I was never able to find centralized, succinct and example-based documentation for doing domain delegated API calls with Google. Hopefully here is exactly this documentation from all the pieces I gathered along the way.
Granting domain delegation to the service account, as we just did, isn't enough; we now need to specify the scopes for which the account can request delegated access.
cat ~/Downloads/*.json | grep client_id | cut -d '"' -f4
In the “One or More API Scopes” field use the following scope:
https://www.googleapis.com/auth/drive
If you want to allow more scopes, comma separate them. This interface is very finicky: only enter URLs, and don't copy/paste the descriptions that show up for previous entries. There might also be a few minutes' delay between you granting a scope and it taking effect.
Okay! The account is all set up on the Google side of things, let’s write a Python script to use it. Here’s your starting point:
This script contains all the functions to get you started with making API calls to Google with Python. It isn't the simplest form it could be presented in, but it solves a few issues right off the bat:
Before running the script, you may need to:
sudo apt-get update && sudo apt-get install python-pycurl
Running the script is done as such:
./google_api_script.py /path/to/json/file/you/downloaded/earlier.json account.to.subas@your.apps.domain
It will simply run the “get about” Drive API call and print the result. This should allow you to verify that the call was indeed executed as the account you specified in the arguments.
Once you've run this script once, the sky is the limit: all the Drive API calls can be added to it based on the get_about function.
Important note on scopes: just as you granted domain delegation for a comma-separated list of scopes in the Google Apps Admin Console earlier, this script needs to reflect the scopes that are being accessed. The same list of scopes, space separated, needs to be part of your JWT claim set (line 78 of the script). So if you need to make calls against more than just Drive, make sure to update the scopes in both locations or your calls won't work.
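The two scope lists described above, kept in sync in code. This is an added example, not the script from this post: the function names, the sample account values and the use of https://oauth2.googleapis.com/token as the audience are assumptions. It builds the claim set and the string to be RS256-signed with the key file's private_key, and refuses any scope that is not in the Admin Console grant.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed audience: Google's token endpoint
MAX_LIFETIME = 3600  # Google caps the assertion lifetime at one hour


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # JWTs drop padding


def parse_admin_scopes(field: str) -> list:
    """Split the comma-separated Admin Console field into scope URLs."""
    scopes = [s.strip() for s in field.split(",") if s.strip()]
    for s in scopes:
        if not s.startswith("https://") or " " in s:
            raise ValueError("not a scope URL: %r" % s)  # e.g. a pasted description
    return scopes


def build_claim_set(key: dict, subject: str, wanted: list, granted: list, now=None) -> dict:
    """Claim set for a delegated token; refuses scopes the admin never granted."""
    missing = sorted(set(wanted) - set(granted))
    if missing:
        raise PermissionError("not granted in Admin Console: " + ", ".join(missing))
    iat = int(time.time() if now is None else now)
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": subject,              # the domain user the call runs as
        "scope": " ".join(wanted),   # space separated here, comma separated in the console
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + MAX_LIFETIME,
    }


def signing_input(claims: dict) -> str:
    """The header.claims string that is RS256-signed to form the JWT."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    return ".".join(b64url(p) for p in parts)


if __name__ == "__main__":
    key = {"client_email": "sa@example-project.iam.gserviceaccount.com"}  # constructed sample
    granted = parse_admin_scopes("https://www.googleapis.com/auth/drive")
    claims = build_claim_set(key, "user@example.com", granted, granted)
    print(json.dumps(claims, indent=2), signing_input(claims), sep="\n")
```

Passing only the scopes a given call needs as `wanted`, rather than the whole granted list, keeps each delegated token as narrow as the call requires.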
Taking it one step further with the Google Enforcer. This is the project that led me down the path of writing my own class to handle Google API calls. While it is not quite ready for public use, I'm publishing the project here as it is an excellent reference for making all kinds of other Google API calls; some doing POSTs, PUTs, DELETEs, some implementing paging, et cetera.
Download:
google_drive_permission_enforcer_1.0.tar.gz
The purpose of this project is to enforce on-the-fly permissions on a directory tree. There is an extravagant amount of gotchas to figure out to do this. If you are interested in implementing it with your organization, please leave a comment and I can either help or get it ready for public use depending on interest.
This project works towards the same end as AODocs, making Google Drive's permissions not completely insane as they are by default.
Here are the scopes I have enabled for domain delegation for this project.
Problems addressed by this project: