What is the problem you are having with rclone?
I have defined various Google Drives as remotes "src-companydata" and one "dst-backups". The idea being to do a periodic sync and thus get a backup. In order to be sure that rclone does not modify our company drives, I have defined all the source drives scopes as read-only, in order to be sure that rclone does not somehow modify our company data.
It looks like, when synchronising gdrive-to-gdrive, rclone is not honoring the security scopes defined in the rclone.conf. My suspicion is that this is linked somehow to the file type (Google Form) and the fact that I use server-side-across-configs. Possibly some weird interaction with the semantics of the API you use to copy files in a google-to-google way?
The src-companydata: remote is defined in rclone.conf as scope "drive.readonly" and the dst-backups: is defined as scope "drive". Both use the same service account and oAuth client, using impersonation:
[dst-backups]
global.checksum = true
client_id = xxxxx
client_secret = xxxxx
service_account_file = config/gworkspace-service-account.json
impersonate = svc-backup@xxxxx.com
type = drive
scope = drive
team_drive = xxxxx
[src-companydata]
client_id = xxxxx
client_secret = xxxxx
service_account_file = config/gworkspace-service-account.json
impersonate = svc-backup@xxxxx.com
type = drive
scope = drive.readonly
team_drive = xxxxx
When running rclone sync I have observed rclone creating “Copy of” files in src-companydata, which is should not be able to do since the scope is drive.readonly
Run the command 'rclone version' and share the full output of the command.
rclone v1.71.0
- os/version: debian 11.11 (64 bit)
- os/kernel: 5.10.0-35-cloud-amd64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.25.0
- go/linking: static
- go/tags: none
Which cloud storage system are you using? (eg Google Drive)
Google Drive
The command you were trying to run (eg rclone copy /tmp remote:tmp)
rclone sync src-companydata: dst-backups:companydata/snapshot --backup-dir dst-backups:companydata/archive -vv --log-file bug.log
With the following environment variables:
export RCLONE_CHECKERS=1
export RCLONE_TPSLIMIT=20
export RCLONE_DRIVE_PACER_MIN_SLEEP=10ms
export RCLONE_CONFIG="config/rclone.conf"
export RCLONE_DRIVE_SKIP_SHORTCUTS=true
export RCLONE_DRIVE_SERVER_SIDE_ACROSS_CONFIGS=true
export RCLONE_FAST_LIST=true
The rclone config contents with secrets removed.
[dst-backups]
global.checksum = true
client_id = xxxxx
client_secret = xxxxx
service_account_file = config/gworkspace-service-account.json
impersonate = svc-backup@xxxxx.com
type = drive
scope = drive
team_drive = xxxxx
[src-companydata]
client_id = xxxxx
client_secret = xxxxx
service_account_file = config/gworkspace-service-account.json
impersonate = svc-backup@xxxxx.com
type = drive
scope = drive.readonly
team_drive = xxxxx
A log from the command with the -vv flag
This log contains too much sensitive company data unfortunately, and I have not been able to reproduce in a more "minimalist" setting.