Google服务帐户和工作表权限 [英] Google service account and sheets permissions
问题描述
我有一个Java后端(spring + google-oauth-client),它应该能够访问Google.sheets并从中解析一些数据.
I've got a Java backend (spring + google-oauth-client) that should be able to access Google.sheets and parse some data from there.
首先,我在本地后端部署中实施了常规的三足" OAuth 2.0身份验证,效果很好,但是由于后端将部署在云中而没有任何浏览器,所以这不是最佳选择.
First I implemented regular "3-legged" OAuth 2.0 authentication on my local backend deploy, it worked fine, but as backend will be deployed in cloud without any browser etc it's not the best option.
因此,我决定使用服务帐户OAuth流程:创建了google服务帐户并重构了我的代码以使用它而不是AuthCodeFlow,但是我看到了403 Forbidden呼叫者没有权限". 据我了解,服务帐户不是Google的我"帐户,因此我必须授予它访问我"帐户上的该工作表的权限,但是由于我公司的政策,我无法这样做,因此禁止与其他人共享文档的域,并且由于服务帐户具有@ myprject.iam.gserviceaccount.com域,因此我无法访问该域.
So I decided to use service accounts OAuth flow: created google service account and refactored my code to use it instead of AuthCodeFlow, but I saw 403 Forbidden "The caller doesn't have permissions". As I understand service account is not 'me' for google, so I have to give it access to that sheet on 'my' account, but I can't do that because of my company's policy, that forbids to share documents with someone out of our domain, and as service account has @myprject.iam.gserviceaccount.com domain I couldn't give access to it.
也许有一种解决方法,因为此服务帐户是从我的拥有所有者对该工作表访问权限的帐户中创建的? 如果没有,那么在这种情况下(无需用户参与),服务器到服务器OAuth的最佳方法是什么?
Maybe there is a way to workaround that, as this service account was created from my account that has owner access to that sheet? If no, what will be the best approach for server-to-server OAuth in that case (without user involvement)?
p.s.我可以尝试与我的服务台进行沟通,并询问他们是否可以将此gserviceaccount.com添加到白名单等,但是这将花费大量时间,而且结果也无法保证.
p.s. I can try to communicate my helpdesk and ask them if they could add this gserviceaccount.com to white list etc, but it will take pretty much time and also result is not guaranteed..
谢谢!
推荐答案
服务帐户访问工作表的唯一方法是与服务帐户电子邮件地址共享工作表.您无法更改由Google设置的服务帐户电子邮件地址.
The only way for a service account to access the sheet is if you share the sheet with the service account email address. You can't change the service account email address this is set by Google.
您可以将工作表设置为公开,然后便可以阅读该表,但是我觉得您的公司也不会喜欢这个主意.
You can set the sheet to public it will then be able to read it but I have a feeling your company won't like that idea either.
我建议您返回到oauth2选项,并在计算机上对其进行身份验证,然后将刷新令牌复制到它应该能够使用的云服务器上.
I suggest you go back to your oauth2 option and authenticate it on your machine and copy the refresh token up to the cloud server it should then be able to use that.
这篇关于Google服务帐户和工作表权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
