[英]Create apps script service accounts to access Drive, Sheet, and Docs
I am in a similar situation to the OP of this post: User access request when GAS run as the user我和这篇文章的OP有类似的情况: User access request when GAS run as the user
I need to run a web app as an 'active user', allow this user to access Drive, Docs, and Sheets resources, but not having the user direct access to them.我需要以“活跃用户”身份运行 web 应用程序,允许该用户访问云端硬盘、文档和表格资源,但不允许用户直接访问它们。
However my knowledge is much less on the subject.但是,我对这个问题的了解要少得多。
As I understand it, I need to create a service account so that the script running as the 'active user' can access Drive, Sheet, and Docs resources that the active user does not have access to.据我了解,我需要创建一个服务帐户,以便以“活动用户”身份运行的脚本可以访问活动用户无权访问的驱动器、工作表和文档资源。
I am also looking at other resources as well as Google's documentation, but it's a bit overwhelming.我也在查看其他资源以及 Google 的文档,但有点不知所措。
Can anyone explain the basics for this?谁能解释一下这方面的基础知识? Maybe a tutorial (or a link to such) that really inexperienced users can understand?
也许真正没有经验的用户可以理解的教程(或此类链接)? I just need to get started on the right direction.
我只需要在正确的方向上开始。
Thank you in advance!先感谢您!
Impersonation of users using App Script使用 App Script 模拟用户
It should be possible to generate a key and start the process of impersonation and call off the scopes and API.应该可以生成密钥并开始模拟过程并调用范围和 API。
function getJWT(sub) {
var header = { "alg": "RS256", "typ": "JWT" }
var encodedheader = Utilities.base64EncodeWebSafe(JSON.stringify(header))
var key = "-----BEGIN PRIVATE KEY----- fjsklfjl;sdjfasd -----END PRIVATE KEY-----\n"
var time = Math.floor(new Date().getTime() / 1000)
var claim = {
"iss": "yourserviceaccount@mail-p-any.iam.gserviceaccount.com",
"scope": "https://mail.google.com/",
"aud": "https://oauth2.googleapis.com/token",
"iat": time,
"exp": time + 3600,
"sub": sub[0]
}
var encodedclaim = Utilities.base64EncodeWebSafe(JSON.stringify(claim))
var input = encodedheader + "." + encodedclaim
var signed = Utilities.computeRsaSha256Signature(input, key)
var base64signed = Utilities.base64Encode(signed)
var jwt = encodedheader + "." + encodedclaim + "." + base64signed
return jwt
}
function getAccessToken(user) {
var payload = {
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"assertion": getJWT(user)
}
var params = {
"method": "POST",
"contentType": "application/x-www-form-urlencoded",
"payload": payload,
"muteHttpExceptions": true
}
var response = UrlFetchApp.fetch("https://oauth2.googleapis.com/token", params)
var output = JSON.parse(response.getContentText())
console.log(output.access_token)
return output.access_token
}
You can also review the library and step by step process on how you can implement it in another way from here:您还可以查看库和分步过程,了解如何从此处以另一种方式实现它:
My code sample was based on the sample script from:我的代码示例基于以下示例脚本:
You can also review the other sample code from the references below.您还可以从下面的参考资料中查看其他示例代码。
This way you are able to impersonate the user and run or make calls on behalf of the user from your organization without having access to it.通过这种方式,您可以模拟用户并代表您组织的用户运行或拨打电话,而无需访问它。 This might be where you can start your idea on how to start.
这可能是您开始思考如何开始的地方。
References参考
https://cloud.google.com/iam/docs/impersonating-service-accounts https://cloud.google.com/iam/docs/impersonating-service-accounts
https://github.com/googleworkspace/apps-script-oauth2/blob/main/samples/GoogleServiceAccount.gs https://github.com/googleworkspace/apps-script-oauth2/blob/main/samples/GoogleServiceAccount.gs
I got this to work, for the benefit of those who are the same level in this subject as I am, and in the similar situation.为了那些与我在这个主题上处于相同水平并且处于类似情况的人的利益,我得到了这个工作。 Anyone please expound or correct me if I'm wrong, thanks.
有不对的请大家指正或指正,谢谢。
You cannot use the methods to access Drive, Docs, and Sheets in the same code that runs as the 'active user'.您不能在以“活动用户”身份运行的相同代码中使用这些方法访问云端硬盘、文档和表格。
You have to access these Google services using the equivalent HTTP您必须使用等效的 HTTP 访问这些 Google 服务
API calls of the methods. API 次方法调用。
The HTTP API calls need a user that would interact with the resources (because it's being called from publicly from the inte.net and not HTTP API 调用需要一个与资源交互的用户(因为它是从 inte.net 公开调用的,而不是
from the script).从剧本)。
You create a service account for this.您为此创建一个服务帐户。 This acts as the user for the calls.
这充当调用的用户。
I started with Ricardo Jose Velasquez Cruz's response, and found other resources, as I was calling the API from Apps Script.当我从 Apps Script 调用 API 时,我从 Ricardo Jose Velasquez Cruz 的回复开始,并找到了其他资源。 https://medium.com/geekculture/how-to-use-service-accounts-and-oauth2-in-google-apps-script-99c4bc91dc31
https://medium.com/geekculture/how-to-use-service-accounts-and-oauth2-in-google-apps-script-99c4bc91dc31
Note that Apps Script requires an OAUTH2 library to connect, not sure why this was not built-in to GAS itself: https://github.com/googleworkspace/apps-script-oauth2请注意,Apps 脚本需要一个 OAUTH2 库才能连接,不确定为什么这不是 GAS 本身内置的: https://github.com/googleworkspace/apps-script-oauth2
How to create a service account and use it to access Google Drive (you use the same code to access Docs and Sheet as well, you just need to use the corresponding URL and parameters for the services): https://www.labnol.org/code/20375-service-accounts-google-apps-script如何创建服务帐号并使用它访问Google Drive(您也使用相同的代码访问Docs和Sheet,您只需要使用相应的URL和服务参数): https://www.labnol。组织/代码/20375-service-accounts-google-apps-script
it's basically the same code as another post I found here: Google Service Accounts / API - I keep getting the Error: Access not granted or expired.它与我在此处找到的另一篇文章的代码基本相同: Google 服务帐户 / API - 我一直收到错误:访问未被授予或已过期。 (line 454, file "Service")
(第 454 行,文件“服务”)
Hope this helps:)希望这可以帮助:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.