
I've tried pasting it into the Cloud Console URL (https://console.cloud.google.com/home/dashboard?project=Project-id-19735......6273) but that doesn't bring anything up. I think this technique is working for projects I own, but not ones shared with me.
This is further to the email notifications we’ve been getting about this updated OAuth on the GMail API and discussed further here.
Unless the owner of the GCP project explicitly grants your google account the appropriate permissions from the Cloud Console you won't be able to access the GCP project bound to an Apps Script project that's been shared with you.
The Apps Script project and GCP project are related but they are NOT one-and-the-same. The GCP project is more of a container and can actually reference multiple Apps Script projects. Each Apps Script project is basically a web app, with its own Client_ID and Client_Secret. That's why you can use ScriptApp.getOAuthToken(); authentication and authorization are handled internally (the GAS editor handles oauth scopes based on usage context or what you define in the manifest JSON).
I'm guessing here, but I suspect that the owner of the GCP project would have to navigate to the IAM (Identity & Access Management) page for the project and add you as a user with read/edit permissions.

Is there a way to build an Google Apps Script application that uses BigQuery Service as a service account instead as a user?

What I trying to do here is an application that connects to bigquery, executes some query and writes a spreadsheet in current user's Google Drive.
I know that I can change the "Execute app as" option when deploying the app. But when I do this, and the user try to use the app, Google asks for permission to access the BigQuery.
I do not want to give permission to each user to access BigQuery.
We have about 50 ~ 100 users who will use (and this number can increase)
Some images:
When access the application's url: http://i.imgur.com/kGzJ3ps.png.
When the user clicks in the "continue" button:
http://i.imgur.com/4cRmhZ6.png
Hope I've been clear.
You would probably need an App, that had people sign in with their Google account using oAuth2
Google Accounts Authentication and Authorization
I think that this link gives an overview of what your options are:
Permissions and Types of Scripts
I guess you would need to have an App, that ran as User at the keyboard, so that the spreadsheet saved to their Google Drive. If you wanted the user to be able to download a file to their computer drive, that's a little different.
Just use HTML Service. It's basically just building a website. You just don't have a domain name. But the spreadsheet you are distributing doesn't have a domain name.
HTML Service Google Documentation
From an Apps Script HTML Service, you can write to Spreadsheets, Documents, and run HTTP Requests (urlFetch).
URL Fetch Service
The permissions in the Apps Script App can be set to run the Apps Script file as yourself, with access to anyone, even anonymous. That way, the user will never be asked for permission for any files that you own. You will need to authorize it once, the first time any script that needs access to your files is run.
Because anyone could run your Apps Script App, you might want to have a log in system to authenticate users.
You would need to use the Big Query API with Apps Script urlFetch to access Big Query.
So, with the HTML Service, you can do most everything you could do with HTML, CSS, and Javascript on a regular website. You can create custom input forms, have different pages and display data in tables. Plus it's served over HTTPS.
One solution that you can use if you don't want all your users to enable BigQuery is to use a webapp deployed as a service running as "you" and that will respond to an urlFetch coming from each user through the script they run as "themselves".
This service will be deployed as any other webapp using a doGet main function and return its data using contentService
Yes, that is possible. Check out this answer here: Using Advanced Google Services with Service Account and also check this awesome library: https://github.com/googlesamples/apps-script-oauth2