Can Google Drive work with application default credentials?

Hello.

I am running rclone in an automated job, so I am not using any interactive config and login.

I was able to use GCS remotes from a GCP compute machine with this config:

[gcs]
type = google cloud storage
bucket_policy_only = true
project_number = 00000000000

With this, rclone can log in to the service account running the VM, probably through the official SDK, which gets the credentials from the metadata server.

I tried a similar config for Google Drive:

[my-team-drive]
type = drive
scope = drive
root_folder_id =
team_drive = 0AAAAAAAAAAAAA

But here rclone outputs an error:

2023/02/13 09:09:23 Failed to create file system for "my-team-drive:": drive: failed when making oauth client: failed to create oauth client: empty token found - please run "rclone config reconnect my-team-drive:"

Passing a token is not an option in my scenario, and we avoid using service account files because GCP security recommendations recommend against it.

So, is there a way to make Google Drive work with application default credentials?


If you don't use a Service Account, you are required to use OAuth to log in, as there is no way around it; that's a Google requirement/change.

I don't think so.

Google Cloud Storage is aimed at the people who want to do this.

Google Drive is aimed squarely at users (whether enterprise or not) and doesn't (as far as I know) have any of this automation convenience.

Your best option here is probably a service account.

Google Drive is aimed squarely at users (whether enterprise or not) and doesn't (as far as I know) have any of this automation convenience.

Are you sure? When creating credentials for the Google Drive API, it asks whether you plan to use it with GCP products and if so says you can use ADC:

Any chance support for using ADC with Google Drive can be added?

If it is possible and you can figure it out I'd certainly accept a pull request!

Failing that your company could engage me on a contract to investigate. If you like this idea then please email nick@craig-wood.com

Xery, I've added support for environment based auth for Google Drive but my experience with the Drive API is not very extensive. Could you run some tests on #6811?

@RodolpheGohard @xery I'm building a beta of this for you to try

v1.62.0-beta.6766.91dee0340.pr-6811-drive-auth (uploaded in 15-30 mins)

Can you give it a go? You'll need to add env_auth = true to the config or pass the --drive-env-auth flag.

@lugoues - note (see first post) that this appeared to work with GCS without your env_auth patch for the gcs backend???

I tried the project_number trick and that didn't work for me. GCP's SDK has several paths it goes down to find the “Default” credentials. It is very possible that however Rodolphe passed them was different. The two scenarios I ran into issues with were providing Workflow Identities and setting the service account env var, and neither of those worked (I tried the project_number path too).

Thank you very much, I will try this when I return from vacation.


I tried it out, but ended up getting an error:

Failed to create file system for destination "gdrive:": couldn't find root directory ID: googleapi: Error 403: Request had insufficient authentication scopes.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "method": "google.apps.drive.v3.DriveFiles.Get",
      "service": "drive.googleapis.com"
    },
    "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
  }
]

More details:
Reason: insufficientPermissions, Message: Insufficient Permission

which seems to just indicate an issue with providing credentials to ADC on my side, not an issue with rclone, so my feedback might not be of much use in the meantime - sorry.

Thanks for giving it a go. It does look quite promising as you got that error back from drive itself.

A bit of searching indicates that this can be fixed quite easily: node.js - ACCESS_TOKEN_SCOPE_INSUFFICIENT 403 Request had insufficient authentication scopes domain global - Stack Overflow

Already confirmed that setting. I think it's an issue to do with the permissions on the service account attached to the VM ... no worries.
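
The 403 above says the token's scopes do not cover the Drive call. One way to check that on a VM, as an added example that is not part of the thread or of rclone's code: compare the scopes the metadata server reports with what `scope = drive` asks for. The function names are hypothetical, the scope prefix is assumed to match how rclone expands `scope`, and the sample scope lists are constructed.

```shell
# Added example, not rclone code. Assumes rclone expands "scope = drive" to
# the URL below (prefix + name); function names here are hypothetical.
SCOPE_PREFIX="https://www.googleapis.com/auth/"

# Scopes baked into the VM's default service account token (GCE metadata server).
vm_granted_scopes() {
  curl -sf -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
}

# missing_drive_scopes "<rclone scope value>" "<granted scope URLs>"
# Prints every scope URL the remote needs that the token lacks.
# Returns 0 when nothing is missing, 1 otherwise. Matching is exact per scope.
missing_drive_scopes() {
  wanted=$1
  granted=$(printf '%s\n' "$2" | tr -s ' \t' '\n')
  rc=0
  old_ifs=$IFS
  IFS=', '
  set -f                      # no globbing while splitting the scope list
  for name in $wanted; do
    url="${SCOPE_PREFIX}${name}"
    if ! printf '%s\n' "$granted" | grep -qxF -- "$url"; then
      printf '%s\n' "$url"
      rc=1
    fi
  done
  set +f
  IFS=$old_ifs
  return "$rc"
}

# Constructed samples: a VM with typical default access scopes, and one
# created with the Drive scope added. cloud-platform is a different scope
# URL, so it never satisfies a Drive scope here.
DEFAULT_VM_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"
DRIVE_VM_SCOPES="https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/drive"

# On a real VM: missing_drive_scopes drive "$(vm_granted_scopes)"
```

A non-empty result means the VM's access scopes have to be changed before the `env_auth` path can work, whatever IAM roles the service account holds.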
