Google Drive permission issue, service account in personl drive

uprprc777 · June 12, 2022, 2:17am

What is the problem you are having with rclone?

I apologize this issue could be more related to Google Drive instead of rclone but I think it was not completely off-topic. And I do need some help so I post it here.

For some reasons, I want to use a service account (SA) to access my Google Personal Drive (not Team Drive, and that's what caused the problem).

I chosed a folder and add the SA as "editor" in the "share" panel on the official Google Drive Web application. Unlike Team Drive, "editor" is the most powerful role I can find while there is also other role with higher permission e.g. content manager.

As official description, the "editor" can organize, add, and edit files; and the "content manager" can add, move, edit, and delete files.

The actual issue is that, if access through rclone, both the real google account and the sa can only move and delete the files created, by the same means, owned by itself. They are able to add file at any place, and edit the file owned/created by the other account.
If one is going to delete or move the files owned by another, the operation would fail and rclone would output an error message.

2022/06/11 20:41:37 ERROR : IO error: googleapi: Error 403: The user does not have sufficient permissions for this file., insufficientFilePermissions

Is it possible to let both the real Google account and the sa can have full access to the Personal Google Drive (with rclone)?

Thanks in advance!

Run the command 'rclone version' and share the full output of the command.

rclone v1.58.1
- os/version: Microsoft Windows 10 Pro for Workstations 21H2 (64 bit)
- os/kernel: 10.0.19044.1682 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.17.9
- go/linking: dynamic
- go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

rclone mount test: Q: --vfs-cache-mode full --vfs-cache-max-size 1G -vv

The rclone config contents with secrets removed.

@set RCLONE_CONFIG_GDONFLY_TYPE=drive
@set RCLONE_CONFIG_GDONFLY_SCOPE=drive

@set RCLONE_CONFIG_GDONFLY_CLIENT_ID=apiid
@set RCLONE_CONFIG_GDONFLY_CLIENT_SECRET=apisecret

@set RCLONE_CONFIG_GDONFLY_ROOT_FOLDER_ID=folderid

@set RCLONE_CONFIG_GDONFLY_SERVICE_ACCOUNT_CREDENTIALS={sascredentials}

A log from the command with the `-vv` flag

2022/06/11 20:41:37 ERROR : IO error: googleapi: Error 403: The user does not have sufficient permissions for this file., insufficientFilePermissions

benba · June 12, 2022, 7:52pm

This is not possible, personal drives have another subset of members as shared drives.

Best practise would be, upload with the ServiceAccounts to a shared drive, and then move them with the server side copy flag. The server side copy should run with your normal user, as server side copy don't count to your download/upload limit it doesn't matter and you have a clean personal drive with you as the only person with permissions.

Hint; don't use a the command copy, this wouldn't work with the flag, you have to use move.

There is only one negative side effect, you maybe upload some files twice.

system · July 12, 2022, 7:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.