Is there a way I can remove data from a Service account created for a Project for Drive API since this is hitting the storage limit. Can I transfer the data to another non service account, Or can I substitute this service account for another? so I can keep using my project or shall I create a new project and integrate it with a new Service account?
Possible solutions seem are described on these other questions, but I´m not sure yet about the solution.
Google Drive Service Accounts Additional Storage
Quota, orphaned files and uploads using service account with Google Drive API
Google Drive API ownership of files uploaded from service account
Google APPs managed "unlimited" account storage quota for service account
Can you please help?
As far as I know, Service Accounts currently cannot purchase additional storage so if you want more storage, you'll need to use a regular Google account instead. Aside from that, change of ownership of service account files is also not possible with Google Drive API.
The only possible option that I found, for now, is to transfer the ownership of the service account file to another account via the app script given in SO post - How to use a service account to transfer ownership of a google file.
After transferring of file ownership, to keep using your project, you can grant owner permission to your service account in the drive file that you need to access by sharing the document.
Solution given by Jalogar in SO post - Drive API access to document with service account might really help.
Related
We have Google Drive account and using Google Console we created Service Admin Account which has access to folders in our Drive. Our Drive storage went out of space so application which was sending new files to Google Drive started to fail with error in the title.
We have added 100GB new storage(on Drive via Google One) but application still fails and responds with this error message.
As far as I investigated Service Accounts only have limited space so this account still has no space left even though my real account has 100GB more.
I tried to transfer ownership of folder in Drive to Service Account but I couldnt because I need to accept that and I cannot log into Service Account.
This project is old and uses google-api-php-client to connect to Drive and do other stuff.
Any help is appreciated!
EDIT: Hitting https://www.googleapis.com/drive/v2/about endpoint with same credentials as Service Account used to send files to Drive gives me this information about quota.
"quotaBytesTotal": "107374182400",
"quotaBytesUsed": "84631990",
"quotaBytesUsedInTrash": "1573901",
Which is not logical to me because there is actually free space to be used.
I have a potential idea on the issue and clarification about the scenario. Based on the fact that you do not have a Google Workspace account to work with the Service account, you could be affected by the recent workflow changes on how the transfer of ownership of files between Google Accounts.
Important notes:
Service accounts are basically Google Accounts with their own default Drive Storage, 15 GB as any free Gmail account.
You cannot increase the storage for the Service accounts.
If you are sending the files to a Personal account, and the new workflow could be blocking it or delaying the process. Which could explain the error of space, it is not the personal account with the extra 100 gb, it is the Service account, because the file never changes the ownership.
There is an Feature request that you can send also the feedback, and a similar scenario as yours has been shared by other people.
The Google Drive API, has updated some of the process but they mostly applied to Google Workspace account, you can review it here.
We use the Drive API in a few scripts to get info on all our Shared Drives. Using the “useDomainAdminAccess” parameter in the drives list/get methods, we can get just about all drive details without adding the script account as owner on the target drives. One detail we cannot get using this method is total drive size. It appears there is no native property for drive size when querying details at the drive level. We can get a size param when querying individual files (but we must add the script account as an owner on the drive).
In summary, to get drive size we must add the script account as an owner on the drive. Then iterate through all files within the drive, getting the size param for each and adding it to a global variable which we return as total drive size at the end of the iteration. After this we remove the script account from the drive. This, of course, seems very inefficient for getting a single property. Do we know if Google plans to include a size param within the drives.list/drives.get api, or add the “useDomainAdminAccess” param to the files.list/files.get api or maybe there is another Google API that can provide this detail with less effort (reporting / gws admin api)? Thanks
https://developers.google.com/drive/api/v3/reference/drives/list
https://developers.google.com/drive/api/v3/reference/files/list
You may benefit from filing a feature request on Google's Issue Tracker and provide all the necessary details there.
I suggest you fill in this template here.
As for an alternative for your current workaround, I suggest you take a look at service accounts and domain-wide delegation in order to impersonate the owner of the drive and perform the request on their behalf.
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
Reference
Service Accounts;
Drive API Perform Google Workspace Domain-Wide Delegation of Authority.
Th company I work for recently switched to using Team Drive and we had multiple applications that would interact with Google Drive using the Google Drive API. The API calls would be authorized using Google Service Accounts and access to specific files would be given to an app by sharing the file with the Service Account email in the same way you would share a file with a normal user. Now that we've switched to Team Drive I'm unable to grant access to the Service Account as the email address associated with it is not considered part of our organization. I've also looked into adding the Service Account as a normal user in our organization through the Google Admin dashboard, but it only allows me to create new users, not include existing ones. The only solution I've found is to enable sharing with external parties which would allow me to share Team Drive files with the Service Account, which would be considered an external party. This solution is risky and incorrect as the applications using the Service Account are part of our organization. We also do not want enable sharing with external parties in general for security reasons.
