Google spreadsheet script authorisation to BigQuery - google-apps-script

I have a Google spreadsheet with a script that connects to BigQuery (using this tutorial - https://developers.google.com/apps-script/advanced/bigquery?hl=ar-AE).
It adds an extra menu option and users can run the script that executes a query to BigQuery.
It works fine for me and I want to share this spreadsheet with other users (who don't have access to BigQuery itself) and allow them to run my script. When I do it, first they get script authorisation dialog and are able to run the script after that. But BigQuery returns error:
Exception: Access Denied: Job XXX:job_NaMBWMRfbMHygS1n10AQXXXX: The user does not have permission to run a query in project XXXXX
I tried deploying the script as a web app and set it to execute under my account but it didn't change anything.
Is there any solution or workaround?

Unfortunately you can only allow access to scripts running as 'you' if it is running as a web app. The only way to run it as a webapp is if the doGet()/doPost() function is called by the browser. Running the doGet() as a function runs it as a normal script.
You can give access to run queries using the project access controls in developers console. Check out:
https://cloud.google.com/bigquery/access-control
The other option is to use the Oauth2 library and store your personal token in the scripts properties. You then can rewrite your script to use the BigQuery REST interface. There is a template for this at:
https://github.com/googlesamples/apps-script-templates/tree/master/sheets-import

The best way that I found is to simply change the configuration of the file appsscript.json. You can find by acessing View > Show project manifest. There you will find an option to change the option executeAs and if you change to USER_DEPLOYING the web app always will run as the person who deployed and most likely have the access to the BigQuery project. You can find the source of the documentation here: https://developers.google.com/apps-script/manifest

Related

Define dependency between a standalone script and web app during installation

I have a standalone script which works with Google Sheets. I need to have an URL to which I can send a small chunk of data from another service and this data is required for my script to work.
So far I came up with the following solution. I create a separate web app script which will provide me with URL. Then, I send data to the app, it saves it on the Google Drive of the user and later my standalone script reads it.
However, I don't understand at this point how I should bind my standalone script with the web app, so when the user installs the standalone it would have everything working.
Will appreciate any comments!

How do I obtain permission to publish a google script as a web app?

When I attempt to deploy my Google Apps Script as a web app, I get a message saying "You do not have permission to perform that action." It would be great if the message had a link to how to resolve that issue.
I've looked and have undoubtedly missed something both important and well-hidden :)
So, how do I obtain permission?
Thanks.
AFAIK, you first need to decide whose authorization the app should run with. As mentioned in Permissions,
The permissions for a web app differ depending on whether you choose to execute the app as the owner of the script or as the active user who is accessing the web app.
If you choose for the script to execute as you, then the script will always execute under your identity, that is, the identity of the owner of the script. This will be the case regardless of which user is accessing the web app.
If you choose for the script to execute as the user who accesses the web app, then the script will execute under the identity of the active user who is accessing your script.
To confirm whose authorization will it be, select whose authorization the app should run with under the Execute the app as. Please check steps given in Deploying a script as a web app.
For more information, you may want to visit Web Apps and also Authorization for Google Services.

Queries done in Sheets pulling from BigQuery (permissions help needed)

I want to set up scripts in sheets creating several menu options for predefined queries. This way normal bob can get his queries, Tina can get hers, and Fredrick in accounting can get the information he needs without out writing his own queries. They can use a fun menu:
screenshot
The data table is set up in BigQuery, and queries work fine using the 'compose query' option. The issue is getting queries written in the script to function in sheets. Here is a nice tutorial by Ido Green on how to go about it. https://greenido.wordpress.com/2013/12/16/big-query-and-google-spreadsheet-intergration/
My problem is getting the permissions to work. I believe I approved the project ID in BigQuery, but I am unsure of how to do this in Drive. This is new to me. Let me know if someone has the step by step. This is the error I get when I try to run the script:
"Exception: No suitable credentials found to access Google Drive. Contact the table owner for assistance."
Thank you for your help
Got the same issue with my Google Apps script.
Steps to fix
Enable Google Drive API in Resources -> Advanced Google Services
Enable Google Drive API in Google Developers Console for this project
Run 'DriveApp.getRootFolder();' to get Drive Auth Scope .
I think the problem is in the OAuth Scopes.
According to this SO question, If you are using the BigQuery web UI and have not explicitly granted access to Drive, it won't work. For example, the first time I tried to "Save to Google Sheets", the BigQuery UI popped up an OAuth prompt asking me to grant access to my Google Drive. After this it could save the results. Try doing this to make sure your credentials have the Drive scope and then "Save View" again.
If you are using your own code to do this, you should request scope 'https://www.googleapis.com/auth/drive' in addition to the 'https://www.googleapis.com/auth/bigquery' scope you are already using to talk to BigQuery.
Also check this SO question and this community page for more information.

