Authorize remote without interactive session

What is the problem you are having with rclone?

I'm working on a script to help other users of a remote server set up their rclone configuration for a shared Google Cloud Storage. Almost all information on the config file needs to be the same for all users except for the token. I created a template config that the script should use, but I'm having trouble finding the command I would need to run to get the token.

When I run the interactive configuration session, I am prompted to authenticate rclone with remote and select "No" which then gives me an rclone authorize command that looks like this:

rclone authorize "google cloud storage" "<large alphanumeric string>"

I just copy this and paste it on my local machine to get the token. I would like to get that same rclone authorize command without having to go through the interactive session.

Run the command 'rclone version' and share the full output of the command.

rclone v1.62.2
- os/version: centos 7.9.2009 (64 bit)
- os/kernel: 3.10.0-1160.80.1.el7.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.20.2
- go/linking: static
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Google Cloud Storage

The command you were trying to run (eg rclone copy /tmp remote:tmp)

NA

The rclone config contents with secrets removed.

[GCS TEMPLATE]
type = google cloud storage
client_id = REDACTED
client_secret = REDACTED
project_number = REDACTED
object_acl = authenticatedRead
bucket_acl = authenticatedRead
location = us-central1
storage_class = REGIONAL

A log from the command with the -vv flag

NA

Not 100% sure what you are trying to do.

But if you want many people to have the same access level as you do, simply copy your rclone.conf info for the bucket and have others paste the same info into their rclone.conf.

If you want many different levels of access then create the different level users and set them up.

Again copying and pasting the info from your conf to theirs should do the trick just fine.

Authorizations are not IP or machine limited; it is just a matter of whether the conf has the details needed or not.

Think of it like logging in to Gmail: if someone has your user/pass they can

Just keep in mind the creds might give people access to other things, not just the bucket, depending on the security settings for the creds you are using.

why not use service account, does not use tokens.
rclone won't use the browser based authentication flow

i do this with gdrive, tho the same should apply to gcs.

[gdrive.saf]
type = drive
scope = drive
service_account_file = /home/username/rclone/sa.json

[gdrive.sac]
type = drive
scope = drive
service_account_credentials = {"type": "service_account", "project_id": "redacted",   "private_key_id": "redacted",   "private_key": "-----BEGIN PRIVATE KEY----- redacted -----END PRIVATE KEY-----\n",   "client_email": "",   "client_id": "redacted",   "auth_uri": "https://accounts.google.com/o/oauth2/auth",   "token_uri": "https://oauth2.googleapis.com/token",   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted" }

Thank you for your response. That's the thing. I don't want everyone to have the same access level as I do and I can't set it up for them. We are using rclone as part of a data processing pipeline that will be shared with other people and I want to make this as easy to set up as possible.

Exactly

I'm sorry if I wasn't clear enough.
In summary, I want to be able to give the user the rclone authorize command I mentioned so that they can run it on their machines and get the token for me. I'm not sure where the large alphanumeric string comes from. I hope this makes sense.

Then you need to create service accounts that users can use inside rclone.

In case someone has the same question as me, I looked for the authorize function in the source code and found this comment: https://github.com/rclone/rclone/blob/88c72d1f4de94a5db75e6b685efdbe525adf70b8/fs/config/authorize.go#L11-L17

// Authorize is for remote authorization of headless machines.
//
// It expects 1, 2 or 3 arguments
//
//	rclone authorize "fs name"
//	rclone authorize "fs name" "base64 encoded JSON blob"
//	rclone authorize "fs name" "client id" "client secret"

So, the large alphanumeric is a base64 encoded JSON blob. I still don't know where that comes from, but using the client id and client secret as arguments got me the token that I needed:

rclone authorize "google cloud storage" "client id" "client secret"

I have not tested using service accounts, although that seems like it would also work.
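A sketch of the setup-script step the original question describes, added here as an example and not taken from the thread or from rclone: it takes the text a user pastes back from `rclone authorize` and merges the token into a copy of the shared template, written with owner-only permissions. The function and file names are hypothetical, and the example assumes the token arrives as a single-line JSON object, as printed between the "--->" and "<---End paste" markers.

```shell
#!/bin/sh
# Added example (not rclone's own code). Function and file names are hypothetical.

# Read pasted `rclone authorize` output on stdin and print only the token line.
# Assumption: the token is a one-line JSON object; carriage returns from a
# Windows terminal paste are stripped first.
extract_token() {
  tr -d '\r' | sed -n 's/^[[:space:]]*\({.*}\)[[:space:]]*$/\1/p' | head -n 1
}

# write_user_config TEMPLATE OUTPUT   (pasted authorize output on stdin)
# Reading the token from stdin keeps it out of argv, where `ps` would show it.
# The function body is a subshell, so the umask change does not leak out.
write_user_config() (
  template=$1
  out=$2
  umask 077                       # config holds a refresh token: owner-only
  token=$(extract_token)
  # Refuse input that does not look like a JSON object carrying an access token.
  case $token in
    '{'*'"access_token"'*'}') ;;
    *) echo "no token found in input" >&2; exit 1 ;;
  esac
  # Drop any stale token line from the template, append the new one, and
  # replace the target only after the temporary file was written completely.
  { grep -v '^token[[:space:]]*=' "$template"
    printf 'token = %s\n' "$token"
  } > "$out.tmp" && mv "$out.tmp" "$out"
)

# Usage (hypothetical file names):
#   write_user_config gcs-template.conf user-rclone.conf < pasted-output.txt
```

The template is expected to contain a single remote section, since the token line is appended at the end of the file.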