I've followed the steps described in How to access Team Drive using service account with Google Drive .NET API v3 and they work, but as mentioned above they require sharing with external parties to be enabled which we do not want.
The ideal solution would be for the Service Account to be considered part of our organization, but I cannot find a way to do this.
I've also tried delegating Domain-Wide Authority to the Service Account as described in https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority, but as far as I understand this is not what I want as this will allow the Service Account to impersonate other users, but the reason we have a Service Account is for carrying out processes that happen automatically and which aren't associated with a specific user.
I've also followed the steps outlined here https://developers.google.com/admin-sdk/reports/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account for white-listing a specific API service through the Google Admin Security interface, but this doesn't seem to do anything, and I'm not sure what it is supposed to do as I have already enabled the Drive API for this Service Account in the APIs & Services dashboard where I originally created the Service Account.
We're using R and so I've been using the googledrive package which has functions for working with Team Drives like:
googledrive::drive_find()
googledrive::team_drive_find()
googledrive::team_drive_get(id = "team-drive-id")
I would expect to be able to see the team drive, but I guess this is not possible unless the Service Account email is a member of the Team Drive which is not possible because the Service Account (which is linked to our organization through its owner) is not considered part of our organization.
I had the exact same issue and after trying a lot of approaches, landed on the solution below (++):
Create a group in Google Workspace. You can add any external identity/email to a group, since they can be used for multiple things. So add the role account to this group.
Google has recently come out with "Trust" rules, that allow granular sharing. You can share with a group. So I created a trust rule that allowed sharing of any data source (easier than restricting who can share since file/shared drive ownership affects this rule) to only the group that contains the service account. Now external sharing is permitted, but only to the role account.
Lastly, share the drive with that role account.
++ Note that I also had followed the majority of steps above including the GCP project creation and domain-wide delegation before this portion, but was similarly stuck getting a 403 for access rights.
I have created a web app which is making use of Google Drive API/ REST v2 (https://developers.google.com/drive/v2/web/about-sdk) to perform actions such as create/update/rename/delete of documents etc.
I am authorizing requests with OAuth 2.0 (client side - that means every access token is valid for ~1h and then silently I am getting a new token) and then perform previous actions using that token.
I have a new requirement for the authorized user to share his/her documents for writing/updating them (I found out that API has option for inserting permissions (https://developers.google.com/drive/v2/reference/permissions/insert : role: writer, type: anyone).
Is it possible for a non-authenticated user to be able to write/update documents (programmatically - via Google Drive API v2 or another API?) that have been created from the authenticated user that shared these? (something that is similar to google docs/ sharing when a user is sharing his document and offline users are able to edit it?
Thanks.
Is it possible for a non-authenticated user to be able to write/update documents (programmatically - via Google Drive API v2 or another API?) that have been created from the authenticated user that shared these? (something that is similar to google docs/ sharing when a user is sharing his document and offline users are able to edit it?
What you are describing here is something called a service account. Service accounts are like dummy users. You can share a file on your Google drive account with the service accounts email address and the service account will then have access to that file. Assuming that you gave them edit permissions it will be able to read and write to it without authenticating.
Note: service accounts do not work client sided you will need to use a server sided language to use service accounts.
I 've the follow simple scenario:
a server of my boss
some costumers with google drive accounts
so I'd like to transfer daily some files to costumers google drive...
My question is: if a customer have pc disconnected or is not logged to my site is possible from my server upload a file into costumer google drive?
And if yes there's a limit of user or daily transfer?
p.s.
better if I can use A Google Drive spreadsheet and update data
thanks
Yes it is possible, but there are many steps in between.
1.- You would need an application, so you can perform this operations through your app. check the documentation.
2.- You would need to set the offline access, this way you will be able to upload files even if the user is not logged. Oauth Offline access.
3.- The users (customers with Google Drive account) will have to authorize your application to access their Drive accounts. After this you will be able to get an access token and a refresh token.
4.- With the refresh token you can refresh the access token (it expires after an hour) without having the user to login again and get a new access token. (you have to store this refresh token)
5.- Now you can call the function Drive.Files.Insert in order to upload a file into the customer's Drive. When calling this function you need to provide the access token related to the user.
6.- There are limits that apply to the API. These quotas are against the application. If you make too many calls to the API, you may reach these limits for your application. You can check these limits in the Developer Console of your application.
I hope this helps. I know it's a lot of information but is the procedure you need to follow.