I'd like to create programmatically via API a new Account for accessing my Google Cloud Platform.
I'm already doing it for GSUITE (provisioning users via OAUTH), is it possible to do the same also with Google Cloud Platform?
Is it possible to do it for an "non-google" external account maybe with an invitation on the email?
Having already the setup for OAUTH in GSuite, is it possible to use the same token / account to perform also this operations (maybe assigning more scopes)?
Are this API (https://cloud.google.com/iam/docs/granting-changing-revoking-access) the only available?
Updating the IAM policy is indeed the only way to use an API to grant access on a "pure GCP" level.
However, you can give a role in a project to a Google Group (or a few, if you require different access levels), and then simply manage the group using the GSuite Admin SDK.
Related
We are working on a Migration App for Google Drive (Google Workspace) and are relatively new to Google APIs. I read that administrator need to grant domain-wide delegation of authority to third-party and internal applications so that they can access users' data such as read Google Drive files.
Control API access with domain-wide delegation: https://support.google.com/a/answer/162106
For delegating domain-wide authority to service account, a super administrator of the Google Workspace domain must complete 6 steps as described in the documentation link below:
Delegating domain-wide authority to the service account: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
As I understand these 6 steps have to be manually performed by Super Admin of the Google Workspace. I would like the super administrator should be able to do these steps easily and quickly. Can this process be automated or guided using some sort of Consent Grant screen in Web Portal.
Instead of using service accounts, can we use OAuth 2.0 Client ID (created within third party app's Google workspace) and consent of Administrator to provide delegated access of their Google Workspace to third party application.
I am asking this because I would need to get list of all users in that Google workspace and have read access to their google Drive files.
Directory API: Authorize Requests" using Admin SDK: https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
Scope for only retrieving users or user aliases: https://www.googleapis.com/auth/admin.directory.user.readonly
Thanks!
I am afraid it is not possible at this moment to manage the domain wide delegation settings through APIs or any different way to automate the process. The Google Workspace Directory API is the only possible way you can use to manage Admin console related settings using the Google APIs, however there is no API method that can make changes like this.
Now, about this:
Instead of using service accounts, can we use OAuth 2.0 Client ID (created within third party app's Google workspace) and consent of Administrator to provide delegated access of their Google Workspace to third party application.
The only possible way is by adding the application to the domain wide delegation settings, but again, only the admin can add the app manually to their Google Workspace admin console.
Since this is a feature that is not available yet, you could submit a feature request in the Directory API to suggest this as an actual feature and maybe Google can make it available in the near future.
Reference:
Admin SDK: Directory API
Feature request
I am trying to build Google ads API in python.
I have the token and access but now I need to link accounts to my MCC account.
But the "Link existing accounts" give me full access. I only need read only.
Is there read only "Link existing accounts"?
Thanks,
Tal
No, there's no such option.
However, if your goal is to have read-only API access to a specific account you can still achieve that by adding a user (i.e. Google account) with read-only access to that account and then generating OAuth2 credentials for that user. You do not need to use an manager account / MCC to be able to utilize the Google Ads API.
Struggling to get a difinitive answer on this so would appreciate any help.
We have a Python Script that pulls data from a piece of hardware and uploads it to a Google Sheet using the drive / sheets api.
We also have a global policy in the top level OU to Restricts sharing outside of the organisation.
If you create a seperate OU in GAdmin console where external sharing is allowed and move the Account assosiated the with Gdrive / Gsheets to this OU, everything works. You share the sheet with the service account as part of the process.
This also means however the owner of the account can share other data using the account. We'd like to lock down the account , but I'm not sure it's possible as you can't whitelist service accounts, only other Gsuite domains.
There is also a point discussed about using the option to grant the service account "delegating domain-wide authority to the service account for a particular API scope (i.e. Drive) -" but from a security point of view that option that doesn't seem optimum either.
Is there any other way to achieve the access where by you can restrict sharing only with the service account and organisation accounts.
The below describes the process:
https://towardsdatascience.com/accessing-google-spreadsheet-data-using-python-90a5bc214fd2
Similar question previously.
Whitelisting Service Account for Google Drive Document Access
I am creating a Ruby application that needs to access dozens (maybe hundreds) of different Google Analytics accounts, query each account, and then generate a report based on the results. I know I can achieve this using Googles API client ( http://code.google.com/p/google-api-ruby-client/ ) and Oauth, but that would require manually generating a set of keys and credentials for each analytics account which is not really feasible. I'm wondering if there is another way to access google analytics (perhaps using the API Keys?) that bypasses the need to generate credentials manually.
After quite a bit of tinkering, I've finally stumbled upon a solution to my particular problem. As it turns out, I don't need to create a separate Developer account for each Analytics account I want to access. I can simply create a single Developer account, and then add that Developer accounts' email address to the set of users that are able to access the Analytics account. This will allow me to access multiple Analytics accounts using the same Developer account.
Yes, it will still require quite a bit of work adding the Developer email account to hundreds of Google Analytics accounts, but it pales in comparison to creating a separate set of Developer credentials for each Analytics account.
I have created a project with Google Big Query.
I have one table with data. A service performs insert every hour in the table. The service uses a service account with a p12 file to authenticate without user interaction.
I have developped also a desktop application which authenticate via the browser (OAuth2Authenticator). It works well but eveyone who have a google account can login and accept to use my application, and I don't want that !
Is it possible to specify a list of authorized google accounts for a google big query project ?
Thanks,
Luc.
Yes, you can control who has access to your BigQuery datasets, as well as who is a member of the Google Developer Project that your BigQuery datasets are attached to.
If you are creating a Desktop application, the best way to provide authorization to BigQuery for specific users of a restricted dataset is to use an "installed application" Oauth2 flow. Are you currently using this flow?