Gdrive access via service account

Hi,

I just configured rclone for gdrive access.
I have a GSuite account and I need unattended access from a build script (I am a developer).

I configured everything by following the docs - https://rclone.org/drive/
I created a service account, I downloaded the json key, enabled the client via gcloud admin interface.
I created a folder under My Drive and I specified that id as root folder id.

I added some files to that folder and tried to run rclone ls.
Nothing.
No contents. No errors in the logs, even when using -vv.

I removed my root folder id and rclone added one in my rclone.conf.
This one was... somehow working.
I added files via rclone/cli, and they were stored by rclone.
However, I could not find them in my gdrive web interface.

At this point, I was desperate

  • My folder was not working.
  • And the one that was "working"...well, I have no idea where it stored its files.

I solved my problem and I was able to use my own root folder
as soon as... I {shared} that root folder
with the username of the new service account that I created

However, this {sharing} step is not documented on the rclone-gdrive page.
Maybe it's obvious for other people, it wasn't for me.

First, please confirm that this is required, that this step is indeed necessary.
And if it is, please update the docs. I can create myself a PR if someone guides me to find the specific doc file in your repo.

Thanks a lot
Chris

You are correct -- would be a good idea if the doc described your method.

When you ran rclone ls did you include --drive-impersonate foo@example.com ? The doc mentions that this is what does the magic, pretending to be user foo. In your case user foo would be your own username that has access to the TDs.

What you did is a (quite useful) variation that eliminates the need for using --drive-impersonate. You can add each unique SA email to the TDs you want to use with the SAs.

Alternatively you can create and add a group email to the TD and add your SA email (or multiple SA emails) to the group. Useful if you have >1 SA or sometimes change them -- whatever you stick in the group then has access to whichever TDs the group has permission for.

If someone can type up the wording and what needs to change, I'm happy to do a pull request to update that, as I don't use service accounts and am not as familiar with them.

Hi again,

@Lex @Animosity022

I had tried in 3 different ways to use my own root folder:

  1. folder not shared with the service account, rclone without --impersonate

rclone --config=.\rclone.conf --drive-service-account-file=.\caramel-sum-123456-24156556d1fg.json ls myremote:

//silence, I get nothing, no error, no contents listed even with -vv

  2. folder not shared with the service account, with --impersonate

rclone --config=.\rclone.conf --drive-service-account-file=.\caramel-sum-123456-24156556d1fg.json --drive-impersonate me@mydomain.com ls myremote:

got this error

2020/07/17 19:22:35 NOTICE: Google drive root '': Ignoring cached root_folder_id when using --drive-impersonate
2020/07/17 19:22:35 Failed to create file system for "myremote:": couldn't find root directory ID: Get "googleapis com/drive/v3/files/root?alt=json&fields=id&prettyPrint=false&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

  3. folder shared !! with the service account, without --impersonate (not documented)

rclone --config=.\rclone.conf --drive-service-account-file=.\caramel-sum-123456-24156556d1fg.json ls myremote:

finally got my contents

 82055808 build1.zip
 81973561 build2.zip

No other settings were changed during these 3 tests.

As I said, if I use the "default" root folder id (instead of my own), it might "work" as well, but files are not visible on the gdrive web interface, so I ignored that option.


My rclone config contains just the remote name, the type=drive (13), no client id, no client secret, a root folder id and the json key for my service account, nothing else.


So, in my case, the documented steps did not work at all until I shared my root folder with the user/email of the new Service Account I created.

I would just add this as a possible hint on the rclone documentation page
at the end of the section #4 - rclone.org/drive/#4-verify-that-it-s-working

In case you configured a specific root folder on gdrive and rclone is unable to access the contents of that folder when using --drive-impersonate, do this instead:

  • in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step #1
  • use rclone without specifying the --drive-impersonate option, like this:
    rclone -v lsf gdrive:backup

Thank you
Chris
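As an added illustration of the two points made in this thread (the config that Chris describes, and the advice to share the root folder, or a group that has access to it, with the service account's own e-mail address), the following helper script is not from the thread or from the rclone project. It reads a service-account key file to find the `client_email` value that the folder must be shared with, renders the minimal rclone.conf section for an unattended remote, and checks an existing section for the mistakes discussed above (a leftover user OAuth token, or a missing `root_folder_id`, which makes uploads land in the service account's own Drive where the web UI never shows them). The key file contents, the remote name, the key path and the folder id are constructed placeholders, and the function names are my own.

```python
"""Helpers for an unattended rclone Google Drive remote backed by a service account."""
import configparser
import io
import json
from typing import List

# Constructed sample of a Google service-account key file (placeholder values, not a real key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123456",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "rclone-builds@example-project-123456.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

REQUIRED_KEY_FIELDS = ("type", "client_email", "private_key", "token_uri")


def service_account_email(key_json: str) -> str:
    """Return the service account's e-mail address from its key file.

    Without --drive-impersonate, rclone authenticates as this identity, so this is
    the address the Drive folder (or a group that has access to it) must be shared with.
    """
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key (type={key['type']!r})")
    return key["client_email"]


def render_rclone_section(remote: str, key_path: str, root_folder_id: str) -> str:
    """Render an rclone.conf section for a Drive remote that uses only the key file."""
    cp = configparser.ConfigParser()
    cp[remote] = {
        "type": "drive",
        "scope": "drive",
        "service_account_file": key_path,
        "root_folder_id": root_folder_id,
    }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def check_rclone_section(conf_text: str, remote: str) -> List[str]:
    """Return findings for a remote meant to run unattended; an empty list means OK."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if remote not in cp:
        return [f"remote {remote!r} not found in config"]
    sec = cp[remote]
    findings = []
    if sec.get("type") != "drive":
        findings.append("type is not 'drive'")
    if not sec.get("service_account_file"):
        findings.append("no service_account_file: rclone would fall back to interactive OAuth")
    if sec.get("token"):
        findings.append("section carries a user OAuth token; remove it so only the service account key is used")
    if not sec.get("root_folder_id"):
        findings.append("no root_folder_id: uploads land in the service account's own Drive, invisible in your web UI")
    return findings


if __name__ == "__main__":
    email = service_account_email(SAMPLE_KEY_JSON)
    print(f"share the root folder with: {email}")
    conf = render_rclone_section("myremote", "./sa-key.json", "PLACEHOLDER_FOLDER_ID")
    print(conf)
    print("findings:", check_rclone_section(conf, "myremote") or "none")
```

Share the folder with exactly the address the script prints (a viewer role is enough for `rclone ls`; uploads need an editor role), then run `rclone ls myremote:` with no `--drive-impersonate`, which is the variant that worked in test 3 above.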

update: I created a PR - https://github.com/rclone/rclone/pull/4444,
This PR just updates the drive.md file.
thanks
