drive: update docs on creating admin service accounts

Nick Craig-Wood 2024-08-12 17:16:25 +01:00
parent 3b3625037c
commit 4b922d86d7


@ -213,42 +213,49 @@ credentials file into the rclone config file, you can set
`service_account_credentials` with the actual contents of the file
instead, or set the equivalent environment variable.
#### Use case - Google Apps/G-suite account and individual Drive
#### Use case - Google Workspace account and individual Drive
Let's say that you are the administrator of a Google Apps (old) or
G-suite account.
The goal is to store data on an individual's Drive account, who IS
a member of the domain.
We'll call the domain **example.com**, and the user
**foo@example.com**.
Let's say that you are the administrator of a Google Workspace. The
goal is to read or write data on an individual's Drive account, who IS
a member of the domain. We'll call the domain **example.com**, and the
user **foo@example.com**.
There's a few steps we need to go through to accomplish this:
##### 1. Create a service account for example.com
- To create a service account and obtain its credentials, go to the
[Google Developer Console](https://console.developers.google.com).
- You must have a project - create one if you don't.
- You must have a project - create one if you don't and make sure you are on the selected project.
- Then go to "IAM & admin" -> "Service Accounts".
- Use the "Create Service Account" button. Fill in "Service account name"
and "Service account ID" with something that identifies your client.
- Select "Create And Continue". Step 2 and 3 are optional.
- These credentials are what rclone will use for authentication.
- Click on the newly created service account
- Click "Keys" and then "Add Key" and then "Create new key"
- Choose type "JSON" and click create
- This will download a small JSON file that rclone will use for authentication.
If you ever need to remove access, press the "Delete service
account key" button.
##### 2. Allowing API access to example.com Google Drive
- Go to example.com's admin console
- Go to example.com's [Workspace Admin Console](https://admin.google.com)
- Go into "Security" (or use the search bar)
- Select "Show more" and then "Advanced settings"
- Select "Manage API client access" in the "Authentication" section
- In the "Client Name" field enter the service account's
- Select "Access and data control" and then "API controls"
- Click "Manage domain-wide delegation"
- Click "Add new"
- In the "Client ID" field enter the service account's
"Client ID" - this can be found in the Developer Console under
"IAM & Admin" -> "Service Accounts", then "View Client ID" for
the newly created service account.
It is a ~21 character numerical string.
- In the next field, "One or More API Scopes", enter
- In the next field, "OAuth Scopes", enter
`https://www.googleapis.com/auth/drive`
to grant access to Google Drive specifically.
to grant read/write access to Google Drive specifically.
You can also use `https://www.googleapis.com/auth/drive.readonly` for read only access.
- Click "Authorise"
##### 3. Configure rclone, assuming a new install
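Review bot: the new "OAuth Scopes" text (the lines from `https://www.googleapis.com/auth/drive` to `for read only access.`) should say which of the two scopes to prefer: domain-wide delegation lets this service account act as any user in the domain for whatever scope is listed here, so the docs ought to recommend `https://www.googleapis.com/auth/drive.readonly` unless the use case actually writes, and the sentence about the "Delete service account key" button is the natural place to add that the downloaded JSON key carries that delegated access and must be stored with restricted file permissions. Minor wording: "make sure you are on the selected project" reads awkwardly; suggest "make sure the new project is selected".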
@ -257,17 +264,18 @@ rclone config
n/s/q> n # New
name>gdrive # Gdrive is an example name
Storage> # Select the number shown for Google Drive
Storage> # Type drive
client_id> # Can be left blank
client_secret> # Can be left blank
scope> # Select your scope, 1 for example
scope> # Select the scope use used in step 2
root_folder_id> # Can be left blank
service_account_file> /home/foo/myJSONfile.json # This is where the JSON file goes!
service_account_file> /home/foo/myJSONfile.json # Path to the JSON file you downloaded in step 1.
y/n> # Auto config, n
```
##### 4. Verify that it's working
- `rclone -v --drive-impersonate foo@example.com lsf gdrive:backup`
- The arguments do:
- `-v` - verbose logging
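Review bot: typo in the `scope>` comment: `# Select the scope use used in step 2` should read `# Select the scope you used in step 2`. It is also worth stating that the scope picked here has to be one of the scopes authorised under domain-wide delegation in step 2, since an impersonated token request for a scope that was not delegated is rejected; the `service_account_file>` comment could likewise remind readers to keep that file readable only by the user running rclone.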
@ -278,7 +286,7 @@ the magic, pretending to be user foo.
the folder named backup.
Note: in case you configured a specific root folder on gdrive and rclone is unable to access the contents of that folder when using `--drive-impersonate`, do this instead:
- in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step #1
- in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step 1
- use rclone without specifying the `--drive-impersonate` option, like this:
`rclone -v lsf gdrive:backup`
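Review bot: the "Note:" paragraph should tie "a specific root folder" to the `root_folder_id>` prompt from step 3 (e.g. "in case you set `root_folder_id` in step 3"), and the two bullets under it start lowercase ("in the gdrive web interface", "use rclone without") while every other list in the section capitalises its items. Since this fallback shares the folder directly with the service account's email and drops `--drive-impersonate`, the docs should also say whether it still depends on the domain-wide delegation configured in step 2, so readers know which grant they are relying on.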