I'm seeing a large number of GCP projects being created by serviceAccount:appsdev-apps-dev-script-auth@system.gserviceaccount.com, following invocation of Apps Scripts.
I'd like to control or block such project creation.
What are the right ways to accomplish that?
That's not possible. Quoting the GCP Projects documentation:
By default GCP projects have an Identity and Access Management (IAM)
policy with one entry, a Google service account that acts as the owner
of the default project. The Google service account is
appsdev-apps-dev-script-auth@system.gserviceaccount.com.
Also:
Every Apps Script project uses the Google Cloud Platform to manage
authorization, Advanced services, and other details. To configure and
manage these settings, every Apps Script project has an associated
Google Cloud Platform project (a GCP project).
You can use a default GCP project or a standard project created by you, but the Apps Script project does need a GCP Project.
Moreover, since April 8, 2019 it's not possible to access the default GCP projects created for Apps Script projects unless they are older.
I have an app script linked to a spreadsheet that has a few functions to automate some processes for users. I recently updated the project to be linked to a standard GCP project I created so I could create OAuth credentials for an unrelated process in this script. However, now when users go to run the functions, they get a 403. Is there a place in the GCP console where I can give them access? I am not using any OAuth credentials for these functions. Just the standard app script interactions with the Google Sheet.
I think when you move to GCP you are required to use OAuth and they have to enter their credentials again. Found in the docs.
You have to configure the OAuth Consent Screen, as is explained in the official docs about linking a Google Apps Script project to a standard Google Cloud Project --> https://developers.google.com/apps-script/guides/cloud-platform-projects
I noticed that the GCP projects created by default when creating a new script are not deleted from the GCP Console when the app script files are placed in the Drive recycle bin.
Have you ever encountered this problem?
As I develop many scripts, I reach the quota limit ...
On the other hand, I wanted to do a manual cleanup but I cannot find the gcp project ID in the applications script file. Do you know a solution?
After looking at some documentation I found the following solution:
Copy the App Script folder id on Google cloud resource manager
Open the Cloud Shell using the top right terminal icon.
Then list all the projects under your App Script folder
gcloud projects list --filter='parent.id=APPS_SCRIPT_FOLDER_ID'
Then delete all projects one by one
gcloud projects delete PROJECT_ID
Now you can delete the App Script folder in Google cloud resource manager.
Be sure you have the Organization Administrator, Folder Admin, and Project Deleter roles under IAM > permissions of the main project.
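The list-then-delete steps above can be turned into a reviewable plan before anything is removed. This is an added example, not part of the original answer: the function names list_folder_projects and plan_deletions and the keep-list argument are hypothetical, and only the gcloud commands shown in the answer (plus the --format and --quiet flags) are used.

```sh
#!/bin/sh
# Added example (not from the original answer): dry-run planner for cleaning up
# projects under the Apps Script folder. Function names are hypothetical.

# Print the IDs of all projects whose parent is the given folder.
# Needs gcloud plus list permission on that folder.
list_folder_projects() {
  gcloud projects list --filter="parent.id=$1" --format='value(projectId)'
}

# Read candidate project IDs on stdin; arguments are project IDs to keep.
# Prints one delete command per remaining ID and executes nothing.
plan_deletions() {
  keep=" $* "
  while IFS= read -r id; do
    # Project IDs are 6-30 chars: lowercase letter first, then lowercase
    # letters, digits or hyphens, not ending in a hyphen.
    if ! printf '%s\n' "$id" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'; then
      echo "skip (not a project ID): $id" >&2
      continue
    fi
    case "$keep" in
      *" $id "*) echo "skip (keep-list): $id" >&2; continue ;;
    esac
    echo "gcloud projects delete $id --quiet"
  done
}

# Only contacts GCP when a folder ID is supplied, for example:
#   APPS_SCRIPT_FOLDER_ID=<folder id> sh plan.sh my-standard-project > plan.txt
if [ -n "${APPS_SCRIPT_FOLDER_ID:-}" ]; then
  list_folder_projects "$APPS_SCRIPT_FOLDER_ID" | plan_deletions "$@"
fi
```

Review the generated plan file first, then run it with sh once every listed project is confirmed to belong to a script that is no longer needed.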
According to the official documentation:
When a new Apps Script project is created, a default GCP project is
also created behind the scenes. This GCP project is hidden, meaning
most users aren't able to directly locate, view, or update the project
in the Google Cloud Platform Console. However, admins and domain users
that have the resourcemanager.projects.list permission on the
parenting GCP folder are able to view and configure default projects.
My interpretation of this is that you can't locate, view or update the GCP project unless you have the resourcemanager.projects.list permission on the parenting GCP folder.
The solution would be to contact the administrator to further help you on this issue.
Here you may find the list of GCP projects that you have access to modify, delete or view:
https://console.cloud.google.com/cloud-resource-manager
Since you don't have access to the organization directory which contains your GCP projects, you might be seeing this message:
Related article:
Google Cloud Console Quotas You don't have permissions to perform the action on the selected resource
Two strange things happen on my end:
1 - As administrator of my organization, I can see in the GCP admin console the resources folder managed by Apps Script named "system-gsuite\apps-script". But according to the official Apps Script guide I should not:
2 - This folder contains many Apps Script projects, even Apps Script files that have already been deleted?! The official documentation says that they should be removed, but this is not my case ...
My team is trying to apply modern software engineering techniques in developing an editor add-on for Google Spreadsheet.
With clasp, typescript, jest, git, GCP and CircleCI we were able to achieve:
local development with our preferred source code management;
unit testing/tdd on our domain rules;
manage add-on versions by clasp;
observability with Stackdriver on GCP;
with CircleCI, we create a pipeline that executes unit-tests, makes clasp push and versions the add-on with the commit hash as a description.
In addition, through Google Marketplace SDK, the add-on has been distributed privately in our domain, therefore it doesn't need Google approval.
The point is: we're looking for a way to add a step in our pipeline to, programmatically, update and manage our published add-on.
e.g.: after the generation of a new version with clasp, how to put it in the App Configuration on GCP?
In the documentation there are only manual steps.
Thank you all =)
At some time in the future, it may be possible to use the:
G Suite Add-ons Cloud API
to automatically "deploy" an add-on.
https://developers.google.com/gsuite/add-ons/guides/alternate-runtimes-overview
But I'm not sure what a "deployment" includes.
I'm not sure if there is a way to do this through the Google Cloud Deployment Manager:
https://cloud.google.com/sdk/gcloud/reference/deployment-manager
https://cloud.google.com/deployment-manager/docs
I don't see a gcloud command category for the G Suite Marketplace.
The G Suite Marketplace SDK is solely a Web Based UI tool. And even though there is a G Suite Marketplace API, it has no capability to create or update an editor add-on listing.
https://developers.google.com/gsuite/marketplace/reference/rest?hl=en_US
There are aspects of the Cloud Project that the editor add-on is attached to, that can be programmatically managed through gcloud commands, using the G Cloud Projects tool. For example, you can set and update whether a user has permission to do certain things with the Cloud Project. But all of those things are in a different category than publishing a G Suite Marketplace editor add-on.
https://cloud.google.com/sdk/gcloud/reference/projects
The Cloud Project that the G Suite Marketplace SDK is associated with doesn't directly control the G Suite Marketplace SDK.
I would look at the Google Cloud Deployment Manager to see if there is a way to do this. Other than the Google Cloud Deployment Manager, I haven't discovered any other leads that look hopeful.
I'm updating an app on G Suite Marketplace SDK. It used to work by just changing the script version at the "App Configuration" Tab, and click Save.
Now it posted a warning at the top of the page saying:
Your account does not belong to the same domain as this cloud project or app
and the Save button is grey and not clickable.
What is the issue and where should I go to check and verify the domains?
Terms:
GCP - Google Cloud Platform
Apps Script project - Your Apps Script file
Your Google Cloud Platform (GCP) project that is associated with your Apps Script project is in a default category of "No organization." That's the problem.
If you already have an organization set up in your GCP, then skip down to the "Migrate your Cloud Platform Project" section below.
If you have not created an organization in your Cloud Platform project, then you need to do that. After creating an organization, you must migrate the Cloud Platform project for your add-on in "No organization" to your Organization.
Your organization is your "company."
Your Google Workspace account (formerly G Suite) can only have one Organization provisioned with it. You probably have Cloud Platform projects that were automatically put under the "No organization" category. If you already have an Organization in your Cloud Platform project, then you won't see an option to create another one.
Create an organization in Cloud Platform Project
Migrate your Cloud Platform Project:
Open the Cloud Platform Project for your add-on
Open IAM & Admin
Click Settings
Click the Migrate link
Choose the organization to migrate to
Click the button:
Wait for confirmation that the migration happened
I migrated a Cloud Project for an add-on without any problem. You can also change ownership of a Cloud Project from one Google account to another Google account.
My assumption is, that the Cloud Project isn't affected by migrating it because it's basically running independently from whatever account or organization it's associated with.
The only way to know that for sure is if someone from Google provided an answer, but the only way to get support for Cloud Projects is to buy a support plan, and the least expensive one is $100 dollars a month per user.
Google Cloud Project support plans
Technically, Apps Script is not supported by Google, and there is no Google contact person to get answers from.
With the Google Workspace Marketplace SDK, you must associate an Apps Script project with the Cloud Platform project. If you changed ownership of the Apps Script file that the Google Workspace Marketplace SDK was associated with, then there would likely be a problem.
You'd need to make sure that whoever owned the Cloud Platform Project also owned the Apps Script file. If the Apps Script file was deleted, then that would kill the add-on.
I ran into this issue and I'll share what I did, which is a bit different from the previous answer.
I have a Gmail account that manages the Apps Script and also have a Workspace domain. The first time I published the app, I moved the GCP project created in my Gmail account to the GCP Organization of my domain. Previously it never generated a problem, but today I have the error message
Your account does not belong to the same domain as this cloud project or app
What I did:
On the Workspace domain, with the super admin account that has the GCP Organizational Owner role, I added my Gmail account as Organization manager
Organization Role Administrator
=> It does not work.
So I finally added my domain account as owner of project and it works.
It seems something changed in the Marketplace Workspace SDK management, and if a project belongs to an organization, you can now no longer modify a Marketplace item with a Gmail account.
I want to create multiple copies of Google script files using the same advanced services, and I must also enable the API in the Google developers console.
When I save as a new copy, the API in the Google developers console for the copy doesn't auto-enable.
Because I need a lot of copies, I can't enable the API manually for all of them.
I also tried creating a script as a library to access advanced services and enabling the API for it. Then other scripts call the library function. But when I run them, every script shows a message that I need to enable the services and API itself.
Is there any solution for this?
You cannot enable APIs for a Google Apps Script project programmatically. When you create a copy of a Google Apps Script project, a new Google Cloud platform project is created.
Even if the advanced Google service settings are copied when making a file copy, the APIs in the new Cloud Platform project must be manually enabled.
This is no longer the case with "default" GCP projects.
When you enable an advanced service for your script project in the Apps Script editor, it is automatically enabled in the default GCP project when the script project is saved.
Contrasting with "Standard" GCP project:
When you enable an advanced service in a script project, you must manually enable the corresponding API in the standard GCP project.
However in both cases, the advanced service needs to be enabled.