Google Script in Google Sheet - Make copy of sheet loses permissions - google-apps-script

I have a google sheet that has a script embedded.
In the script > resources > cloud platform project, I have added and linked a project to this script to enable the APIs. This works great in the current Google Sheet.
Challenge:
When I make a copy of the Google Sheet the Cloud Platform assigned project is lost and it requires users to enable these permissions again.
Is there a way to prevent this from happening? Am I missing a setting?

What you're trying to do is not possible. Even if you try making a copy of a standalone script that has a GCP project associated, you will get the same functionality (no GCP project associated).
Also, it makes sense that each new user that runs the script has to explicitly authorize the APIs to make changes in their files, send emails on their behalf, or what have you. It's a basic step in the 3-legged OAuth 2.0 workflow, and it can only avoided if you use a Service Account.
So in your situation, I would just use Advanced Google services, even if each new user has to grant authorization. In the end, the appropriate advanced services are automatically enabled in your copied project; users don't need to enable them manually, only grant them authorization.
Reference:
https://developers.google.com/identity/protocols/OAuth2
https://support.google.com/a/answer/2538798?hl=en

Related

Apps Script (Google Sheet) not allowing me to Run Script

I have a fairly simple dataset in a Google Sheet. I created an AutoSort script. I saved it, and when I click "Run," I get the following errors. One from a pop-up, and another from the Execution Log.
Pop-up error:
Authorization required
This project requires your permission to access your data.
*For this error, there is a button to "Review Permissions" and I log in using my google account and then just nothing happens.
Execution Log error:
Warning This project requires access to your Google Account to run. Please try again and allow it this time.
The Owner of this Google Sheet is my personal Gmail account, and I am making these edits and created the script using my business Gmail Admin account. I also tried to access this sheet and run the script USING my personal Gmail account, and received the same error:
Google hasn’t verified this app
The app is requesting access to sensitive info in your Google Account. Until the developer ({mypersonalemail}#gmail.com) verifies this app with Google, you shouldn't use it.
Any insight as to how I can authorize this would be appreciated. It sounds like something small I'm missing.
Also, in my personal email I receive a message with subject:
Review edits to your Apps Script project within your document
and it allows me links to access the worksheet and the script, but I don't see any way to approve the edits, or anything like that.
Expected behavior: What I am expecting is for the script to Run, when I click "Run."
It's not a good idea to mix accounts from different domains, specially when using a free account and a Google Workspace account like you have done because that is the cause of the situation that you are facing.
My hypothesis is that the Google Cloud default project linked to the bounded script is created with the account used to create the project.
If you need that you personal account be the spreadsheet owner the best is to create the script using the personal account, and when needed, create a Google Cloud Standard project (GCSP) using the the personal account. You might try to fix the problem with your spreadsheet and the current Apps Script project by creating a GCSP, as was mentioned previously, by using the account that is the owner of the spreadsheet and linking it to the Apps Script project.
Note: If your script is using sensitive scopes you might have to set the OAuth Consent Screen publishing status to tes and add your Google Workspace account as tester.
Ref: Setting up your OAuth consent screen
Once you have finished the setup of your Google Apps Script project you should be able to use your Google Workspace account to update and run the Apps Script code but any new deployment and new version should be done using your personal account.
If you have access to Shared Drives and are allowed to use them for your spreasheet, consider to move it to a Shared Drive as this will make a lot easier to manage your script.

Unable to open Google xlsx spreadsheet / Also Google Drive permission Blocked

I have a Google Apps Script that I am currently using to successfully open a Google Sheets spreadsheet (read-only shared with my account) and perform some reading functions.
I received another spreadsheet that I would like to run similar processes on.
If I try:
SpreadsheetApp.openById("_______") (which works on the other sheet), I get Exception: Service Spreadsheets failed while accessing document with id _____" with this sheet. This spreadsheet is actually an xlsx on Google Drive (but appears it can still open in Google sheets) rather than a native Google sheet so I figured maybe that was the issue...?
So now I'm trying to instead access it as a Google Drive file using DriveApp.getFileById("____"). However now I get an authorization request to allow my script to access Google Drive. When I authorize it, I get:
This app is blocked
This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.
I haven't found a way to fix this. I'm on a private Google account, not using a company's Apps.
Any ideas?
Found a solution to the permission issue.
To work with Apps Script, I've modified this from #alper's solution which sources #tellowkrinkle's comment.
Do the following:
Go to https://console.developers.google.com and create a new project for yourself
Search for the Google Drive API in the search box at the top, and turn it on
Click OAuth consent screen on the left and set it up.
Assuming your account isn't part of an organization, you'll have to say your app is for external users and in testing
In the required scopes section, add .../auth/docs and .../auth/drive (I'm not sure which needed, it's probably only one of those). This will probably not be available if you didn't complete (2)
Add the accounts you want to use with your copy of gdrive as testers of your app. Only these accounts will be able to use your copy of gdrive, so everyone will have to compile their own (unless someone goes and gets theirs reviewed by Google). I only added my own account because I am the only one using my App Script which uses my Drive.
Click the 3 dots on the top right and select "Project settings". Make note of the "Project number".
Go to your Apps Script. Go to Resources > Cloud Platform project. Insert the project number from (4).
Next time you try to run your Apps Script, you'll be asked to Authorize but this time you'll have the chance to actually do it successfully.

Publish as a private add-on to avoid granting permission on copies of gsheets

I have a similar question to both of the questions below. I have a script bound to a google sheets, and I use this sheet as template. However I'm looking for an option to not have to grant permission each time I copy the file.
From reading the answers in the questions below, I understand I have to publish a standalone script as an add-on.
However, reading this answer, I see that I need to create a Cloud Platform Dashboard and all bunch of stuff which looks pretty messy to me, such as google reviewing process. Again, it is only for personal use...
Is there a way I can privately publish it as an add-on, without having to go through all the process?
Thank you
What is the best way to create Container-bound Scripts that can be cloned?
Grant permissions on open for first time for a bound script in Google Sheets
If you don't want spreadsheet hook triggers like onEdit or button or anything else, You can use a standalone script.
A standalone script can be written, which loops through your spreadsheets doing what's needed based on a time trigger.
Adding to the already existing answer
Publishing a private add-on does not require going through the Google Review process, especially since it is for personal use only.
Therefore, the situations below do not require verification:
If you want to deploy the add-on solely for internal use which means that the add on will be used only by people in your Google Workspace or Cloud Identity organization.
If you want to use the add-on domain wide which means that the add on will be used only by Google Workspace enterprise users within the domain.
For the whole list of exceptions from the verification process, you can check this here.
Reference
OAuth API verification FAQs.

How do I track down a Google Apps Script project from a Google Cloud project ID?

How do I track down which Google Apps Script project "Project-id-19735......6273" actually is?
I've tried pasting it into the Cloud Console URL (https://console.cloud.google.com/home/dashboard?project=Project-id-19735......6273) but that doesn't bring anything up. I think this technique is working for projects I own, but not ones shared with me.
This is further to the email notifications we’ve been getting about this updated OAuth on the GMail API and discussed further here.
Unless the owner of the GCP project explicitly grants your google account the appropriate permissions from the Cloud Console you won't be able to access the GCP project bound to an Apps Script project that's been shared with you.
The Apps Script project and GCP project are related but they are NOT one-and-the-same. The GCP project is more of a container and can actually reference multiple Apps Script projects. Each Apps Script project is basically a web app, with its own Client_ID and Client_Secret. That's why you can use ScriptApp.getOAuthToken(); authentication and authorization are handled internally (the GAS editor handles oauth scopes based on usage context or what you define in the manifest JSON).
I'm guessing here, but I suspect that the owner of the GCP project would have to navigate to the IAM (Identity & Access Management) page for the project and add you as a user with read/edit permissions.

Maintaining enabled APIs in Container-bound Script for a Google Sheet Template

I have a Google sheet with a Container-bound Script that makes Google Classroom API calls. I have added the spreadsheet now as a template for all teachers in my organization to copy the sheet and use it for themselves.
However, when teachers copy from the template, a new project is created in Google Console with no enabled APIs for that new project. They would have to go into the developer console and enable Classroom API for it to work....
No! This is way too much of a hassle for my fellow teachers! There has to be a better way. What am I doing wrong? How can my script keep the API calls enabled for all copies of the spreadsheet? Do I need to publish my script in a particular way or set up my project in a particular way? Whats the right approach here, guys?
This error when using the script in a copied spreadsheet. But of course, works fine in the original template file.
Google Classroom API has not been used in project project-id-xxxxxxxxxxxxxxx before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/classroom.googleapis.com/overview?project=project-id-xxxxxxxxxxxxxxxx then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
You should publish your script as Sheets Add-on: https://developers.google.com/apps-script/add-ons/
This gives you next benefits:
when spreadsheet (with enabled add-on) is copied, there's no need to manually enable APIs, they are stay enabled;
when you update code of your add-on, it is automatically updated for all spreadsheets where it was enabled, so you don't have to copy your changes manually.