Yes, as far as I can remember. It's been a while now.
When I first set it up (transferring multiple TB from a local server) – the files were owned by the individual service account, which in turn messed up when you wanted to manipulate (i.e. delete) files later on via a different user/service account.
This was not an issue using Team Drives, but was an issue using a regular user's drive (where I had to put it due to the file limit on Team Drives).
The only way to get around that was to give domain-wide delegation (I got the info from this post).
EDIT:
Just to make sure again, I did a test:
Config (just using non-crypt, does not matter):
[gdrive-sa2]
type = drive
client_id = <clientid>
client_secret = <clientsecret>
impersonate = user@domain.tld
scope = drive
root_folder_id = <folder id>
service_account_file = /home/<removed>/rclone/sa/rc05.json
Running with a newly created service account:
➜ rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:56:10 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:56:10 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:56:10 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
2021/11/02 13:56:11 ERROR : : error listing: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
2021/11/02 13:56:11 DEBUG : 4 go routines active
2021/11/02 13:56:11 Failed to lsd with 2 errors: last error was: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
Running with new service account given domain-wide delegation to the Google Drive API:
➜ rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:56:54 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:56:54 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:56:54 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
2021/11/02 13:56:54 ERROR : : error listing: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
2021/11/02 13:56:54 DEBUG : 4 go routines active
2021/11/02 13:56:54 Failed to lsd with 2 errors: last error was: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
Running SA with domain-wide delegation, and added to the group (that is added to the directory):
➜ rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:57:39 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:57:39 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:57:39 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
-1 2021-11-01 13:23:55 -1 bio0l83s1stlol81sgujc8lhn2ig
-1 2018-03-25 01:02:32 -1 d4g7fbatdddhi2k49f7b59alv9t8
-1 2018-04-30 13:21:42 -1 erqd5fvaus2135q91v162n2gp3sfs
-1 2020-10-06 10:36:47 -1 l9qr7vlm2ivssehc0cbnqi22q1r4
2021/11/02 13:57:39 DEBUG : 6 go routines active
So afaik, all steps are needed.
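
A remote like the one in the post above pairs a service-account key with `impersonate`, so the key file carries delegated access to user data and is worth auditing. The following is an added example, not part of the original post or of rclone: a small audit of an rclone config for such remotes. The `gdrive-ro` remote, the finding labels and the temporary key files are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

def audit_rclone_config(text):
    """Return (remote, finding) pairs for drive remotes that use a service-account key."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        key_file = sec.get("service_account_file", "")
        if sec.get("type") != "drive" or not key_file:
            continue
        # rclone falls back to the full "drive" scope when none is configured.
        scopes = {s.strip() for s in sec.get("scope", "").split(",") if s.strip()} or {"drive"}
        user = sec.get("impersonate", "")
        if user:
            # Impersonation relies on domain-wide delegation for the key's
            # client ID, so whoever holds this key can act as domain users.
            findings.append((name, f"delegated-key-impersonates:{user}"))
            if "drive" in scopes:
                findings.append((name, "full-drive-scope-with-delegation"))
        if os.path.exists(key_file):
            mode = stat.S_IMODE(os.stat(key_file).st_mode)
            if mode & 0o077:  # any group/world permission bit set
                findings.append((name, f"key-file-mode-{mode:o}-group-or-world-access"))
    return findings

def demo():
    """Constructed sample: the post's remote plus a hypothetical read-only one."""
    tmp = tempfile.mkdtemp()
    loose, tight = os.path.join(tmp, "rc05.json"), os.path.join(tmp, "ro.json")
    for path, mode in ((loose, 0o644), (tight, 0o600)):
        with open(path, "w") as fh:
            fh.write("{}")  # placeholder content, not a real key
        os.chmod(path, mode)
    sample = (
        "[gdrive-sa2]\ntype = drive\nimpersonate = user@domain.tld\n"
        f"scope = drive\nservice_account_file = {loose}\n\n"
        "[gdrive-ro]\ntype = drive\nimpersonate = user@domain.tld\n"
        f"scope = drive.readonly\nservice_account_file = {tight}\n"
    )
    return audit_rclone_config(sample)

if __name__ == "__main__":
    for remote, finding in demo():
        print(f"{remote}: {finding}")
```
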