Google service account and sheets permissions

Question

I've got a Java backend (spring + google-oauth-client) that should be able to access Google.sheets and parse some data from there.

First I implemented regular "3-legged" OAuth 2.0 authentication on my local backend deploy, it worked fine, but as backend will be deployed in cloud without any browser etc it's not the best option.

So I decided to use service accounts OAuth flow: created google service account and refactored my code to use it instead of AuthCodeFlow, but I saw 403 Forbidden "The caller doesn't have permissions". As I understand service account is not 'me' for google, so I have to give it access to that sheet on 'my' account, but I can't do that because of my company's policy, that forbids to share documents with someone out of our domain, and as service account has @myprject.iam.gserviceaccount.com domain I couldn't give access to it.

Maybe there is a way to workaround that, as this service account was created from my account that has owner access to that sheet? If no, what will be the best approach for server-to-server OAuth in that case (without user involvement)?

p.s. I can try to communicate my helpdesk and ask them if they could add this gserviceaccount.com to white list etc, but it will take pretty much time and also result is not guaranteed..

Thanks!

Answer 1

The only way for a service account to access the sheet is if you share the sheet with the service account email address. You can't change the service account email address this is set by Google.

You can set the sheet to public it will then be able to read it but I have a feeling your company won't like that idea either.

I suggest you go back to your oauth2 option and authenticate it on your machine and copy the refresh token up to the cloud server it should then be able to use that.