Securing service key, googledrive

gcb · November 22, 2022, 3:06pm

What is the problem you are having with rclone?

summary: How to import my gdrive service file (private key) into the encrypted config file?

Hi. new user here. Using rclone to to pull/push files to gDrive when working with people that prefer that platform (while I prefer libreoffice locally)

I was using the Oauth token setup, but it's expiring every 7 days. Even moving my project to "production" status, i see that there's a new option on Google's UI that I can choose if my tokens live for "3 hours" or "7 days" so I do not think tokens will ever live longer than 7 days anyway.

This is not a very sensitive account, and i would much like to have 1yr+ tokens that I can invalidate if needed.

Now, I've created a service account and it is working fine, but i was surprised rclone didn't "import" the key/service-file as it does with my other sensitive information.

Am i missing something? i looked at Google drive

Run the command 'rclone version' and share the full output of the command.

rclone v1.60.1

os/version: arch (64 bit)
os/kernel: 6.0.9-arch1-1 (x86_64)
os/type: linux
os/arch: amd64
go/version: go1.19.3
go/linking: dynamic
go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

#!/bin/env bash
# >>> pull.sh

set -e

RCLONE=/usr/bin/rclone
RCLONEFLAGS=(
        -v
        --one-file-system # Don't cross filesystem boundaries
        --update # Skip files that are newer on the destination
        # --progress # show progress
        --refresh-times # Refresh the modtime of remote files
        # --stats-log-level INFO # Log level to show --stats output DEBUG|INFO
        --drive-acknowledge-abuse # Set to allow files which return cannotDownloadAbusiveFile to be downloaded
        --drive-export-formats "docx,xlsx,pptx,svg,pdf" # Comma separated list of preferred formats for downloading Google docs (default "docx,xlsx,pptx,svg")
        --drive-skip-shortcuts
)

RCLONESHAREDFLAGS=(
        --drive-shared-with-me # Only show files that are shared with me
)

RCOPY="${RCLONE} copy ${RCLONEFLAGS[@]}"
RCOPYSHARED="${RCOPY} ${RCLONESHAREDFLAGS[@]} --drive-shared-with-me"

set -x

${RCOPY} gcbdrive: /home/gcb/cloud/
${RCOPYSHARED} gcbdrive: /home/gcb/cloud-shared/

The rclone config contents with secrets removed.

Configuration complete.
Options:
- type: drive
- client_id: randomnumbersandletters.apps.googleusercontent.com
- client_secret: removed
- scope: drive
- pacer_min_sleep: 151ms
- token: json...removed
- team_drive: 
- service_account_file: /some_file.json

A log from the command with the `-vv` flag

1. everything works fine.

2. remove the plain text json file with my private key from my hardrive

3. Failed to create file system for "gcbdrive:": drive: failed when making oauth client: error opening service account credentials file: open /some_file.json: no such file or directory

asdffdsa · November 22, 2022, 4:44pm

hello and welcome to the forum,

perhaps remove or comment out
service_account_file: /some_file.json

or

create two remotes, one using client_id, one use service file

gcb · November 22, 2022, 4:52pm

I will migrate to service ID. that is fine.

I'm not trying to resolve that error, that was just to show that the unencrypted file is required for the copy.

All that file have is a json. Same as the token. But the token is fully copied over rclone's own encrypted config file.

Why can't the service file json can't be copied the same way? am i preventing it somehow or is this feature missing?

asdffdsa · November 22, 2022, 4:58pm

sorry, not sure what you mean.

can embed the service file info into the config file

[gdrivesac1]
type = drive
scope = drive
service_account_credentials = {"type": "service_account", "project_id": "redacted",   "private_key_id": "redacted",   "private_key": "redacted",   "client_email": "redacted",   "client_id": "redacted",   "auth_uri": "https://accounts.google.com/o/oauth2/auth",   "token_uri": "https://oauth2.googleapis.com/token",   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",   "client_x509_cert_url": "redacted" }

gcb · November 22, 2022, 5:31pm

Thanks! that is exactly what I wanted.

I was just following whatever rclone config was suggesting/doing, and it defaulted to pointing to the unencrypted file. Having the contents like you showed in the config file will encrypt it instead, which is what I wanted.

system · November 25, 2022, 5:31pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.