(who wrote the blog post) is a great guy and has lots of very informative answers on SO also! Here is a blog about using service account impersonation, including the benefits of doing this. One method for making the authentication from development environments easy is to use Service Account impersonation. Which all give a myriad of errors/issues we can’t get past when trying to do authentication to Google Drive API :( , credentials._client_id, credentials._client_secret) Then we tried all kinds of solutions like: credentials, project_id = (scopes=)Īnd credentials, project_id = ()Ĭredentials = google_auth_oauthlib.get_user_credentials(
However this doesn't work for Google APIs outside of GCP, like Google Drive API service = build('sheets', 'v4') which fails with this error: “Request had insufficient authentication scopes.”. Usually we use gcloud auth application-default login to create default application credentials that the Google client libraries use which “just work”, such as for Google Storage. locally on our developers' laptops? Again, without downloading any JSON keys, and preferably with the most “just works” approach possible? However, how do we do this for development, i.e. Range=RANGE_NAME, majorDimension="COLUMNS" You can do this like so from googleapiclient.discovery import build not explicitly specifying credentials to use in code and letting the client libraries “just work” - this works great as long as one ensures that the VM is created with the correct scopes, and the default compute Service Account email is given permission to the Sheet that needs to be accessed - this is explained in the docs here. SERVICE_ACCOUNT_FILE = '/path/to/service.json'Ĭredentials = service_service_account_file(īut we can't (or just don't want to) download our Service Account JSON keys, so we're stuck if we just follow the docs.įor the Google Compute Engine environment we have been able to authenticate by using GCP Application Default Credentials (ADCs) - i.e. They often use code like this: from google.oauth2 import service_account Or Google APIs/Developers docs say to create an OAuth2 Client ID and download it’s key like here.
Seemingly all of the docs from GCP say to simply download the JSON key for a Service Account and use that. Our company is quite strict about credentials and does not allow the downloading of Service Account credential JSON keys (this is better practice and provides higher security).
There are two different places where we need to run code that makes API calls to Google Drive: within production in Google Compute Engine, and within development environments i.e. Our company is working on processing data from Google Sheets (within Google Drive) from Google Cloud Platform and we are having some problems with the authentication.
0 kommentar(er)
