创建应用程序脚本服务帐户以访问云端硬盘、工作表和文档

Question

I am in a similar situation to the OP of this post: User access request when GAS run as the user

I need to run a web app as an 'active user', allow this user to access Drive, Docs, and Sheets resources, but not having the user direct access to them.

However my knowledge is much less on the subject.

As I understand it, I need to create a service account so that the script running as the 'active user' can access Drive, Sheet, and Docs resources that the active user does not have access to.

I am also looking at other resources as well as Google's documentation, but it's a bit overwhelming.

Can anyone explain the basics for this? Maybe a tutorial (or a link to such) that really inexperienced users can understand? I just need to get started on the right direction.

Thank you in advance!

Answer 1

Impersonation of users using App Script

It should be possible to generate a key and start the process of impersonation and call off the scopes and API.

function getJWT(sub) {
  var header = { "alg": "RS256", "typ": "JWT" }
  var encodedheader = Utilities.base64EncodeWebSafe(JSON.stringify(header))
  var key = "-----BEGIN PRIVATE KEY----- fjsklfjl;sdjfasd -----END PRIVATE KEY-----\n"

  var time = Math.floor(new Date().getTime() / 1000)

  


  var claim = {
    "iss": "yourserviceaccount@mail-p-any.iam.gserviceaccount.com",
    "scope": "https://mail.google.com/",
    "aud": "https://oauth2.googleapis.com/token",
    "iat": time,
    "exp": time + 3600,
    "sub": sub[0]
  }


  var encodedclaim = Utilities.base64EncodeWebSafe(JSON.stringify(claim))

  var input = encodedheader + "." + encodedclaim

  var signed = Utilities.computeRsaSha256Signature(input, key)

  var base64signed = Utilities.base64Encode(signed)

  var jwt = encodedheader + "." + encodedclaim + "." + base64signed

  return jwt


}

function getAccessToken(user) {
  var payload = {
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": getJWT(user)
  }
  var params = {
    "method": "POST",
    "contentType": "application/x-www-form-urlencoded",
    "payload": payload,
    "muteHttpExceptions": true
  }
  var response = UrlFetchApp.fetch("https://oauth2.googleapis.com/token", params)

  var output = JSON.parse(response.getContentText())
  console.log(output.access_token)
  return output.access_token
}

You can also review the library and step by step process on how you can implement it in another way from here:

• https://github.com/googleworkspace/apps-script-oauth2

My code sample was based on the sample script from:

• https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

You can also review the other sample code from the references below.

This way you are able to impersonate the user and run or make calls on behalf of the user from your organization without having access to it. This might be where you can start your idea on how to start.

References

• https://cloud.google.com/iam/docs/impersonating-service-accounts

• https://github.com/googleworkspace/apps-script-oauth2/blob/main/samples/GoogleServiceAccount.gs

Answer 2

I got this to work, for the benefit of those who are the same level in this subject as I am, and in the similar situation. Anyone please expound or correct me if I'm wrong, thanks.

• You cannot use the methods to access Drive, Docs, and Sheets in the same code that runs as the 'active user'.

• You have to access these Google services using the equivalent HTTP
  API calls of the methods.

• The HTTP API calls need a user that would interact with the resources (because it's being called from publicly from the inte.net and not
  from the script).

• You create a service account for this. This acts as the user for the calls.

I started with Ricardo Jose Velasquez Cruz's response, and found other resources, as I was calling the API from Apps Script. https://medium.com/geekculture/how-to-use-service-accounts-and-oauth2-in-google-apps-script-99c4bc91dc31

Note that Apps Script requires an OAUTH2 library to connect, not sure why this was not built-in to GAS itself: https://github.com/googleworkspace/apps-script-oauth2

How to create a service account and use it to access Google Drive (you use the same code to access Docs and Sheet as well, you just need to use the corresponding URL and parameters for the services): https://www.labnol.org/code/20375-service-accounts-google-apps-script

it's basically the same code as another post I found here: Google Service Accounts / API - I keep getting the Error: Access not granted or expired. (line 454, file "Service")

Hope this helps:)