I wrote a script that uses a service account and OAuth2 for Apps Script to disable auto-forwarding and enable IMAP on a domain user's Gmail settings. The script works.
However, when I change the user's password, it stops working and gives me response code 401.
Another question suggested that I re-authorize the scripts: "Reauthorize permissions to Google apps script after password change"
How do you manually re-authorize the script?
I see the user's "access_token" for the Gmail API in the Script properties but not sure how to change it.
Normally a service account is independent of the user changing their password. This has always been one of the key points of service accounts and OAuth2: even if the user changes their password, you will still have access.
However, this no longer works for some of the Google APIs. Gmail is one of them: if the user changes their password, then the access token and the OAuth2 refresh token will no longer work until the user reauthenticates the application.
I have a couple of super-simple projects, each one is just one file a few lines long (so my guess, if yours is more complicated, is you should probably open whichever file gets executed on triggers or whatever).
Anyway after I changed the password on my Google account those scripts kept failing. What worked for me was:
1. Go to the Google Apps Script homepage.
2. For whatever projects are failing, open the project and then open the main/only source code file (depends on if your scripts are more complicated than mine).
3. In the editor, just click Run at the top. That should trigger an OAuth request saying it needs permissions for your account blah blah blah. Obviously, give it access.
4. Either sit back with beverage of choice (if it works now) or bash head against keyboard (if it didn't fix it).
I have no idea if you'd have to run other script files in the editor, but can't hurt, right? Unless your script is designed to hurt.
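For the stored "access_token" the question mentions, an added example (not code from any of the posts above) that discards the cached token and retries once when the Gmail API answers 401. It assumes `service` is an OAuth2 for Apps Script service object configured elsewhere for one mailbox; the function names and the `fetcher` parameter are hypothetical.

```javascript
// Added example, not code from the posts above. `service` is assumed to be an
// OAuth2 for Apps Script service built elsewhere for one mailbox; `fetcher`
// defaults to UrlFetchApp and is a parameter so the logic can be tested.
function fetchWithTokenReset(service, url, options, fetcher) {
  fetcher = fetcher || UrlFetchApp;
  options = options || {};
  for (var attempt = 1; attempt <= 2; attempt++) {
    // For a service-account service, hasAccess() requests a new token
    // when none is stored.
    if (!service.hasAccess()) {
      throw new Error('Token request failed: ' + service.getLastError());
    }
    var headers = Object.assign({}, options.headers, {
      Authorization: 'Bearer ' + service.getAccessToken()
    });
    var params = Object.assign({}, options, {
      headers: headers,
      muteHttpExceptions: true // read the status code instead of throwing
    });
    var response = fetcher.fetch(url, params);
    if (response.getResponseCode() !== 401) return response;
    service.reset(); // delete the cached token from the property store
  }
  throw new Error('Still 401 after discarding the cached token: ' + url);
}

// The two settings changes from the question, each with one retry on 401.
function applyMailboxPolicy(service, userEmail, fetcher) {
  var base = 'https://gmail.googleapis.com/gmail/v1/users/' +
      encodeURIComponent(userEmail) + '/settings/';
  var changes = { imap: { enabled: true }, autoForwarding: { enabled: false } };
  return Object.keys(changes).map(function (name) {
    var response = fetchWithTokenReset(service, base + name, {
      method: 'put',
      contentType: 'application/json',
      payload: JSON.stringify(changes[name])
    }, fetcher);
    return { setting: name, status: response.getResponseCode() };
  });
}
```

A second 401 after the reset means the newly issued token was rejected as well, so the failure is not caused by the cached value in Script properties.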
I have a fairly simple dataset in a Google Sheet. I created an AutoSort script. I saved it, and when I click "Run," I get the following errors. One from a pop-up, and another from the Execution Log.
Pop-up error:
Authorization required
This project requires your permission to access your data.
*For this error, there is a button to "Review Permissions" and I log in using my Google account and then just nothing happens.
Execution Log error:
Warning This project requires access to your Google Account to run. Please try again and allow it this time.
The Owner of this Google Sheet is my personal Gmail account, and I am making these edits and created the script using my business Gmail Admin account. I also tried to access this sheet and run the script USING my personal Gmail account, and received the same error:
Google hasn’t verified this app
The app is requesting access to sensitive info in your Google Account. Until the developer ({mypersonalemail}#gmail.com) verifies this app with Google, you shouldn't use it.
Any insight as to how I can authorize this would be appreciated. It sounds like something small I'm missing.
Also, in my personal email I receive a message with subject:
Review edits to your Apps Script project within your document
and it allows me links to access the worksheet and the script, but I don't see any way to approve the edits, or anything like that.
Expected behavior: What I am expecting is for the script to Run, when I click "Run."
It's not a good idea to mix accounts from different domains, especially when using a free account and a Google Workspace account like you have done, because that is the cause of the situation that you are facing.
My hypothesis is that the Google Cloud default project linked to the bounded script is created with the account used to create the project.
If you need your personal account to be the spreadsheet owner, the best option is to create the script using the personal account and, when needed, create a Google Cloud Standard project (GCSP) using the personal account. You might try to fix the problem with your spreadsheet and the current Apps Script project by creating a GCSP, as was mentioned previously, by using the account that is the owner of the spreadsheet and linking it to the Apps Script project.
Note: If your script is using sensitive scopes, you might have to set the OAuth Consent Screen publishing status to testing and add your Google Workspace account as a tester.
Ref: Setting up your OAuth consent screen
Once you have finished the setup of your Google Apps Script project, you should be able to use your Google Workspace account to update and run the Apps Script code, but any new deployment and new version should be done using your personal account.
If you have access to Shared Drives and are allowed to use them for your spreadsheet, consider moving it to a Shared Drive, as this will make it a lot easier to manage your script.
Our organization uses Google Apps for Work. We have a Google Sheet "form" for employees/users to complete. After entering information, users are expected to use email as attachment/PDF. Finally, users click a "button" near the bottom of the sheet that triggers a script to clear user data. The first time a user clicks the button, an "Authorization Required" prompt appears, informing the user "the application" (script) "needs authorization to run." If approved, the prompt goes on to request View and manage your spreadsheets in Google Drive permissions for the script.
Is it possible to digitally sign or otherwise pre-approve a Google Apps Script for all users in a Google Apps organization so this prompt doesn't appear? We can/will include instructions for users, to head off questions / allay fear, but many of our users will either ignore or not understand the instructions and be perplexed.
I'm open to (and exploring) other options for tackling this (Google Forms/Sheets?), but prefer to stay in the (native) Google Apps environment as much as possible.
I couldn't find this question elsewhere and as best as I can tell, it isn't answered in Google Apps Script documentation.
I have found no way to pre-approve an organization/group/individual without manually doing it for each account.
You CAN deploy the script using a service account and have it run as that account. Then you are authorizing that account and the end user's accounts do not come into play. The drawback is that if you want the emails to go out using the end user's email, it won't happen. Plus the sending of the email would have to be from code in the app. That means all emails would go out using the service account's email address. (Although I am now wondering if it is possible to initiate the email without sending it. Basically pop it up as if a mailto link was clicked.)
You also will not be able to get the end user's name, etc. If these items are not important, or you can trust them to fill out their name where it may be needed (you could change the From name to what they key in) then running as the service account may work for you.
Karl
I made a Google script in a spreadsheet that responds on form submit. It modifies the files, makes a PDF and emails that PDF to specific people. This was made for someone else and then I transferred ownership. However, the edits to those files and the emails sent still appear under my email. How do I completely transfer the folders and everything in them to a different user on the same domain so that they are the ones sending emails and modifying files?
You need to go into the script and add a function that calls ScriptApp.invalidateAuth (https://developers.google.com/apps-script/reference/script/script-app#invalidateAuth()), then call any function like doGet using the new account to reauthenticate.
How do I completely transfer the folders and everything in them to a different user on the same domain
When you transferred ownership of your files & folders, everything in them did get transferred.
... so that they are the ones sending emails and modifying files?
However, the TRIGGERS that you had set up previously belong to your account, not to the associated scripts.
You have a couple of options for stopping those triggers from running as you.
Disable specific installable triggers.
If you still have access to the offending script, open it in script editor, go to resources > Current project's triggers, and disable the triggers. Done.
If you don't have access to the script anymore, open the script editor on any of your scripts, go to resources > All your triggers, and disable the triggers if you can identify them. This can be challenging if you use the same names for trigger functions in multiple scripts, as there is no indication here of which script they came from.
De-authorize the offending script.
As Zig's answer describes, if you still have access to the offending script, you can add a function to revoke authorization, and run it from your account.
Alternatively, you can see all scripts that you have authorized, and revoke access directly. Go to your Account Settings page, and select "View all" under Connected apps and services, or use this link.
Select the offending script, then click "Revoke access". Done!
To get the script running under the new owner's account, you need to repeat whatever steps set it up for you, including authorization from their account.
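The handover described in the answers above, as an added example that is not part of the original posts: the previous owner runs `releaseProject` to delete their installable triggers and revoke their authorization, and the new owner runs `adoptProject` to recreate the form-submit trigger under their own account. Both function names, the handler name passed in, and the `scriptApp`/`spreadsheet` parameters are hypothetical.

```javascript
// Added example. `scriptApp` defaults to the Apps Script ScriptApp service;
// it is a parameter only so the logic can be exercised outside Apps Script.

// Run by the PREVIOUS owner from the script editor.
function releaseProject(scriptApp) {
  scriptApp = scriptApp || ScriptApp;
  // getProjectTriggers() returns the installable triggers that the
  // current user owns in this project.
  var removed = scriptApp.getProjectTriggers().map(function (trigger) {
    var info = {
      handler: trigger.getHandlerFunction(),
      event: String(trigger.getEventType())
    };
    scriptApp.deleteTrigger(trigger);
    return info;
  });
  // Revoke this user's authorization last; deleting triggers needs it.
  scriptApp.invalidateAuth();
  return removed; // hand this list to the new owner
}

// Run by the NEW owner from the script editor; the first run shows the
// authorization prompt for their account.
function adoptProject(handlerName, scriptApp, spreadsheet) {
  scriptApp = scriptApp || ScriptApp;
  // Skip creation if this user already has a trigger for the handler,
  // otherwise every form submission would be processed twice.
  var exists = scriptApp.getProjectTriggers().some(function (trigger) {
    return trigger.getHandlerFunction() === handlerName;
  });
  if (exists) return false;
  scriptApp.newTrigger(handlerName)
    .forSpreadsheet(spreadsheet || SpreadsheetApp.getActive())
    .onFormSubmit()
    .create();
  return true;
}
```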
Is there a way to delay the Authorization Dialog in a stand alone Google Apps Script?
I have a public script that needs to be granted several permissions from the active Google user. I want to tell the user how the script works before asking for all those permissions.
It is not obvious why I need access to all the services, so this dialog looks scary:
https://developers.google.com/apps-script/scripts_google_accounts#grantingAccess
My script is a "web app" with the UI Service so the first thing to be displayed comes from doGet(), but the permission dialog opens first. Isn't there a way to delay the dialog until the permission is actually needed?
One possible way would be to call the script from a dedicated website I suppose, but that's not simple.
One workaround is to have two web apps:
The first is an 'intro' web app that runs using your account, so it doesn't prompt the user.
Then, you redirect them to a second web app that runs using their account, which will prompt them.
In my organization, I created an internal site with a script, callable from different pages inside, that reads/writes data from various spreadsheets and sends mail.
For testing, I shared the site and documents with my colleague, but he can't run the scripts because a page appears requesting permission:
"... This script is Requesting permission to do potentially harmful operations. Only authorize the script if you truly trust the author!"
If my colleague clicks on "authorize", nothing happens.
I gave my colleague the link to the script (not the page that embeds the script); after clicking on "authorize" he received a long email from Google explaining that he had authorized the execution of the script, but it still does not work.
The only way to allow execution of the script is to run the script directly from the editor to grant permissions.
I can't do it for other colleagues!!!
I'm really unhappy about this. I worked a lot on the script but now I realize that I can't do it for my colleagues because of another big Google bug.
I have a script that also uses the spreadsheet and mail services and I don't have any difficulties with authorizations... (after the red screen is approved, users have full access to the app).
Are you sure there is not something else that could prevent your script from working with other users? A document that is not shared, or a call to an external API, or whatever? All I can say is that the current procedure is far more convenient than it used to be a few months ago and that I see no bug in that just now...
In my experience with scripts in spreadsheets, new users have to run the script, authorize it, and run it again.