Google API服务帐户.即使使用域范围的委托访问,也只能看到服务帐户的驱动器 [英] Google API Service Account. Can only see service accounts drive even with Domain Wide Delegation Access
问题描述
我当前正在使用一个启用了域范围委派的Google服务帐户(我点击了此链接 https://developers.google.com/identity/protocols/oauth2/service-account ,以及此链接 https://www.googleapis.com/auth/drive 范围.已经下载了服务帐户的JSON凭证并将它们与python脚本放置在同一目录中,问题是当我假冒另一个用户在我的域中说User2时,我尝试列出User2的驱动器中的文件.在我的服务帐户的驱动器中获取文件.
I'm currently using a Google Service Account that has domain wide delegation enabled ( I followed this link https://developers.google.com/identity/protocols/oauth2/service-account, and this link https://developers.google.com/admin-sdk/reports/v1/guides/delegation), and has "https://www.googleapis.com/auth/drive scope enabled. I have downloaded the json credentials for the service account and placed them in the same directory as my python script. The problem is when I impersonate another user lets say User2 in my domain, and I try to list out the files in User2's drive. I only get the files in my service account's drive.
我有一段模拟User2的代码.
I have a snippet of the code doing the impersonation of User2.
def auth():
domain = 'domain'
# impersonate this user
user = 'testuser' # id only (ie. without @domain)
#scopes = ['https://www.googleapis.com/auth/drive',]
key_file = 'service_account.json'
subject = ''.join([user,'@',domain])
delegated_credentials = service_account.Credentials.from_service_account_file(key_file)
delegated_credentials.with_subject(subject)
drive_service = googleapiclient.discovery.build('drive', 'v2', credentials=delegated_credentials)
return drive_service
然后,稍后我尝试获取用户mydrive中的文件列表.
Then later I'm trying to get the list of files in a users mydrive.
children = service.children().list(folderId='root', **param).execute()
for child in children.get('items', []):
item = service.files().get(fileId=child['id']).execute()
以上内容始终是服务帐户的我的驱动器"中的入门PDF"
Above item is always the "Getting Started PDF" in the service account's my drive
基本上,整个目的是以编程方式将任何文件夹(及其内容)的所有权更改为同一G-Suite中的另一个用户.
Basically the whole purpose of this is to programatically change ownership of any folder(plus its contents) to anther user in the same G-Suite.
而且,我不想像其他许多帖子所说的那样与我的服务帐户共享文件夹.在我冒充所有者的情况下,情况并非如此.
Also, I don't want to share a folder with my service account as many other posts say. This shouldn't be the case as I'm impersonating the owner.
如果这不是发布问题的正确方法,我深表歉意.这是我的第一篇文章.
I apologize if this is not the correct way to post a question. This is my first post.
推荐答案
答案:
您的身份验证流程存在两个问题:缺少作用域和变量分配错误.
- 分配
delegated_credentials变量时,委派的凭据中缺少作用域. - 添加主题时,您不会分配新委派的凭据.
- You are missing scopes from your delegated credentials when you assign the
delegated_credentialsvariable. - You are not assigning your newly delegated credentials when you add a subject.
您可以在准备进行授权的API调用中看到文档,在定义credentials对象 时,您必须 指定要在请求中使用的范围.
As you can see in the Preparing to make an authorized API call documentation, when defining your credentials object you must specify which scopes you will be using in the request.
然后,在将范围添加到凭据时,您需要将此范围分配给一个变量,该变量可以传递给Drive服务的内部版本.
Then, when adding the scope to the credentials, you need to assign this to a variable which can be passed to the build of the Drive service.
要修复第1点,您需要取消注释范围并更改此行:
To fix point 1, you need to uncomment your scopes and change this line:
delegated_credentials = service_account.Credentials.from_service_account_file(key_file)
包括范围:
scopes = ['https://www.googleapis.com/auth/drive']
delegated_credentials = service_account.Credentials.from_service_account_file(
key_file, scopes=scopes)
此外,在构建驱动器服务之前,您需要将delegated_credentials.with_subject(subject)分配给自身:
Also, you will need to assign the delegated_credentials.with_subject(subject) to itself before building the drive service:
delegated_credentials = delegated_credentials.with_subject(subject)
drive_service = googleapiclient.discovery.build(
'drive', 'v2', credentials=delegated_credentials)
希望对您有帮助!
这篇关于Google API服务帐户.即使使用域范围的委托访问,也只能看到服务帐户的驱动器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
