Configure a Google Drive Remote (Service Account) without GSuite

What is the problem you are having with rclone?

I tried to configure the Google Drive remote with a service account as described here: https://rclone.org/drive/#service-account-support
But I could not do all of the steps, e.g. the chapter:

  1. Allowing API access to example.com Google Drive

I don't use GSuite; what I want to do is use my private Google Drive account with rclone on my server to back up some files. I don't have a browser on the server to use the OAuth flow, and I want the backups to be done automatically without me signing in every time. That's why I think I have to use Service Accounts.

The error I'm getting when I do the configuration without chapter 2 is:
rclone -v --drive-impersonate <mail>@gmail.com lsf googledrive:test

Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

What is your rclone version (output from rclone version)

rclone v1.51.0

  • os/arch: linux/amd64
  • go version: go1.13.7

I'm afraid @Harry is right. With a personal drive account you can make a service account but all you can access is the storage for the service account which is effectively a new google drive user with 15 GB of quota.

What you can do though is set up rclone on your personal computer then copy the config file to the server - this will work fine without needing a service account.

No, you don't need service accounts. The problem you're having is that you can't configure Google Drive on your server because it does not have a browser, right?

If that is the case then the solution is here: Set up Rclone from Command Line only

1 Like

I don't often dare to counter-say you Nick, but I am sure this is incorrect.

There are 2 ways to use a service account without Gsuite admin:

  1. If you want to use the service account to control a Teamdrive (now renamed to shared drive) you can simply invite the service-account's email to the teamdrive (you can find this email inside the .json file). I consider this the optimal approach because you can set the user-level exactly to what you need (to maximize security or compatibility), and it's fast and convenient.

  2. If you want to use a service-account to control data on a personal drive then it is a little more convoluted, but it still works fine... What you have to do is:

  • Set up a normal "share" folder (and if need be just store all of your data here).
  • Select to share this location with the service-account's email.
  • On the service-account you can use --drive-shared-with-me...
    https://rclone.org/drive/#drive-shared-with-me
    To specify that this shared area is what you are operating on in rclone.
    This will allow the service-account to manage the files for you, both reading and writing. It's hardly a clean and ideal setup, and I suspect it will have some small issues that require workarounds in specific cases (maybe around deletions I suspect?). This share method was of course not designed for general data-management but just sharing files to friends and co-workers. I have not tested this extensively though, but I haven't seen any big problems with it.

The only service-account setup that I am aware of that really requires a Gsuite admin is for setting up domain-wide delegation (i.e. setting a service-account to by-default have access to all users). This is no doubt fantastic for managing a larger organization, but aside from the ease-of-management in larger scales I don't think this does much else important that you can't do the other ways, and of course it also only works inside of your organization. As such it is probably overkill for most rclone users. Actual network admins should definitely look into this though.

2 Likes
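The preparation steps for the shared-folder approach in the post above, as an added example that is not part of the original thread and is not rclone's own code: it reads the service account's email out of the .json key (the address the folder has to be shared with), restricts the key file's permissions, and writes an rclone remote that points at the key. The remote name `gdrive-sa`, the file paths and the sample key contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: prepare a service-account key for rclone on a headless server.

# Print the client_email field of a service-account JSON key file.
sa_email() {
    sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Write a minimal rclone remote section that uses the key file.
# $1 = remote name (hypothetical), $2 = key file path, $3 = config file to write
write_remote() {
    # The key is a long-lived credential: readable by the owner only.
    chmod 600 "$2" || return 1
    (
        umask 077   # the config file names the key, keep it private too
        printf '[%s]\ntype = drive\nscope = drive\nservice_account_file = %s\n' \
            "$1" "$2" > "$3"
    )
}

# Constructed sample key: fake values, private key replaced by a placeholder.
make_sample_key() {
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "backup-bot@example-project.iam.gserviceaccount.com",
  "private_key": "CONSTRUCTED-PLACEHOLDER"
}
EOF
}

demo_dir=$(mktemp -d)
make_sample_key "$demo_dir/sa.json"
echo "Share the Drive folder with: $(sa_email "$demo_dir/sa.json")"
write_remote gdrive-sa "$demo_dir/sa.json" "$demo_dir/rclone.conf"

# Once the folder is shared with that address in the Drive web UI:
#   rclone --config "$demo_dir/rclone.conf" lsf gdrive-sa: --drive-shared-with-me
```
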

I was actually testing the exact same method yesterday. The problem with the setup is the service account can't delete files on the shared folder (like shared drive) because the owner isn't the service account.

Also, if you upload files to the shared folder via the service account then the quota of the service account will be used, not the folder owner's quota.

Yes it's not ideal, but you can probably work around most of these things if you really need to.

For example, if you just make the service-account upload all the data to that shared folder then it should probably be able to delete just fine. Some situations depending on the specific use-cases will still be messy though no doubt. It is a real shame that you don't have the option to set a user-level on those you invite, because then you could probably just solve it by setting it to an elevated privilege.

Teamdrives are obviously easier to work with in these cases, whenever that is an option.

I appreciate the correction :) I know a lot of cloud storage systems superficially so it is great to have info from an expert :)
