
Does anyone know which configuration is needed to grant a Google service account access to a Team Drive that has already been created?

The idea is to use a service account in a .NET backend application for uploading/downloading files to/from a Team Drive that is shared among the company's employees. For example, the company has its company.com domain and provides name.surname@company.com user accounts at Google. There is also a Team Drive for the employees. One of those accounts (not an admin) was used to create the service account, and these steps have been done so far:

  • Created a project for an organization in Google Cloud Platform
  • Enabled Google Drive API
  • Created a service account
  • Created a key for that service account
  • Assigned Editor/Owner role in IAM tab
  • Enabled G Suite Domain-wide Delegation for the service account using the Client ID, as described here, using a G Suite admin account.

I couldn't find any mention in the documentation of how to grant the service account access to a Team Drive so that all uploaded files/folders are visible to all users who have access to that Team Drive. Any useful link on how to do that is much appreciated.

For now, when I create a folder or upload a file using the service account, it puts them in a private Drive which belongs to the service account only.

A possible workaround would be to upload the files to the service account's private Drive and share them with the users (this is not preferred by the requirements), but still, if someone can tell me how exactly to do this, I'll be happy.

DaImTo
Ghukas
  • I don't have access, so I can't help more than link you to the documentation: https://developers.google.com/drive/v3/web/about-auth#perform_g_suite_domain-wide_delegation_of_authority https://developers.google.com/admin-sdk/reports/v1/guides/delegation You should be able to add the service account email address like you would add any other user. – DaImTo Apr 06 '17 at 06:35
  • This helped, so wrap your comment in an answer so that I am able to accept it. – Ghukas Apr 06 '17 at 18:56
  • Why don't you answer the question with what you found? You can use the points; all I did was show you the documentation. – DaImTo Apr 06 '17 at 18:58

1 Answer


Here are the steps to grant access based on the documentation from the comment in addition to the steps in the question.

These steps require an account with the Services and Apps admin role.

  • Sign in to Google Admin, go to Apps -> G Suite -> Drive and Docs -> Sharing settings sub-menu, and select ON from the Sharing options
  • Click on the Manage Team Drives sub-menu and click on the Team Drive you want to grant access to
  • Click on ADD MEMBERS in the Member access pop-up
  • Enter the service account's Account ID (email), choose an access level (I chose Full), check Skip sending notification and click SEND

Assuming the authentication part is set up properly, here is some simple code that lists the service account's Team Drives:

using System;
using Google.Apis.Drive.v3;   // NuGet package: Google.Apis.Drive.v3

// `service` is a DriveService already authenticated with the service account credential.
// Note: Teamdrives is the older resource name; current versions of the client library
// expose the same data as service.Drives.List() (Team Drives are now "shared drives").
var teamDriveList = service.Teamdrives.List();

// Partial response: only request the fields that are actually needed.
teamDriveList.Fields = "teamDrives(kind, id, name)";

var teamDrives = teamDriveList.Execute().TeamDrives;

// Only Team Drives the service account has been added to as a member are returned.
if (teamDrives != null && teamDrives.Count > 0)
{
    foreach (var drive in teamDrives)
    {
        Console.WriteLine("{0} ({1})", drive.Name, drive.Id);
    }
}

More on the Fields parameter syntax here

0m3r
Ghukas
  • Thanks, followed the bullet list of actions and it now works for me. `$results = $driveService->teamdrives->listTeamdrives();` now shows the Team Drives for which I added my service account's Account ID (email) as a member. – Nick Weavers Mar 29 '18 at 09:13
  • 2
    Just a note. Rather than login to g suite as an admin, I was able to do this by creating the team drive as my own user and just inviting the service account by email from the normal team drive interface. Just check the "Skip sending notification" box in the invite as you would do in g suite. – stuckj Jul 09 '18 at 18:43
  • In my case it was my own account with no admin role. I used it to create the service account but the Team Drive itself was created by admin. Anyway it's the same invite_and_skip_notification scenario. – Ghukas Jul 09 '18 at 23:17
  • 2
    I tried to add a service account user to a Team Drive, but got "user@project.iam.gserviceaccount.com is outside of Company. Only people inside Company can access files in this Team Drive." Then I found https://developers.google.com/drive/api/v3/about-auth which has a warning: "service accounts may not acquire additional storage quota, nor do they act as members of a domain." – kielni Apr 02 '19 at 18:11
  • It seems like what they want is that whenever someone wants to create a file on a shared drive or perform some action, that user needs to provide their authentication details to your application, so that the application gets the same privileges as the user. But this was not my case: the users had access to the application but not to the storage. – Ghukas Apr 02 '19 at 22:45
  • If you are searching, creating or modifying files (or folders) you should read this: https://developers.google.com/drive/api/v3/enable-shareddrives Long story short you need to include the `supportsAllDrives=true` query parameter in your requests when your app performs these types of operations. – ScrapeHeap Oct 18 '20 at 12:55
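The accepted answer's procedure (add the service account's email as a member of the Team Drive, then authenticate as the service account) and the `supportsAllDrives=true` point from the last comment, put together as an added .NET example. This is not code from the original question, answer or comments. It assumes the NuGet packages Google.Apis.Drive.v3 and Google.Apis.Auth, that the path to the service account's JSON key arrives in the GOOGLE_SA_KEY_PATH environment variable, and that the drive is named "Engineering" and the local file is "report.pdf"; all of those names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Drive.v3;
using Google.Apis.Services;
using Google.Apis.Upload;
using DriveFile = Google.Apis.Drive.v3.Data.File;

// Added example, not from the original page. Placeholders: GOOGLE_SA_KEY_PATH,
// the drive name "Engineering", the folder "reports" and the file "report.pdf".
static class SharedDriveUploader
{
    // The full Drive scope is needed to list a shared drive's contents; drive.file
    // alone only covers files this application itself created or opened.
    static readonly string[] Scopes = { DriveService.Scope.Drive };

    static DriveService CreateService(string keyPath)
    {
        // The JSON key is a long-lived credential: read it from a path supplied at
        // runtime (env var, secret store), never from a file checked into the repo.
        GoogleCredential credential;
        using (var stream = new FileStream(keyPath, FileMode.Open, FileAccess.Read))
        {
            credential = GoogleCredential.FromStream(stream).CreateScoped(Scopes);
        }
        return new DriveService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "shared-drive-uploader",
        });
    }

    // Only drives the service account has been added to as a member are listed,
    // so an empty result means the membership step from the answer is missing.
    static string FindSharedDriveId(DriveService service, string driveName)
    {
        var request = service.Drives.List();
        request.Fields = "drives(id, name)";
        var drive = request.Execute().Drives?.FirstOrDefault(d => d.Name == driveName);
        if (drive == null)
            throw new InvalidOperationException(
                $"Shared drive '{driveName}' not visible: is the service account a member?");
        return drive.Id;
    }

    static string CreateFolder(DriveService service, string parentId, string name)
    {
        var metadata = new DriveFile
        {
            Name = name,
            MimeType = "application/vnd.google-apps.folder",
            Parents = new List<string> { parentId },
        };
        var request = service.Files.Create(metadata);
        request.SupportsAllDrives = true;   // required for any item inside a shared drive
        request.Fields = "id";
        return request.Execute().Id;
    }

    static DriveFile UploadFile(DriveService service, string folderId, string localPath, string mimeType)
    {
        var metadata = new DriveFile
        {
            Name = Path.GetFileName(localPath),
            Parents = new List<string> { folderId },
        };
        using (var content = new FileStream(localPath, FileMode.Open, FileAccess.Read))
        {
            var upload = service.Files.Create(metadata, content, mimeType);
            upload.SupportsAllDrives = true;
            upload.Fields = "id, name, driveId";
            IUploadProgress progress = upload.Upload();
            if (progress.Status != UploadStatus.Completed)
                throw new InvalidOperationException("Upload failed", progress.Exception);
            return upload.ResponseBody;
        }
    }

    static void Main()
    {
        var keyPath = Environment.GetEnvironmentVariable("GOOGLE_SA_KEY_PATH")
                      ?? throw new InvalidOperationException("GOOGLE_SA_KEY_PATH is not set");
        var service = CreateService(keyPath);

        var driveId = FindSharedDriveId(service, "Engineering");
        var folderId = CreateFolder(service, driveId, "reports");
        var uploaded = UploadFile(service, folderId, "report.pdf", "application/pdf");

        // A non-empty DriveId in the response confirms the file landed in the shared
        // drive (visible to all its members) rather than in the service account's
        // own private Drive, which is what the question describes going wrong.
        Console.WriteLine($"Uploaded {uploaded.Name} ({uploaded.Id}) into drive {uploaded.DriveId}");
    }
}
```

Two practical notes. Domain-wide delegation is not needed for this membership-based approach and can be left disabled, which keeps the service account from being able to impersonate every user in the domain. If the domain's sharing policy rejects the service account as an external user (the "is outside of Company" error quoted in the comments), the alternative is to keep delegation enabled and act as a specific domain user with `credential.CreateWithUser("name.surname@company.com")` instead of the bare credential; files created that way are owned by the impersonated user, so that account, not the service account, becomes the one to audit.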