Subject: Error 400 push.webhookUrlInvalid using Drive API files.watch with Pub/Sub Address

GCP Project ID: scriptoptimizer GCP Project Number: 860838752573 APIs Involved: Google Drive API (v3), Cloud Pub/Sub API

Problem Description:

I am trying to set up Google Drive push notifications to a Cloud Pub/Sub topic to trigger automated processing whenever a file is uploaded to a specific folder. I am using the files.watch method from the Google Drive API v3. However, the API call consistently fails with an HTTP 400 Bad Request error. The response body indicates {"reason": "push.webhookUrlInvalid", "message": "Invalid webhook URL. Must be a valid URL starting with https"}. This suggests the API is incorrectly validating the Pub/Sub topic address as if it were a standard HTTPS URL, even though the documentation states that the projects/PROJECT_ID/topics/TOPIC_ID format is correct for this purpose.

Details of the Failing Request:

• Endpoint: POST https://www.googleapis.com/drive/v3/files/{FOLDER_ID}/watch?supportsAllDrives=true&alt=json
• Target Folder ID: 1ighcym8WzzMUln7gGeAlW_7kiCFqkPkE (Also tested with a new folder 1zI0_aAiLxwsDH-uUsesUGq1iW-PjsbQY with the same result).
• Request Body Used:
  JSON

   

  {
    "id": "[GENERATED_UUID]",
    "type": "web_hook",
    "address": "projects/scriptoptimizer/topics/drive-updates-topic"
  }

• Error Response Received (Body):
  JSON

   

  {
    "error": {
      "errors": [
        {
          "domain": "push",
          "reason": "push.webhookUrlInvalid",
          "message": "Invalid webhook URL. Must be a valid URL starting with https"
        }
      ],
      "code": 400,
      "message": "Invalid webhook URL. Must be a valid URL starting with https"
    }
  }

Troubleshooting Steps Performed:

1. Verified API Enablement: Confirmed that Google Drive API, Cloud Pub/Sub API, Cloud Functions API, and Cloud Run API are enabled in the project.
2. Verified User Permissions (GCP): Confirmed that the user executing the setup (hola@ldcastro.com) has the Owner role on the GCP project scriptoptimizer.
3. Verified User Permissions (Drive Folder): Confirmed that the user hola@ldcastro.com is the Owner of the target Google Drive folder (1ighcym8WzzMUln7gGeAlW_7kiCFqkPkE).
4. Verified Drive Service Agent Permissions (Pub/Sub): Confirmed via the GCP Console UI that the service account service-860838752573@gcp-sa-drive.iam.gserviceaccount.com has the roles/pubsub.publisher (Pub/Sub Publisher) role granted on the topic projects/scriptoptimizer/topics/drive-updates-topic. (Note: Adding this permission via gcloud initially failed with INVALID_ARGUMENT, but adding it via the Console UI was successful).
5. Tested with Python Client: Used a Python script (setup_watch.py) with google-api-python-client library and OAuth 2.0 credentials (type: "Desktop app", flow: InstalledAppFlow). Authentication succeeds, but the service.files().watch(...).execute() call fails with the detailed 400 push.webhookUrlInvalid error shown above. Enabled detailed HTTP logging, confirming the request (URL, headers, body) appears correct according to documentation.
6. Tested with New Folder: The same API call from Python fails with the identical 400 error when targeting a completely new, empty folder (1zI0_aAiLxwsDH-uUsesUGq1iW-PjsbQY) created by the user in their "My Drive".
7. Tested with Google Apps Script: Attempted to set up the watch using the Advanced Drive Service from Apps Script (linked to the same GCP project). This also failed with a 400 error, with the message WebHook callback must be HTTPS, suggesting a similar incorrect validation issue within that environment as well.
8. Two-Step Verification (2FA): Confirmed that the user account uses 2FA, but the OAuth authentication flow completes successfully before the API call fails. This does not seem to be the cause of the specific 400 error.

Hypothesis:

Given that configurations and permissions appear correct according to documentation and extensive checks, and the error is consistent across different clients (Python, Apps Script) and different target folders, we suspect a possible backend issue or bug within the Google Drive API (files.watch endpoint) that is incorrectly applying an HTTPS URL validation to the Pub/Sub topic address for this specific project or account.

Request:

Could you please investigate why the drive.files.watch API call targeting a Pub/Sub topic address is failing with the push.webhookUrlInvalid / 400 Bad Request error in our project scriptoptimizer, despite the configurations and permissions appearing correct?

Thank you for your assistance.