I am trying to build Google ads API in python.
I have the token and access but now I need to link accounts to my MCC account.
But the "Link existing accounts" give me full access. I only need read only.
Is there read only "Link existing accounts"?
Thanks,
Tal
No, there's no such option.
However, if your goal is to have read-only API access to a specific account you can still achieve that by adding a user (i.e. Google account) with read-only access to that account and then generating OAuth2 credentials for that user. You do not need to use an manager account / MCC to be able to utilize the Google Ads API.
Related
We are working on a Migration App for Google Drive (Google Workspace) and are relatively new to Google APIs. I read that administrator need to grant domain-wide delegation of authority to third-party and internal applications so that they can access users' data such as read Google Drive files.
Control API access with domain-wide delegation: https://support.google.com/a/answer/162106
For delegating domain-wide authority to service account, a super administrator of the Google Workspace domain must complete 6 steps as described in the documentation link below:
Delegating domain-wide authority to the service account: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
As I understand these 6 steps have to be manually performed by Super Admin of the Google Workspace. I would like the super administrator should be able to do these steps easily and quickly. Can this process be automated or guided using some sort of Consent Grant screen in Web Portal.
Instead of using service accounts, can we use OAuth 2.0 Client ID (created within third party app's Google workspace) and consent of Administrator to provide delegated access of their Google Workspace to third party application.
I am asking this because I would need to get list of all users in that Google workspace and have read access to their google Drive files.
Directory API: Authorize Requests" using Admin SDK: https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
Scope for only retrieving users or user aliases: https://www.googleapis.com/auth/admin.directory.user.readonly
Thanks!
I am afraid it is not possible at this moment to manage the domain wide delegation settings through APIs or any different way to automate the process. The Google Workspace Directory API is the only possible way you can use to manage Admin console related settings using the Google APIs, however there is no API method that can make changes like this.
Now, about this:
Instead of using service accounts, can we use OAuth 2.0 Client ID (created within third party app's Google workspace) and consent of Administrator to provide delegated access of their Google Workspace to third party application.
The only possible way is by adding the application to the domain wide delegation settings, but again, only the admin can add the app manually to their Google Workspace admin console.
Since this is a feature that is not available yet, you could submit a feature request in the Directory API to suggest this as an actual feature and maybe Google can make it available in the near future.
Reference:
Admin SDK: Directory API
Feature request
I need to authenticate to an API using OAUTH2, however, it has to be made programmatically, no user typing stuff in a browser is permitted.
This seems like such a simple use case, but I haven't found anything online, the only thing close to it was this post, and the only answer is "yeah, you don't want to use a web browser, but what if you do?"... This doesn't help.
So, please, opening a web browser is not an option, I just want to know if Google provides any way to authenticate purely through code.
Thank you!
In order to achieve your goal, I would like to propose to use the Service account. When the Service account is used, the access token can be retrieved without using the browser.
As the points for using the Service account, please check the following points.
The Service account is not your own Google account.
For example, as one of several situations, if you want to manage a file in your Google Drive using the Service account, please share the file with the Service account. By this, the Service account can access to the file in your Google Drive.
References:
OAuth2ServiceAccount
Several cases using the Service account
Google Drive Access - Service Account or OAuth - To read/write user files
Google service account not being authorized for calendar API
Service Account for google sheets returns not found
I'd like to create programmatically via API a new Account for accessing my Google Cloud Platform.
I'm already doing it for GSUITE (provisioning users via OAUTH), is it possible to do the same also with Google Cloud Platform?
Is it possible to do it for an "non-google" external account maybe with an invitation on the email?
Having already the setup for OAUTH in GSuite, is it possible to use the same token / account to perform also this operations (maybe assigning more scopes)?
Are this API (https://cloud.google.com/iam/docs/granting-changing-revoking-access) the only available?
Updating the IAM policy is indeed the only way to use an API to grant access on a "pure GCP" level.
However, you can give a role in a project to a Google Group (or a few, if you require different access levels), and then simply manage the group using the GSuite Admin SDK.
With the changes to third-party access protection for Google Sheets, calls to the Visualization API now require OAuth credentials unless Spreadsheets are shared to "anyone who has the link can view". (Google Developers Blog Post)(Google Charts Authorization)
Does this still apply to Spreadsheets that are shared to "anyone at domain with the link can view"? If so, how would I get a OAuth credential without prompting the end user for access to their Drive or Spreadsheets? Is it possible to pass a credential using a service account? We do not want to prompt every user that uses the application, since it has been authorized by a Google Apps Administrator and executes using service accounts.
Does this still apply to Spreadsheets that are shared to "anyone at domain with the link can view"?
It is stated in this documentation that:
Google Sheets requires end-user credentials to access private
spreadsheets via the Google Visualization API ("/tq requests")
but Take NOTE that:
Spreadsheets shared to "anyone who has the link can view" do not
require credentials. Changing your spreadsheet's sharing settings is
much easier than implementing authorization.
So if your spreadsheets is shared to "anyone who has the link can view", you are not affected by this update beginning September 14, 2016.
For more information, check this thread.
The "Anyone at domain with the link can view" still requires OAuth credentials, since the application is accessing non-public data. If you are using domain-wide delegation and service account impersonation, you can simply generate an access token in your backend and pass it in the requests to the /tq endpoint.
If you get a user to log in to your website using Google's authentication, then what information can you get about them? Specifically, can you get their Ad Preferences that Google collects?
I do not know of any Google API that reveals the Ad Preferences of a user. You can see your own Ad Preferences with the Ad Preference Manager, but that doesn't have an API to allow authorized people see someone else's preferences.