Difficulties authenticating with gdrive

What is the problem you are having with rclone?

Authorization with Google Drive works, but only with service account.

Run the command 'rclone version' and share the full output of the command.

rclone v1.61.1
- os/version: ubuntu 22.04 (64 bit)
- os/kernel: 5.15.0-1027-oracle (aarch64)
- os/type: linux
- os/arch: arm64
- go/version: go1.19.4
- go/linking: static
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

Paste command here

sudo systemctl start rclone-movies

which points to this service file (thank you @animosity22):

Description=RClone Service GDrive Movies

ExecStart=/usr/bin/rclone mount gcrypt:movies /data/media/movies \
--allow-other \
--dir-cache-time 9999h \
--log-file /opt/rclone/logs/gcrypt-mount.log \
--log-level DEBUG \
--umask 002 \
--rc \
--rc-addr \
--rc-no-auth \
--cache-dir=~/.cache/rclone/vfs/movies \
--vfs-cache-mode full \
--vfs-cache-max-size 40G \
--vfs-fast-fingerprint \
--vfs-read-chunk-size 32M \
--vfs-write-back 1h \
--vfs-cache-max-age 144h \
--disable-http2 \
--tpslimit 12 \
--tpslimit-burst 0

ExecStop=/bin/fusermount -uz /data/media/movies
ExecStartPost=/usr/bin/rclone rc vfs/refresh recursive=true --url _async=true


The rclone config contents with secrets removed.

type = crypt
remote = gd2:Media
password = {redacted}
password2 = {redacted}

type = drive
client_id = {redacted}
scope = drive
token = {"access_token":"{redacted}","token_type":"Bearer","refresh_token":"{redacted}","expiry":"2023-01-29T11:46:07.0096856-06:00"}
team_drive =
service_account_file = /home/ubuntu/Desktop/rclone-api-###########.json
shared_with_me = true
pacer_min_sleep = 10ms
pacer_burst = 200
server_side_across_configs = true
stop_on_upload_limit = false
stop_on_download_limit = false

A log from the command with the -vv flag

I can't do this one because the mount is working.

Explanation of conundrum to the best of my ability/memory
Yesterday morning my rclone mounts stopped working. When I tried to reconnect them, the error message suggested that I reauthorize drive using the command "rclone config reconnect gd2:". (I've recreated the issue with a different remote, so the text below is from that remote.)

Failed to create file system for "gdrive:": couldn't find root directory ID: Get "https://www.googleapis.com/drive/v3/files/root?alt=json&fields=id&prettyPrint=false&supportsAllDrives=true": couldn't fetch token - maybe it has expired? - refresh with "rclone config reconnect gdrive:": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Unauthorized"

This did not work until I flushed my DNS cache and then the mounts started working again. Last night I tinkered more and switched to using service accounts for the mounts and the same issue authenticating popped up (I'm sorry that I don't have the exact text). At first I used just my client_ID and client_secret that I set up 2 years ago through the Google API. When that didn't work I switched to a service account this evening. That now works, but it also says that I only have 15Gb of storage, which I know is attached to the service account.

Here are my curiosities:

  1. Is this the best way to authorize with Google drive, or is there another way that won't make it look like it's limiting my data? If this 15Gb is okay and I'll have no issues, no worries!
  2. Do I need to worry about the 15Gb limit on the service account?

I'm sure I have not explained myself well enough and I'm happy to add more details as necessary.

I've been using this forum for 2 years and I'm so appreciative of all the people who spend so much time helping people troubleshoot.

hello and welcome to the forum,

about gd2:, has both a client_id and service account file in the same remote.
whereas, i think normally, that is not the case.

type = drive
client_id = redacted
client_secret = redacted
scope = drive
token = redacted


type = drive
scope = drive
service_account_file = C:\data\rclone\rr\other\gdrive.sa\it.org.json

that last line should not have a trailing slash \

Thank you. I will take client_id and client_secret out and see how that goes.. I left the rest of that service file out, which I'm adding now, though I'm not sure it adds a lot of value to the question.

fwiw, i would
--- test first using rclone ls, then rclone mount working on command line, then try systemd
--- i would re-create gd2:, and use two remotes, one remote for client_id, one, one remote for service account file.

Here's the output of rclone ls gdrive: (I made a new remote, created a new client_id and client_secret, and changed the name)

2023/01/31 15:31:03 Failed to create file system for "gdrive:": couldn't find root directory ID: Get "https://www.googleapis.com/drive/v3/files/root?alt=json&fields=id&prettyPrint=false&supportsAllDrives=true": couldn't fetch token - maybe it has expired? - refresh with "rclone config reconnect gdrive:": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Unauthorized"

Using the service account authenticates, but then I have the 15Gb--which I'm not really sure is a limitation except for not being able to upload anything larger than 15 Gb. I'd appreciate any insight you or anyone else has into that.

Turns out all I had to do was use the service account to authenticate with the impersonate option on my remote.

type = drive
client_id = 
client_secret = 
scope = drive
token = 
team_drive = 
service_account_file = /path/to/service/account/file.json
shared_with_me = false
pacer_min_sleep = 10ms
pacer_burst = 200
server_side_across_configs = true
stop_on_upload_limit = true
stop_on_download_limit = true
impersonate = user@mydomain.com
root_folder_id = #############

I got the root folder ID from the output when I ran this command:

rclone lsd -vv gdrive:

This solved my issue of not being able to use the client_id and client_secret anymore.

A service account doesn't use a client ID and secret as a service account uses its own.

That isn't the solution as you shouldn't be mixing the two.

You'd have to check your console to see what it's actually using.

That’s right. In the final fix there was no client_id or client_secret in the config file. I used a service account and made sure I had the “impersonate” option set.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.