Is there a way to build an Google Apps Script application that uses BigQuery Service as a service account instead as a user?

What I trying to do here is an application that connects to bigquery, executes some query and writes a spreadsheet in current user's Google Drive.
I know that I can change the "Execute app as" option when deploying the app. But when I do this, and the user try to use the app, Google asks for permission to access the BigQuery.
I do not want to give permission to each user to access BigQuery.
We have about 50 ~ 100 users who will use (and this number can increase)
Some images:
When access the application's url: http://i.imgur.com/kGzJ3ps.png.
When the user clicks in the "continue" button:
http://i.imgur.com/4cRmhZ6.png
Hope I've been clear.
You would probably need an App, that had people sign in with their Google account using oAuth2
Google Accounts Authentication and Authorization
I think that this link gives an overview of what your options are:
Permissions and Types of Scripts
I guess you would need to have an App, that ran as User at the keyboard, so that the spreadsheet saved to their Google Drive. If you wanted the user to be able to download a file to their computer drive, that's a little different.
Just use HTML Service. It's basically just building a website. You just don't have a domain name. But the spreadsheet you are distributing doesn't have a domain name.
HTML Service Google Documentation
From an Apps Script HTML Service, you can write to Spreadsheets, Documents, and run HTTP Requests (urlFetch).
URL Fetch Service
The permissions in the Apps Script App can be set to run the Apps Script file as yourself, with access to anyone, even anonymous. That way, the user will never be asked for permission for any files that you own. You will need to authorize it once, the first time any script that needs access to your files is run.
Because anyone could run your Apps Script App, you might want to have a log in system to authenticate users.
You would need to use the Big Query API with Apps Script urlFetch to access Big Query.
So, with the HTML Service, you can do most everything you could do with HTML, CSS, and Javascript on a regular website. You can create custom input forms, have different pages and display data in tables. Plus it's served over HTTPS.
One solution that you can use if you don't want all your users to enable BigQuery is to use a webapp deployed as a service running as "you" and that will respond to an urlFetch coming from each user through the script they run as "themselves".
This service will be deployed as any other webapp using a doGet main function and return its data using contentService
Yes, that is possible. Check out this answer here: Using Advanced Google Services with Service Account and also check this awesome library: https://github.com/googlesamples/apps-script-oauth2

ScriptDb in Library accessed by WebApp

I created a Google Apps Script project that is published as a WebApp visible for anyone, running as the accessing user.
This WebApp includes a Library project, which has methods to access ScriptDb as following:
function getDb() {
return ScriptDb.getMyDb();
}
function save(props) {
return getDb().save(props);
}
I intend to have one WebApp running per accessing user (using time-based triggers to access Gmail), however I would like to use the ScriptDb to store data independently from the user running the WebApp.
So I thought the chapter Centralizing a Place to Get a Database Instance from the Google Apps Script Documentation applies here, however I am getting the following error when accessing the WebApp:
You do not have access to library MyDBLibrary, used by your script, or it has been deleted.
Am I doing anything wrong? Was ScriptDb not intended to run independently of the user, when being accessed from a WebApp?
Joscha - you have the set up right and I reproduced everything you've reported. The last thing you were missing was to the share the Library project itself to the public.
The way to do that is to
1. Open the Library project in the script editor
2. Go to File -> Share
3. In the "Who has access" section, set it to anyone with the link can View (dont need edit).
Without this, Apps Script will now know its ok to serve the library code to the public. Hope this helps.
You may need to turn on development mode flag to make it work.
Here's what I did.
User A: Created a Master spreadsheet and created an app script and saved it with version 1.0.
User A: Gave access to this sheet to user B so they can use the common app script.
User A: Gave project access key to user B.
4.User B: Created a spreadsheet and added resource library with project key.
User B: Selected version 1.0.
User B: Turned on development mode.
Note: if I follow steps 1 through 5, then I still see the same error saying I don't have permission or the script has been deleted. However, also doing step 6 will resolve the error and allow you to use the shared script.