堆栈内存溢出
  简体   繁体   English

Google API 服务帐户。 即使使用域范围的委派访问,也只能看到服务帐户驱动器

[英]Google API Service Account. Can only see service accounts drive even with Domain Wide Delegation Access

 原文  2020-03-27 19:10:05       python/ google-drive-api/ google-admin-sdk/ google-api-python-client/ google-workspace

问题描述

I'm currently using a Google Service Account that has domain wide delegation enabled ( I followed this link https://developers.google.com/identity/protocols/oauth2/service-account , and this link https://developers.google.com/admin-sdk/reports/v1/guides/delegation ), and has " https://www.googleapis.com/auth/drive scope enabled. I have downloaded the json credentials for the service account and placed them in the same directory as my python script. The problem is when I impersonate another user lets say User2 in my domain, and I try to list out the files in User2's drive. I only get the files in my service account's drive.我目前正在使用启用了域范围委派的 Google 服务帐户(我点击了此链接https://developers.google.com/identity/protocols/oauth2/service-account和此链接https://developers.google .com/admin-sdk/reports/v1/guides/delegation ),并启用了https://www.googleapis.com/auth/drive范围。我已经下载了服务帐户的 json 凭据并将它们放在与我的 python 脚本相同的目录。问题是当我模拟另一个用户时,可以说我的域中的 User2,然后我尝试列出 User2 驱动器中的文件。我只获取服务帐户驱动器中的文件。

I have a snippet of the code doing the impersonation of User2.我有一段模拟 User2 的代码。

def auth():
    domain = 'domain'
    # impersonate this user
    user = 'testuser' # id only (ie. without @domain)
    #scopes = ['https://www.googleapis.com/auth/drive',]
    key_file = 'service_account.json'

    subject = ''.join([user,'@',domain])
    delegated_credentials = service_account.Credentials.from_service_account_file(key_file)
    delegated_credentials.with_subject(subject)
    drive_service = googleapiclient.discovery.build('drive', 'v2', credentials=delegated_credentials)

    return drive_service

Then later I'm trying to get the list of files in a users mydrive.后来我试图获取用户 mydrive 中的文件列表。

children = service.children().list(folderId='root', **param).execute()

for child in children.get('items', []):
    item = service.files().get(fileId=child['id']).execute()

Above item is always the "Getting Started PDF" in the service account's my drive以上项目始终是服务帐户的“我的驱动器”中的“入门 PDF”

Basically the whole purpose of this is to programatically change ownership of any folder(plus its contents) to anther user in the same G-Suite.基本上,这样做的全部目的是以编程方式将任何文件夹(及其内容)的所有权更改为同一 G-Suite 中的另一个用户。

Also, I don't want to share a folder with my service account as many other posts say.此外,我不想像许多其他帖子所说的那样与我的服务帐户共享文件夹。 This shouldn't be the case as I'm impersonating the owner.这不应该是这种情况,因为我在冒充所有者。

I apologize if this is not the correct way to post a question.如果这不是发布问题的正确方式,我深表歉意。 This is my first post.这是我的第一篇文章。

1 个解决方案

解决方案1
 2 已采纳  2020-03-30 09:32:21

Answer:回答:

There are two issues with your authentication flow: missing scopes, and a mis-assigned variable.您的身份验证流程有两个问题:缺少范围和错误分配的变量。

More Information:更多信息:

  1. You are missing scopes from your delegated credentials when you assign the delegated_credentials variable.当您分配delegated_credentials变量时,您的委托凭证缺少范围。
  2. You are not assigning your newly delegated credentials when you add a subject.添加主题时,您不会分配新委派的凭据。

As you can see in the Preparing to make an authorized API call documentation, when defining your credentials object you must specify which scopes you will be using in the request.正如您在准备进行授权 API 调用文档中所见,在定义credentials对象时,您必须指定将在请求中使用的范围。

Then, when adding the scope to the credentials, you need to assign this to a variable which can be passed to the build of the Drive service.然后,在将范围添加到凭据时,您需要将其分配给一个变量,该变量可以传递给 Drive 服务的构建。

Code fixes:代码修复:

To fix point 1, you need to uncomment your scopes and change this line:要修复第 1 点,您需要取消对范围的注释并更改此行:

delegated_credentials = service_account.Credentials.from_service_account_file(key_file)

to include the scopes:包括范围:

scopes = ['https://www.googleapis.com/auth/drive']
delegated_credentials = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes)

Also, you will need to assign the delegated_credentials.with_subject(subject) to itself before building the drive service:此外,在构建驱动服务之前,您需要将delegated_credentials.with_subject(subject)分配给自身:

delegated_credentials = delegated_credentials.with_subject(subject)
drive_service = googleapiclient.discovery.build(
        'drive', 'v2', credentials=delegated_credentials)

I hope this is helpful to you!我希望这对你有帮助!

References:参考:

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过域范围委派模拟用户的服务帐户访问 Google Sheets API 失败 - Accessing Google Sheets API through a service account impersonating a user through domain-wide delegation fails 服务帐户无法使用域范围委派连接到 Google 表格 - Service account can't connect to a Google Sheet using domain wide delegation Python Google Analytics OAuth 服务帐户和 2LO; “sub”参数和域范围的委派 - Python Google Analytics OAuth Service Account and 2LO; "sub" parameter and domain wide delegation Google服务帐户委派 - Google service account Delegation 如何使用 Google Drive API 通过服务帐户访问域中的共享文件? - How to get access to shared files in a domain with a service account using the Google Drive API? Google云端硬盘api和服务帐户 - Google drive api and service account 通过Google App Engine上的Google Drive服务帐户访问来模拟用户 - Google Drive Service Account Access on Google App Engine to Impersonate Users Google Search Console API-域范围委派-不返回任何结果 - Google Search Console API - Domain Wide Delegation - Returning no results 如何在Google的python API和驱动器上使用服务帐户? - How to use a service account with Google's python api and drive? 使用服务帐户密钥的 Google Drive Python API 授权 - Google Drive Python API authorization using service account key
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM