Google Drive API - 从服务帐户转让所有权 [英] Google Drive API - Transfer ownership from Service Account
问题描述
我试图将所有权从服务帐户创建文档转让给使用以下代码驻留在同一Google Apps帐户中的其他用户,但收到以下错误:
资源正文包含不可直接写入的字段。 [403]
错误[消息[资源正文包含不可直接写入的字段]位置[ - ]原因[fieldNotWritable]域[全局]]
var service = GetService();
尝试
{
var permission = GetPermission(fileId,email);
permission.Role =owner;
var updatePermission = service.Permissions.Update(permission,fileId,permission.Id);
updatePermission.TransferOwnership = true;
return updatePermission.Execute();
catch(Exception e)
{
Console.WriteLine(发生错误:+ e.Message);
}
返回null;
注释掉// permission.Role =owner;返回以下错误:
当权限角色为所有者时,必须启用transferOwnership参数。 [403]错误[消息[必须在权限角色为'所有者'时启用transferOwnership参数。]位置[transferOwnership - 参数]原因[禁止]域[全局]]
分配任何其他权限都可以正常工作。因此,这是服务帐户无法将所有权转让给任何其他未使用@ gserviceaccount.com电子邮件地址(即our-project@appspot.gserviceaccount.com> email@domain.com)的帐户的限制。 ?
email@domain.com电子邮件地址已创建并在Google Apps中进行管理。
这种情况下,这是不可实现的,任何指向下一步看什么?我们需要多个用户才能创建临时文档,并通过API即时分配权限并转让所有权。
谢谢
我找到了答案,并发布给其他任何遇到此问题的人。
- 您无法使用Google建议的'服务帐户密钥JSON文件'。
- 您需要使用p.12证书文件进行身份验证。 >
-
创建用于模拟帐户的驱动器服务的代码如下所示。
$ b $ pre $公共DriveService GetService(字符串certificatePath,字符串certificatePassword,字符串googleAppsEmailAccount,字符串emailAccountToMimic,bool allowWrite = true)
{
var certificate = new X509Certificate2(certificatePath,certificatePassword,X509KeyStorageFlags.Exportable);
$ b $ var var credential = new ServiceAccountCredential(
new ServiceAccountCredential.Initializer(googleAppsEmailAccount)
{
Scopes = new [] {allowWrite?DriveService.ScopeDrive:DriveService。 Scope.DriveReadonly},
User = emailAccountToMimic
} .FromCertificate(certificate));
//创建服务。
返回新的DriveService(新的BaseClientService.Initializer
{
HttpClientInitializer =凭证,
ApplicationName = ApplicationName
});
}
-
您需要按照列出的步骤此处将域范围的权限委托给服务帐户。
- 在完成第4步后允许5到10分钟。
- 现在可以在'emailAccountToMimic'用户下创建文档,并在创建过程中将其设置为所有者。
I am attempting to transfer ownership from a Service Account created document to another user who resides within the same Google Apps account using the code below but am getting the following error
The resource body includes fields which are not directly writable. [403] Errors [Message[The resource body includes fields which are not directly writable.] Location[ - ] Reason[fieldNotWritable] Domain[global]]
var service = GetService();
try
{
var permission = GetPermission(fileId, email);
permission.Role = "owner";
var updatePermission = service.Permissions.Update(permission, fileId, permission.Id);
updatePermission.TransferOwnership = true;
return updatePermission.Execute();
}
catch (Exception e)
{
Console.WriteLine("An error occurred: " + e.Message);
}
return null;
Commenting out // permission.Role = "owner"; returns the error below
The transferOwnership parameter must be enabled when the permission role is 'owner'. [403] Errors [Message[The transferOwnership parameter must be enabled when the permission role is 'owner'.] Location[transferOwnership - parameter] Reason[forbidden] Domain[global]]
Assigning any other permissions works fine. Therefore, is this a limitation of the Service Account not being able to transfer ownership to any other account that doesn't use the @gserviceaccount.com email address (i.e. our-project@appspot.gserviceaccount.com > email@domain.com)?
The email@domain.com email address has been created and is managed within Google Apps.
In the case, it is not achievable, any pointers on where to look next? We need multiple users to have the ability to create documents ad hoc and assign permissions and transfer ownership on the fly via the API.
Thanks
I have found the answer and am posting for anyone else who comes across this question.
- You can not use the 'Service Account Key JSON file' as recommended by Google.
- You need to use the p.12 certificate file for authentication.
The code to create a drive service for mimicking accounts is as follows.
public DriveService GetService(string certificatePath, string certificatePassword, string googleAppsEmailAccount, string emailAccountToMimic, bool allowWrite = true) { var certificate = new X509Certificate2(certificatePath, certificatePassword, X509KeyStorageFlags.Exportable); var credential = new ServiceAccountCredential( new ServiceAccountCredential.Initializer(googleAppsEmailAccount) { Scopes = new[] { allowWrite ? DriveService.Scope.Drive : DriveService.Scope.DriveReadonly }, User = emailAccountToMimic }.FromCertificate(certificate)); // Create the service. return new DriveService(new BaseClientService.Initializer { HttpClientInitializer = credential, ApplicationName = ApplicationName }); }You need to follow the steps listed here to delegate domain-wide authority to the service account.
- Allow 5 to 10 minutes after completing step 4.
- You can now create documents under the 'emailAccountToMimic' user which sets them to be the owner during creation.
这篇关于Google Drive API - 从服务帐户转让所有权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
