[英]Google API Service Account. Can only see service accounts drive even with Domain Wide Delegation Access
I'm currently using a Google Service Account that has domain wide delegation enabled ( I followed this link https://developers.google.com/identity/protocols/oauth2/service-account , and this link https://developers.google.com/admin-sdk/reports/v1/guides/delegation ), and has " https://www.googleapis.com/auth/drive scope enabled. I have downloaded the json credentials for the service account and placed them in the same directory as my python script. The problem is when I impersonate another user lets say User2 in my domain, and I try to list out the files in User2's drive. I only get the files in my service account's drive.我目前正在使用启用了域范围委派的 Google 服务帐户(我点击了此链接https://developers.google.com/identity/protocols/oauth2/service-account和此链接https://developers.google .com/admin-sdk/reports/v1/guides/delegation ),并启用了“ https://www.googleapis.com/auth/drive范围。我已经下载了服务帐户的 json 凭据并将它们放在与我的 python 脚本相同的目录。问题是当我模拟另一个用户时,可以说我的域中的 User2,然后我尝试列出 User2 驱动器中的文件。我只获取服务帐户驱动器中的文件。
I have a snippet of the code doing the impersonation of User2.我有一段模拟 User2 的代码。
def auth():
domain = 'domain'
# impersonate this user
user = 'testuser' # id only (ie. without @domain)
#scopes = ['https://www.googleapis.com/auth/drive',]
key_file = 'service_account.json'
subject = ''.join([user,'@',domain])
delegated_credentials = service_account.Credentials.from_service_account_file(key_file)
delegated_credentials.with_subject(subject)
drive_service = googleapiclient.discovery.build('drive', 'v2', credentials=delegated_credentials)
return drive_service
Then later I'm trying to get the list of files in a users mydrive.后来我试图获取用户 mydrive 中的文件列表。
children = service.children().list(folderId='root', **param).execute()
for child in children.get('items', []):
item = service.files().get(fileId=child['id']).execute()
Above item is always the "Getting Started PDF" in the service account's my drive以上项目始终是服务帐户的“我的驱动器”中的“入门 PDF”
Basically the whole purpose of this is to programatically change ownership of any folder(plus its contents) to anther user in the same G-Suite.基本上,这样做的全部目的是以编程方式将任何文件夹(及其内容)的所有权更改为同一 G-Suite 中的另一个用户。
Also, I don't want to share a folder with my service account as many other posts say.此外,我不想像许多其他帖子所说的那样与我的服务帐户共享文件夹。 This shouldn't be the case as I'm impersonating the owner.
这不应该是这种情况,因为我在冒充所有者。
I apologize if this is not the correct way to post a question.如果这不是发布问题的正确方式,我深表歉意。 This is my first post.
这是我的第一篇文章。
There are two issues with your authentication flow: missing scopes, and a mis-assigned variable.您的身份验证流程有两个问题:缺少范围和错误分配的变量。
delegated_credentials
variable.delegated_credentials
变量时,您的委托凭证缺少范围。 As you can see in the Preparing to make an authorized API call documentation, when defining your credentials
object you must specify which scopes you will be using in the request.正如您在准备进行授权 API 调用文档中所见,在定义
credentials
对象时,您必须指定将在请求中使用的范围。
Then, when adding the scope to the credentials, you need to assign this to a variable which can be passed to the build of the Drive service.然后,在将范围添加到凭据时,您需要将其分配给一个变量,该变量可以传递给 Drive 服务的构建。
To fix point 1, you need to uncomment your scopes and change this line:要修复第 1 点,您需要取消对范围的注释并更改此行:
delegated_credentials = service_account.Credentials.from_service_account_file(key_file)
to include the scopes:包括范围:
scopes = ['https://www.googleapis.com/auth/drive']
delegated_credentials = service_account.Credentials.from_service_account_file(
key_file, scopes=scopes)
Also, you will need to assign the delegated_credentials.with_subject(subject)
to itself before building the drive service:此外,在构建驱动服务之前,您需要将
delegated_credentials.with_subject(subject)
分配给自身:
delegated_credentials = delegated_credentials.with_subject(subject)
drive_service = googleapiclient.discovery.build(
'drive', 'v2', credentials=delegated_credentials)
I hope this is helpful to you!我希望这对你有帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.