Limit access to Google Drive account?

What is the problem you are having with rclone?

I don't know how to setup rclone on another machine to use my google drive, but limit it to use only a specific folder. I don't want it to access anything other than this folder. It would be also good to give it read-only permissions to specific folders. Apologies if this is more google drive than rclone related question.

Run the command 'rclone version' and share the full output of the command.

rclone v1.66.0

  • os/version: arch rolling (64 bit)
  • os/kernel: 6.8.9-arch1-1 (x86_64)
  • os/type: linux
  • os/arch: amd64
  • go/version: go1.22.1
  • go/linking: dynamic
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone config

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

type = drive
client_id = XXX
client_secret = XXX
scope = drive
token = XXX
root_folder_id = XXX
team_drive =

type = crypt
remote = gdrive:crypt
password = XXX
password2 = XXX

type = crypt
remote = gdrive:<folder-name>
password = XXX
password2 = XXX

Thank you for creating redacted version of rclone config - it saves me a bit of a hussle :slight_smile:

A log from the command that you were trying to run with the -vv flag

no log

welcome to the forum,

set this to restrict rclone to a specific folder hierarchy

2 / Read-only access to file metadata and file contents.
\ "drive.readonly"

thank you @asdffdsa, but I thought that "Root folder ID" can be changed by the other machine? Is there anything that prevents someone who gains access to another machine from modifying the config file and gaining access to the root folder? I thought that this is only a convenience and not a security feature? Sorry if my question wasn't clear about that.

so you want to share a single gdrive account to multiple "users"?

Yes, exactly. I wouldn't want to create a new account for each new machine as that would get cumbersome very fast. There are also some overlaps, like some machines should have access to folderA and folderB, but some machines only to folderB and folderC and other possible combinations.

After some more research I've learned that one (and possibly only) way to accomplish this is creating a service account. Service accounts are "dummy users" that by default DO NOT have access to you data. Presumably more sophisticated methods of sharing your user and user accounts' data will be available. I will try it tomorrow.

i was going to suggest that, as that is how S3 works.
you create a IAM/bucket policy to limit users to certain bucket/folders

Makes sense, I'm new to this, but I expect that once you get one service to work other cloud providers will follow a similar pattern. Without that first step though and without knowledge of the ways of google api it takes a lot of shots in the dark. Again sorry if that's not an rclone-specific question, I imagine though that some users will come across this issue as well perhaps when setting up rclone on their laptop that "hmm maybe I shouldn't give this machine I take everywhere with me access the entire google drive".

they do follow a very similar pattern

  • IAM
  • buckets
  • polices
  • storage class

i am not very familiar with google, but what you want is trivial with s3 providers.

I do this myself.

Have one Google account and it has folders that can be accessed by some but not others. I do this by selecting a particular folder and granting a different Google account access to that one folder tree.

The only way that I can think of to guarantee that another computer running rclone or any other software can only access a specific folder in a specific Gmail account is to set up folder access permissions to other Gmail accounts. If you have a number of other users or computers you don't necessarily have to create a new Gmail account for every computer or for every person. You only need to create as many Gmail accounts as subdivisions within the master account that you need. For example if there are four primary areas that you want to Grant access to divide those four areas up using four Gmail accounts and any number of computers or users can access those four areas based on which account you give that user or computer.

For example the master Gmail account may have a subfolder called education and another subfolder called Administration and so on and so forth.

If you want users a b c and d or computers A B C and D to all have access to the education area then you use the specific Gmail account that you assigned access to the education folder system in the master account.

Thank you, yes, that solves it. Thank you for confirming that this use case has been implemented by someone already. I'm going to test it soon.

1 Like

Yep :sweat_smile: it took me an embarrassing amount of time to realize differences between google drive and s3, what "premium features" s3 provides that are unavailable in google drive offering. That's one good example.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.