Our organization is on Google Workspace enterprise.
We create projects in GCP so we can get tokens to make Google Workspace API calls (Google Drive and Google Sheets).
I want to write a program that will run on a server that will create Google Sheet files in Google Drive by making the appropriate Google Sheets API and Google Drive API calls.
Since this is a human-less automation, we don't have a way for a user to authorize the program to have access to Google Drive and Google Sheets. This program won't be acting on behalf of a user so we can't have the program ask the user to go through the normal Oauth flow.
What options do we have?
I was reading that we can create service IDs in our GCP project, but according to https://cloud.google.com/iam/docs/service-accounts-create I can see that service accounts are created in the iam.gserviceaccount.com domain. The problem is that, for the service account to have access to our Google Drive files, we have to whitelist the iam.gserviceaccount.com domain, but if we whitelist iam.gserviceaccount.com then ALL service accounts, even the ones outside of our organization, can access our Google Drive.
Or am I misunderstanding something?
Hi
I don't know about services accounts, but I know some about apps scripts.
In some projects I have achieved things like you are talking about.
I did a webapp available for anyone, protected with an API KEY token, and this script is like a simple API. So, with apps scripts you can:
Here you can find some information about it: https://developers.google.com/apps-script/guides/web
For me, this was a powerful approach to solve things like that, and I hope it helps you.
My kind regards
In most organizations using an enterprise account, they don't allow web apps to be accessible by everyone. Even if it is protected by API key, they won't allow it.
You're right to be looking at service accounts. Something to keep in mind is Google Drive files will always need a Workspace account to create them. You can use a service account to impersonate any account in your Workspace domain. This account can be a named person, or sometimes domains use a functional account. This still requires a Workspace licence, but it is used in scenarios like this for drive file creation.
There are various tutorials for using service accounts in Google Workspace. Do you have a preferred programming language/stack?
@mhawksey wrote: Google Drive files will always need a Workspace account to create them
So a service account cannot create Google content?
@mhawksey wrote: There are various tutorials for using service accounts in Google Workspace.
We are doing things in Java, Python, and JavaScript. But if you have a good document/tutorial, we can figure it out.
But I am not sure about using service accounts. The problem is that, for the service account to have access to our Google Drive files, we have to whitelist the iam.gserviceaccount.com domain, but if we whitelist iam.gserviceaccount.com then ALL service accounts, even the ones outside of our organization, can access our Google Drive.
Hi
Just sharing these 2 links with some code to get an idea about using apps scripts to solve your challenge. It is not exactly the solution but could give you an idea.
Think of it as if you are creating a webhook; this webhook will be called by your app (and it can receive params), and the apps script will create the Spreadsheets and things inside Drive and return some JSON response, maybe the Spreadsheet ID or something like that.
Just my 2 cents.
I hope this helps
Regards
Yeah, we thought about this but there is no way to make our program call the web app because it needs to be a Google account in our organization.
Oh I see
Well, there is platform called make.com / integromat.
https://www.make.com/en/integrations/gateway
https://www.make.com/en/help/app/google-sheets#create-a-spreadsheet
It has a webhook option and you can connect another application like Google Spreadsheets and create a workflow, so after the webhook receives data you can create a Google Spreadsheet and return the ID and so on.
To do this, you must connect Make with some Google account in your domain; this will be possible if there isn't a rule to block it.
The thing is that Make works on behalf of the account you connected. Make does all the OAuth work.
You just need to call the webhook from your app. I think it will be necessary to define a KEY (you define it) to check that only your app calls this webhook.
Maybe it could be useful to you. This is, in a way, very similar to the webapp solution but using external tools.
Regards
@AnchalNigam wrote: So a service account cannot create Google content?
You can but as you are finding there are security considerations. One approach is described here where the service account is added to a specified folder. This might give you what you need in terms of only adding a single service account to a defined folder.
In our enterprise environment we have locked down our Google Drive so it's only available to our organization or whitelisted domains. In order for us to give the service account access to that Google Drive, before we can give the service account access to the drive, we have to add the service account domain (iam.gserviceaccount.com) to the whitelist of the Google Drive. We can't do that because then that would allow folks to add ANY service account to the Google Drive, even ones that are not in our enterprise.
I see - in this case the only solution I can see without changing your domain configuration is creating a functional account in your domain (e.g. document.librarian@example.com) and either authenticating your script to run your code or use a service account to impersonate the account that has been created.
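As an added example (not code from the thread or from Google's client libraries), this is the delegated credential request mhawksey describes, in plain Python: the service account builds the JWT-bearer assertion whose `sub` claim names the functional account it impersonates, and the program then POSTs that assertion to the token endpoint. The emails `sheets-bot@my-project.iam.gserviceaccount.com` and `document.librarian@example.com`, the signer callback and the refusal to impersonate users outside the org domain are constructed assumptions; a real deployment signs with the service account's RSA private key.

```python
import base64
import json
import time
from typing import Callable, Optional

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Least-privilege scopes for creating Sheets in Drive; these exact scopes must be
# granted to the service account's client ID under domain-wide delegation.
SCOPES = ("https://www.googleapis.com/auth/drive.file",
          "https://www.googleapis.com/auth/spreadsheets")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_delegated_assertion(sa_email: str, subject: str, org_domain: str,
                              signer: Callable[[bytes], bytes],
                              now: Optional[int] = None) -> str:
    """Build the JWT that the token endpoint exchanges for an access token.

    `sub` is the Workspace user being impersonated. Refusing any subject outside
    the organisation's own domain (a constructed safeguard) keeps a config
    mistake from turning into impersonation of an external account."""
    if not sa_email.endswith(".iam.gserviceaccount.com"):
        raise ValueError("issuer is not a service account email")
    _, at, domain = subject.rpartition("@")
    if not at or domain.lower() != org_domain.lower():
        raise ValueError(f"refusing to impersonate a user outside {org_domain}")
    iat = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": sa_email, "sub": subject, "scope": " ".join(SCOPES),
              "aud": TOKEN_URI, "iat": iat, "exp": iat + 3600}  # 1 h max lifetime
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64url(signer(signing_input.encode('ascii')))}"


def token_request_body(assertion: str) -> dict:
    """Form fields POSTed to TOKEN_URI to obtain the delegated access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(assertion: str) -> dict:
    """Read back the claims (no signature check; for inspection or logging only)."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))
```

The exposure is bounded by which client ID and scopes are authorised for domain-wide delegation in the Admin console, so the Drive sharing allow-list for iam.gserviceaccount.com never has to be opened.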