Google Sheet API stopped working post restricting Drive's External sharing to Allowlisted domains

Recently we changed Google Drive's external sharing setting on one of our Google Workspace tenants.

Path to settings - Home > Apps > Google Workspace > Drive and Docs > Sharing Settings > Sharing outside of ABC Inc > AllowListed domains.

There was a GCP project where developers were accessing a Google Spreadsheet through the Google Sheets API using a service account.

After that change, it stopped working and we are getting the error: HTTP error 403. The caller does not have permissions.

When we try to share that particular Google Sheet with the service account, our settings don't allow it as it is not from an allowlisted domain, and when we try to allowlist the domain, the Google Admin console doesn't allow us to list it as it is not compatible.

Tried granting domain-wide delegation to the Client ID and scope. It still doesn't work.

 

What should we check?

3 REPLIES

I have resolved the issue using Domain wide delegation. 

DwD is very broad and not recommended unless you don't have any other option to make it work. In your case, you should consider the following to add more security:
1. Create a Google group and add your service account to it.
2. Create a trust rule, allowing this group to have access.

This way, you would be able to apply granular scope if needed.

In my case, I have mentioned only the specific file-based scope which is being accessed by the app.

And the user has a Cloud Identity license. Trust rule may not work for this user, so I didn't test this feature. Google's documentation for trust rule - Google Workspace Help

I appreciate your help. Thanks.
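
An added example, not written by any poster in this thread: a Python pre-flight check for a domain-wide delegation setup like the one discussed above. It builds the claim set a service account signs when requesting a token and reports a missing `sub` (the impersonated user), scopes not authorized for the client ID, and broad scopes; the account name, `example.com` and the helper names are assumptions.

```python
# Added example: pre-flight check of a domain-wide delegation (DwD) setup.
# All values below are constructed; example.com stands in for the tenant.
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
BASE = "https://www.googleapis.com/auth/"
# Scopes that cover all of the impersonated user's Drive files or spreadsheets.
BROAD = {BASE + "drive", BASE + "spreadsheets"}


def build_claims(sa_email, scopes, subject=None, now=None):
    """Claim set of the JWT a service account signs to request a token."""
    now = int(time.time()) if now is None else now
    claims = {"iss": sa_email, "scope": " ".join(scopes),
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}
    if subject:  # "sub" is what turns the request into a delegated one
        claims["sub"] = subject
    return claims


def check_delegation(claims, authorized_scopes, workspace_domain):
    """Return findings that explain a failing or over-broad DwD request."""
    findings = []
    sub = claims.get("sub")
    if not sub:
        findings.append("no-subject: token acts as the service account "
                        "itself, an identity outside the tenant")
    elif sub.rsplit("@", 1)[-1].lower() != workspace_domain.lower():
        findings.append("foreign-subject: %s is not in %s" % (sub, workspace_domain))
    requested = set(claims["scope"].split())
    for scope in sorted(requested - set(authorized_scopes)):
        findings.append("unauthorized-scope: %s not granted to this client ID" % scope)
    for scope in sorted(requested & BROAD):
        findings.append("broad-scope: %s" % scope)
    return findings


SA = "sheets-reader@example-project.iam.gserviceaccount.com"  # constructed
GRANTED = [BASE + "spreadsheets.readonly"]  # as entered in the Admin console

if __name__ == "__main__":
    for subject in (None, "reporting@example.com"):
        claims = build_claims(SA, [BASE + "spreadsheets.readonly"], subject)
        print(subject, check_delegation(claims, GRANTED, "example.com") or "ok")
```
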