How to update domainWideDelegation in "Service account details" of G-Suite Admin - google-apis-explorer

I want to enable domainWideDelegation of Service account details through api call.
I tried https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/patch
but it doesn't support domainWideDelegation parameter in payload.
Can anyone suggest, how to modify domainWideDelegation through api calls?
refer this image

Related

Connecting BigQuery from GAS with Request Headers without UrlFetchApp

I want to use "Http Request Headers" to connect to BigQuery without using UrlFetchApp.
I want to authenticate my service account with the BigQuery-specific library that AppsScript provides.
I want to rewrite this code to accept headers (without using UrlFetchApp)
    BigQuery.Jobs.query({
        query: " SOME QUERY; ",
        useLegacySql: false
    }, projectID);
This page has the specs, but I couldn't figure it out.
https://developers.google.com/apps-script/guides/services/advanced#how_method_signatures_are_determined
Unfortunately, that's not possible. Both the built-in and advanced services in Google Apps Script leverage user-specific account credentials. There is no way to modify those services to use a service account.
To use service accounts, you'll need to generate those credentials yourself (JSON Web Token keys) and use them to create access tokens to authorize your queries against the BigQuery API (via UrlFetchApp.fetch()).
However, Eric Koleda's OAuth2 library does support the two-legged OAuth flow required by service accounts and therefore removes the tedium of implementing it for yourself.
Here's a link to the documentation on how to set up a two-legged OAuth flow for service accounts using that library:
Using Service Accounts
That should be enough to get you moving in the right direction.
UrlFetchApp is used to issue HTTP and HTTPS request and response headers, so to connect BigQuery with GAS with request headers, UrlFetchApp has to be used using the UrlFetchApp.fetch method as mentioned in the documentation.
Moreover, for authenticating the service accounts, you can use OAuth2 for Apps Script, which uses access tokens for authorization. You can check the setup process in this link. For using OAuth2 with a service account, you need to create a service account and also need to create a JWT (JSON Web Token). You can request an access token from Google which can be used to make API calls. For more information, you can check this documentation.

How to make changes to a single user's google calendar using google apps script

I'm designing a google apps script that is linked to a bot that needs to add and delete events to a specific user's calendar. I need to find a way to do this without giving edit access to all people with access to the script. I was thinking of using the calendar api but that uses oauth2.0. Is there a way to use an api key instead? Another option I was considering was using a service account with domain-wide delegation, but I don't know if it's possible to do what I want with it. Any ideas would be helpful.
This is a little advanced, but feasible.
You need to use the Calendar API with a service account and domain-wide delegation and OAuth2. I have described the process in this story on Medium (make sure to read through all three examples), however the steps are pretty much as follows:
Create a service account
Download its JSON key
Enable domain-wide delegation
Impersonate a super-user
Create token with OAuth2
Send request to the Calendar API with Bearer token generated with OAuth2

Can email be deleted from your users' Gmail inboxes programmatically via API?

The "Find and delete malicious emails" page in the Google Workspace Admin Help Center states:
Using the investigation tool, you can identify all users in your domain that have received the message (for example, a phishing email). You can then use the investigation tool to delete the email from your users' Gmail inboxes (note that log data might take up to a few minutes before being available in the investigation tool).
From this, I understand that, assuming you have the right package, it is possible to use the investigation tool to delete the unwanted email from your users' Gmail inboxes.
Can I delete emails from my users' Gmail inboxes via Google App Script using the API? If so, how can I do that?
Currently it is not possible with the Investigation tool.
But there is already an existing feature request for exposing the Google Workspace Investigation Tool programmatically.
I recommend you to "star" it to show Google that more people are interested in this feature - hopefully this will accelerate the implementation.
UPDATE:
In the meantime you can use a workaround, e.g. using a service account with domain-wide delegation as suggested by #TheAddonDepot
It is possible via DwDg (domain-wide delegation).
You have to create a service account and delegate domain-wide authority to that service account with the appropriate scopes. There are no explicit instructions for the Gmail API but you can use this guide from the Admin Directory API documentation.
You then use the service account credentials with the GAS OAuth2 Library to make calls on behalf of your existing users to the Gmail API. Note that you can't use the built-in or advanced services for Gmail, you'll have to call out to the Gmail REST API directly via UrlFetchApp.
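The service-account flow the answers above rely on (sign a JWT with the downloaded key, name the user to impersonate, exchange it for an access token) looks like this when written out by hand. This is an added example in Node.js, not code from any of the posts; the key pair, e-mail addresses and function names are constructed for illustration.

```javascript
// Added example: JWT assertion for a service account with domain-wide delegation.
const nodeCrypto = require('crypto');
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const MAX_LIFETIME_S = 3600; // assertions may be valid for at most one hour

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Build and sign the assertion. `subject` is the user being impersonated.
function buildAssertion({ clientEmail, privateKeyPem, subject, scopes, now, lifetime = MAX_LIFETIME_S }) {
  if (!subject) throw new Error('subject (impersonated user) is required');
  if (!Array.isArray(scopes) || scopes.length === 0) throw new Error('no scopes requested');
  if (lifetime <= 0 || lifetime > MAX_LIFETIME_S) throw new Error('lifetime out of range');
  const claims = { iss: clientEmail, sub: subject, scope: scopes.join(' '),
                   aud: TOKEN_URL, iat: now, exp: now + lifetime };
  const signingInput = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) +
    '.' + b64url(JSON.stringify(claims));
  const signature = nodeCrypto.createSign('RSA-SHA256').update(signingInput).sign(privateKeyPem);
  return signingInput + '.' + b64url(signature);
}

// Form body POSTed to TOKEN_URL to exchange the assertion for an access token.
function tokenRequestBody(assertion) {
  const grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
  return new URLSearchParams({ grant_type, assertion }).toString();
}

// Check the signature and return the claims, as an auditor reviewing a token would.
function verifyAssertion(jwt, publicKeyPem) {
  const [header, payload, signature] = jwt.split('.');
  const valid = nodeCrypto.createVerify('RSA-SHA256').update(header + '.' + payload)
    .verify(publicKeyPem, Buffer.from(signature, 'base64'));
  return { valid, claims: JSON.parse(Buffer.from(payload, 'base64').toString('utf8')) };
}

// Constructed demo data: throwaway key pair, made-up addresses.
const demoKeys = nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const demoJwt = buildAssertion({
  clientEmail: 'bot@example-project.iam.gserviceaccount.com',
  privateKeyPem: demoKeys.privateKey,
  subject: 'user@example.com',
  scopes: ['https://www.googleapis.com/auth/calendar.events'],
  now: Math.floor(Date.now() / 1000),
});
console.log(verifyAssertion(demoJwt, demoKeys.publicKey));
```

The `sub` and `scope` claims only succeed if the Admin console delegation entry for the service account's client ID covers those scopes, so authorizing just the scopes the script requests limits what a leaked key can reach.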

Exceeded Request quota for this API error

We have already successfully configured the API Key but we keep getting the error "You have exceeded your request quota for this API." Do I need to enable the billing for this?
This is the link that has error
Upon checking the site, the error was related to having no billing account. To fix the issue, kindly create a billing account in your GCP Console and associate the billing account to your project where the API key you're currently using belongs. After associating a billing account, your map should be working fine.
In addition, please note that you can only call a single API request if you don't have a valid billing account associated to your project.

Can I use service account under reseller domain to create/manage users under resold domains?

As a Reseller, is it possible for me to leverage Service Account to call Reseller API and Directory API to create new domains and manage user accounts under them without requiring user interaction/login/consent?
The End-to-End tutorial for Reseller API (https://developers.google.com/admin-sdk/reseller/v1/codelab/end-to-end) suggests it is possible. I could create a service account under my Reseller domain. Using this service account, I can impersonate a super user admin under my Reseller domain and can achieve the above.
On the other hand, when I read through the article on Authorizing Requests (https://developers.google.com/admin-sdk/reseller/v1/how-tos/authorizing), it mentioned that "All requests to the Google Apps Reseller API must be authorized by an authenticated user", which seems to suggest that some form of consent is required. Further, it doesn't mention that service account is supported.
I tried to search for similar topics in the forum and I am seeing somewhat conflicting responses. The answers range from "yes, this works" to "service account not supported with Reseller API" or "API access must be manually enabled in each resold domain".
Thanks!