1

We want to use default application credentials (Python code running in GCP) to perform domain-wide delegation to access Gmail/Drive APIs. The main reason for this is that using default credentials relieves us of needing to create/manage a GCP service account key (which is very sensitive), whereas code running in GCP (App Engine/Cloud Functions) handles key management for us securely.

We know that Google's professional services have published how to do this for accessing Admin SDK APIs here; however, we're not able to make this work with Gmail/Drive APIs.

Does anyone know if this is technically possible, and if so how?

Michael

1 Answer

0

From what I understood from your question, you don't want to use a Service Account, but instead some Application Default Credentials (ADC).

Basically, you will always need to use a Service Account, but if you are running your app on Compute Engine, Kubernetes Engine, the App Engine flexible environment, or Cloud Functions, it will not be necessary for you to create it on your own, as stated HERE.

You will only need to get the credentials needed for your project and then you will be able to call the Gmail API as you would normally do:

```python
from google.auth import compute_engine
credentials = compute_engine.Credentials()
```

alberto vielma
  • That works for compute engine, have you tried using those credentials for drive or gmail APIs though? They don't work unless the credentials are loaded from a json keyfile, which we are trying to avoid. – Michael Dec 06 '19 at 18:03
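
The keyless flow the question asks about, as an added example that is not part of the thread or of Google's published code: the delegation assertion carries the impersonated user in `sub` and is signed through the IAM Credentials `signBlob` API instead of a local key file. It assumes the runtime service account may call `signBlob` on itself (for example via the Service Account Token Creator role), that its metadata-server token has a scope that allows the call, and that its client ID is authorized for domain-wide delegation with the requested scopes; all function names are hypothetical.

```python
# Added example (not from the thread): keyless domain-wide delegation, stdlib only.
import base64, json, time, urllib.parse, urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"
TOKEN_URI = "https://oauth2.googleapis.com/token"
SIGN_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signBlob"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _call(url, headers, data=None):
    # GET when data is None, POST otherwise.
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def build_assertion(sa_email, subject, scopes, sign, now=None):
    """Build the JWT-bearer assertion; `sign` maps bytes -> RS256 signature bytes."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,            # the runtime service account
        "sub": subject,             # Workspace user being impersonated
        "scope": " ".join(scopes),  # keep to the minimum the job needs
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,
    }
    header = {"alg": "RS256", "typ": "JWT"}
    encoded = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(encoded)
    return signing_input + "." + _b64url(sign(signing_input.encode()))

def iam_signer(sa_email, adc_token):
    """Signer backed by IAM Credentials signBlob, so no private key is handled here."""
    def sign(payload):
        body = json.dumps({"payload": base64.b64encode(payload).decode()}).encode()
        headers = {"Authorization": "Bearer " + adc_token, "Content-Type": "application/json"}
        reply = json.loads(_call(SIGN_URL.format(sa_email), headers, body))
        return base64.b64decode(reply["signedBlob"])
    return sign

def delegated_access_token(subject, scopes):
    """Run on GCP only: metadata server -> signBlob -> OAuth token endpoint."""
    md = {"Metadata-Flavor": "Google"}
    sa_email = _call(METADATA + "email", md).decode()
    adc_token = json.loads(_call(METADATA + "token", md))["access_token"]
    assertion = build_assertion(sa_email, subject, scopes, iam_signer(sa_email, adc_token))
    grant = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": assertion}
    return json.loads(_call(TOKEN_URI, {}, urllib.parse.urlencode(grant).encode()))["access_token"]
```

The returned access token acts as the user named in `subject`, so the ability to sign as this service account should be granted as narrowly as a key file would have been guarded.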