0

Locally, I'm able to grant a GAE project access to Drive/Sheets so a Python script accessing BigQuery can access data in Sheets.

I did this by running:

    gcloud auth application-default login --scopes=openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/bigquery

When my code runs in the cloud, I get

    google.api_core.exceptions.Forbidden 403 Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials.

How do I grant the default credentials in Google Cloud access to Drive/Sheets?

Thanks

Justin

2 Answers

1
  1. You can use the app_engine module in google.auth. This solution requires you to have enabled bundled APIs for Python 3 because google.auth.app_engine makes use of app_identity, which is a bundled API service. A call is also made to the memcache bundled API.

  2. Sample code to list files in Google Drive is as follows (I tested this in Production and it works). Part of this code is taken from Google's sample found here

    import json

    from googleapiclient.discovery import build
    from googleapiclient.errors import HttpError
    from google.auth import app_engine

    # Create the credentials using the scopes you need
    # The call to Credentials optionally accepts a service account. If you
    # don't provide one, the default application service account is used
    creds = app_engine.Credentials(
        scopes=["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive"]
    )


    # Wrapped in a function (the name is illustrative) so the return is valid
    def list_drive_files():
        try:
            # Create drive api client
            drive_client = build('drive', 'v3', credentials=creds)
            files = []

            # Get all the files in the drive that are accessible to the
            # service account
            response = drive_client.files().list().execute()
            for file in response.get('files', []):
                print(f'Found file: {file.get("name")}, {file.get("id")}')
            # Collect the results once, after the loop, to avoid duplicates
            files.extend(response.get('files', []))

        except HttpError as error:
            print(f'An error occurred: {error}')
            files = None

        return json.dumps(files)

  3. To be able to access data in Google Drive using a service account, you need to have shared that data (file, folder, etc.) with the service account. If you don't, then the above code will return an empty list.
NoCommandLine
  • This is basically correct but note that in order to access Sheets in the way I describe above, you must use a service account, not the default credentials, and you have to **add the service account email as a shared email in the Sheet** – Justin Jun 05 '23 at 19:52
  • @Justin - The sharing is captured in bullet 3 of my response. – NoCommandLine Jun 05 '23 at 20:55
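The two preconditions this thread identifies for a BigQuery query over a Sheets-backed table (a Drive scope on the runtime credentials, and the Sheet shared with the service account) can be checked before the query runs. The following is an added example, not code from either answer: it uses `google.auth.default` with explicit scopes rather than `app_engine.Credentials`, and assumes google-auth and google-cloud-bigquery are installed. The helper names `preflight` and `make_client` and the sample addresses are hypothetical.

```python
# Added example (not from the thread): preflight for a Sheets-backed BigQuery query.
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
BIGQUERY_SCOPE = "https://www.googleapis.com/auth/bigquery"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Scopes requested for the runtime credentials (hypothetical constant name).
REQUESTED_SCOPES = [DRIVE_SCOPE, BIGQUERY_SCOPE]


def preflight(scopes, service_account_email, shared_with):
    """Return the reasons a query over a Sheets-backed table would be denied.

    scopes: OAuth scopes requested for the runtime credentials.
    shared_with: e-mail addresses the Sheet is shared with (hypothetical
    input, copied by hand from the Sheet's Share dialog).
    """
    scopes = set(scopes or [])
    problems = []
    # The Drive scope is checked on its own, as in the question's scope list,
    # where it sits alongside cloud-platform.
    if DRIVE_SCOPE not in scopes:
        problems.append("missing Drive scope")
    if not scopes & {BIGQUERY_SCOPE, CLOUD_PLATFORM_SCOPE}:
        problems.append("missing BigQuery scope")
    if service_account_email.lower() not in {e.lower() for e in shared_with}:
        problems.append(f"Sheet not shared with {service_account_email}")
    return problems


def make_client():
    """Build a BigQuery client from Application Default Credentials."""
    import google.auth  # lazy import: preflight() runs without the SDK
    from google.cloud import bigquery

    # Request the Drive scope explicitly instead of relying on the defaults.
    credentials, project = google.auth.default(scopes=REQUESTED_SCOPES)
    return bigquery.Client(credentials=credentials, project=project)


# Constructed sample values, not taken from the thread.
SAMPLE_SA = "example-project@appspot.gserviceaccount.com"
SAMPLE_SHARED = ["analyst@example.com"]

if __name__ == "__main__":
    for reason in preflight([CLOUD_PLATFORM_SCOPE], SAMPLE_SA, SAMPLE_SHARED):
        print("would be denied:", reason)
```
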
-1

I'm Sneha and I'd be happy to help you out with your question. Sorry for the you had to face.

In your Python script, you need to ensure that the application is using the application default credentials. To do this, use the google.auth library and load the credentials explicitly. Here's an example:

    from google.auth import app_engine
    from google.cloud import bigquery

    # Load application default credentials
    credentials = app_engine.Credentials()

    # Use the credentials to authorize requests
    # Example: Authorize a BigQuery client
    client = bigquery.Client(credentials=credentials)

By loading the credentials explicitly, you ensure that the correct default service account and its associated permissions are used.

After making the necessary code changes and ensuring the correct credentials are used, redeploy your GAE application. The updated application should now have the necessary access to Google Drive and Sheets.

Please note that it may take a few minutes for the changes to propagate and the updated access controls to take effect.

For more information, please refer to the following resources:

  1. Setting up access control | Google App Engine standard environment docs - https://cloud.google.com/appengine/docs/standard/access-control

  2. How Application Default Credentials works | Authentication - https://cloud.google.com/docs/authentication/application-default-credentials

I hope this information helps. If you have any questions, please let me know and I'll be glad to assist you further.

Give back to the Community. Help the next person who has this issue by indicating if this reply solved your problem. Click Like or Dislike below.

Thanks & Regards Sneha Gupta

  • 3
    The majority of this answer appears likely to have been written by AI (e.g., ChatGPT). If you used an AI tool to assist with any answer, I would encourage you to delete it, as [posting of AI-generated content is banned here](//meta.stackoverflow.com/q/421831). **Readers should review this answer carefully and critically, as AI-generated information often contains fundamental errors and misinformation.** If you observe quality issues and/or have reason to believe that this answer was AI-generated, please leave feedback accordingly. The moderation team can use your help to identify issues. – NotTheDr01ds Jun 02 '23 at 23:18
  • Totally agree, especially because it does not solve the issue and it recommends bad practice (using service account key file) – guillaume blaquiere Jun 03 '23 at 10:47
  • Hi NotTheDr01ds and guillaume blaquiere, guillaume blaquiere is user requirements do not get fulfilled by Service Account Key file I have removed that segment from my Answer. NotTheDr01ds it's not AI generated Answer it's framed by AI which I use in end to proofread, fact check and frame it correctly in the end so that it looks like well framed easy to understand also AI learned from Human so it's not necessary if sequence of words are framed similar to AI means it's work of AI, I too gave time in it to verify and research and proofread. – Sneha Gupta Jun 03 '23 at 16:52
  • Regarding using service account key file I think it depends of use case whether it's bad practice or not as suggested by guillaume blaquiere if it's bad practice I edited my solution this is the reason why I gave documentation links in my answer to refer so that user can consider that documentation before taking any approach. Thank you. – Sneha Gupta Jun 03 '23 at 16:57