Google Partner access

Hi All, @ncw,

Not sure if this exists yet, but as a Google Partner we can add a client ID to our clients' API page and then access details in their accounts using a simple point of entry, without needing a user in their system.

GAMADV-XTD3, which also uses the Google APIs, does this using the customer ID and allows us to switch between multiple customers and domains.

Not sure if this is possible in rclone at this stage, but it would be great if we could do that. It would make our lives migrating to Google Drive and Shared Drives a lot easier!

Thanks

Looking at the docs

To run all commands properly, GAMADV-XTD3 requires three things:

  • An API project which identifies your install of GAMADV-XTD3 to Google and keeps track of API quotas.
  • Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
  • A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.

To identify that you are using a particular project you'll need to make a client_id and a client_secret for rclone.

I'm not sure what the second point entails.

As for the third point rclone can run as a service account and impersonate a user.

I think that should be enough for you to act on behalf of users.

Thanks, Nick, for the info; clearly I have no idea how this works mechanically under the hood, or what magic GAM does.

We don't do that; we create one client ID and secret in the Google console for our partner user (me@partner.com). We then go into the client admin console via our own partner login (me@partner.com), add our client ID and scope to the client's (@client.com) account, and we are able to use the same client ID across all of our clients (250 of them).

GAM has a way to define the customer_id of the @client.com account; we (@partner.com) simply switch to it with a GAM command and can then perform all the API scope actions against that customer without creating a specific client ID. Again, not sure how this works under the hood.

I know that the Reseller API is where we find the customer_id; how this then translates to the request on the Drive API to discern which customer_id we are operating on, I do not know.

I have tried this, but when we set up the remote for Google Drive there is no defining information to get to a second account; it simply sets up with the @partner.com account and we have no ability to define a domain or customer_id.

I'll give Ross a bump to see if he can help shed some light.

To clarify a few things here:

  • GAM uses both Google Workspace Admin APIs to manage users, groups and other IT aspects of a Workspace instance AND user data APIs like Google Drive API to manage end user data. As far as I know rclone currently only uses Drive API.
  • customer_id is used by GAM with the Admin APIs, not the end user data APIs. Google Drive API does not utilize customer_id.
  • Workspace admins can programmatically access and manage end user Workspace data using domain-wide delegation (DwD). See Control API access with domain-wide delegation - Google Workspace Admin Help - I believe rclone is already utilizing DwD.
  • For security reasons, it's generally NOT possible for reseller accounts to access end user data of their customers directly, it needs to be done via DwD (again as rclone is already doing).

So the answer here is you'd need to configure DwD for each of your resold customers. Be extremely careful with the service account private key JSON file you use in this scenario, as it is effectively the key to all your customers' data.
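An added example (not from this thread or from the rclone project) of what the per-customer DwD setup looks like from the partner side: one service-account key serves every customer, rclone impersonates a user inside the target domain, and the key file is refused if anyone but its owner can read it. The flags `--drive-service-account-file`, `--drive-impersonate` and `--drive-scope` are rclone's own; the key path, domains and user names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or rclone: list Drive for each resold
# customer through domain-wide delegation with ONE service-account key.
# --drive-service-account-file and --drive-impersonate are real rclone flags;
# KEY_FILE, the domains and the user names below are placeholders.

KEY_FILE="${KEY_FILE:-/etc/rclone/dwd-sa.json}"   # placeholder path

# The key is "the key to all your customers' data": refuse to use it if
# anyone but the owner can read it. Returns 0 for mode 0600 or 0400.
key_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Arguments for one impersonated user, printed one per line. The service
# account owns nothing itself; DwD lets it act as "$1", so rclone sees
# that customer's Drive, not the partner's. Extra args are passed through.
rclone_args_for() {
    user="$1"; shift
    printf '%s\n' \
        "--drive-service-account-file=$KEY_FILE" \
        "--drive-impersonate=$user" \
        "--drive-scope=drive.readonly" \
        "$@"
}

# ":drive:" is an on-the-fly remote, so no rclone.conf entry per customer.
# Each customer must first have granted this service account's client ID
# the Drive scope in its own admin console (the DwD step described above).
list_customer_drives() {
    user="$1"
    key_file_is_private "$KEY_FILE" || {
        echo "refusing: $KEY_FILE is readable by group/others" >&2
        return 1
    }
    # substitution left unquoted on purpose: one word per argument
    rclone lsd $(rclone_args_for "$user") ":drive:"
}

# usage: sh dwd-list.sh admin@client-a.com admin@client-b.com
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        echo "== $u"; list_customer_drives "$u"
    done
fi
```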
