Using Advanced Google Services with Service Account - google-apps-script

I am developing an application using Google Apps Script and using some Advanced Services such as Admin SDK (Directory API) and Reseller API.
It seems like these API's are being called by my WebApp under context of user who is accessing my WebApp (it's deployed with 'Execute the app as 'User accessing the webapp').
Ideally, I would like these API's calls to be authenticated with some Service Account under my project (in Dev Console). Is it possible? How?

When your scripts are ran as 'User accessing the webapp' it runs off the users data against your quota. If you want to run it against your data you need to change the settings to execute the app as "me".
If you need to do a mixed authentication model where the app needs to access the data of two different accounts, you have some options. Either way one account gets to access the built in Apps Script services and the other will use the REST interfaces to the APIs to access their data.
You can run the app as "me" then manage your own Oauth for the user. This can be done with an OAuth Library such as:
https://github.com/googlesamples/apps-script-oauth2
Or you can run the app as the user and use a service account for your server. Here is a library I put together for using service accounts in Apps Script:
https://github.com/Spencer-Easton/Apps-Script-GSApp-Library

Related

How to give users access to app script managed by a GCP Project

I have an app script linked to a spreadsheet that has a few functions to automate some processes for users. I recently updated the project to be linked to a standard GCP project I created so I could create OAuth credentials for an unrelated process in this script. However, now when users go to run the functions, they get a 403. Is there a place in the GCP console where I can give them access? I am not using any OAuth credentials for these functions. Just the standard app script interactions with the Google Sheet.
I think when you move to GCP you are required to use OAuth and they have to enter their credentials again. Found in the docs.
You have to configure the OAuth Consent Screen as is explained in the official docs about link a Google Apps Script project to a standard Google Cloud Project --> https://developers.google.com/apps-script/guides/cloud-platform-projects

authenticate google apps script to use google cloud run instance

I've got a Google Apps Script attached to a Google Sheet that is triggered when a new entry comes in. I've also got a Google Cloud Run instance for a Flask app that I access through an end-point.
Currently it allows unauthenticated invocations but I want to only allow authenticated invocations. How do I go about doing this? I can't access the metadata server as its outside of GCP and the Calling From Outside GCP suggests following the Identity-Aware Proxy sample code however IAP does not work for Cloud Run...
Is there any simple way of doing this?

Gmail add-on connecting to non-Google Services without oAuth

Is it possible to authenticate to third-party service in G-Suite (Gmail) Add-ons, but without oAuth. The service I want to authenticate works on REST API and has no oAuth support.
The best for me would be to open a new window (as with oAuth), login there and return token to the Gmail add-on frame. If that won't be possible, I'd go with giving a username and password in dedicated Card in add-on, but I'm not sure it that solution will pass Google verification when publishing in Marketplace.
I'll be grateful for all the suggestions.
Unfortunately no. When connecting your add-on to third party services(ex. your application server), Gmail forces you to set up a separate authentication process for user to go through to use your services.
However, if the non-Google service does require authorization, you'll have to configure OAuth for that service. You can make this process easier by using the OAuth2 for Apps Script library (there is also an OAuth1 version).
Your service can still use Google OAuth to authenticate the user, you just need to set it up separately from your Gmail add-on.
You can read more on it here: https://developers.google.com/gmail/add-ons/how-tos/non-google-services
Also in my post I explain the process of connecting your non-google services to gmail add-on in more detail

Google App Script LDAP Access Control

Is there a way to restrict access to an application built on Google App Script using LDAP? Can Google App Script access LDAP?
There are a couple of ways to look at this problem.
Apps Script cannot directly access your LDAP system. Apps Script has ability make HTTP calls to REST/SOAP services, make JDBC calls to external databases but it doesn't have built in support for the LDAP directory.
However, if you are using Apps Script w/in a Google Apps domain then you can tie in Google user accounts to LDAP using Google Apps Directory Sync. Once this is setup, you can deploy your Apps Script to only allow people w/in your domain and Google will make them login before they can access the Apps Script.
Hope this helps.

Chrome Web Apps and Google Apps Script

I want to create a web app using Apps Script. Who gets charged for the quotas? The user installing the app or the developer?
Also, is it possible to pay for increased quotas?
Whose quotas get used depends on how you deploy the app. When deploying you pick an option for "Execute the app as". The following is from the documentation:
Execute the app as: Do you want the web app to execute as you (the
owner of the script) or as the active user who is accessing the web
app?