将Google云端硬盘文档访问权限列入白名单服务帐户 [英] Whitelisting Service Account for Google Drive Document Access

问题描述

我有一个通过Google开发者控制台创建的服务帐户，专门用于通过API访问Google云端硬盘以检索文档.但是最近我更改了我的G-suite Google云端硬盘设置，以具有安全限制，即文档只能在组织外部共享到白名单域中，而不能为共享目的而广泛打开.

在更改此安全设置之前，让我的服务帐户访问文件被明确授予访问权限，一切都可以正常工作.但是，更改之后，在查看以前有权访问的文件上的共享设置后，现在说该帐户无法被授予访问权限，因为该策略集禁止向该用户共享项目，因为该用户不在兼容的白名单域中.

我确实尝试过在我的G-suite管理控制台中将gserviceaccount.com列入白名单，但这仍然没有带来好运.

还有其他人有类似的问题吗?有什么好的解决办法吗?

谢谢！

解决方案

您可能要完成将域范围的权限委派给服务帐户:

1. 转到您的G Suite域的管理控制台.
2. 从控件列表中选择安全性.如果未列出安全性，请从页面底部的灰色栏中选择更多控件，然后从列表中选择安全性控件.如果看不到控件，请确保您以域的管理员身份登录.
3. 从选项列表中选择显示更多，然后选择高级设置.
4. 在身份验证部分中选择管理API客户端访问权限.
5. 在客户名称字段中，输入服务帐户的客户ID .您可以在服务帐户页面中找到服务帐户的客户ID.
6. 在一个或多个API范围字段中，输入应授予您的应用程序访问权限的范围列表.例如，如果您的应用程序需要对Google Drive API和Google Calendar API进行域范围的访问，请输入:https://www.googleapis.com/auth/drive，https://www.googleapis.com/auth/calendar.
7. 点击授权.

这将授权您的应用以您域中的用户身份进行应用调用.但是，请注意以下事项:

尽管您可以在从G Suite域运行的应用程序中使用服务帐户，但服务帐户不是G Suite帐户的成员，并且不受G Suite管理员设置的域策略的约束.例如，在G Suite管理控制台中设置的限制G Suite最终用户共享域外文档的能力的策略将不适用于服务帐户.

请参见执行G Suite域范围的授权了解更多信息.

I have a service account created through the Google developer console specifically for API access to Google Drive to retrieve documents. However recently I have changed my G-suite Google Drive settings to have the security restriction that documents can only be shared outside of my organization to whitelisted domains rather than it being wide-open for sharing purposes.

Prior to this security setting change everything was working fine having my service account access documents it has specifically been granted access to. However after the change when viewing the sharing settings on a file that it previously had access to it now says the account cannot be granted access as the policy set prohibits the sharing of items to this user as its not in a compatible whitelisted domain.

I did try whitelisting gserviceaccount.com within my G-suite admin console but this still brought no luck.

Anyone else have a similar issue? Any good solution?

Thanks!

解决方案

You may want to complete the following steps given in Delegating domain-wide authority to the service account:

1. Go to your G Suite domain’s Admin console.
2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
3. Select Show more and then Advanced settings from the list of options.
4. Select Manage API client access in the Authentication section.
5. In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
7. Click Authorize.

This will give authority to your app to make application calls as users in your domain. However, please note on this:

Although you can use service accounts in applications that run from a G Suite domain, service accounts are not members of your G Suite account and aren’t subject to domain policies set by G Suite administrators. For example, a policy set in the G Suite admin console to restrict the ability of G Suite end users to share documents outside of the domain would not apply to service accounts.

See Perform G Suite Domain-Wide Delegation of Authority for more information.

这篇关于将Google云端硬盘文档访问权限列入白名单服务帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！