mirror of https://github.com/rclone/rclone synced 2024-12-25 17:03:45 +01:00

drive: update docs on creating admin service accounts

Nick Craig-Wood 2024-08-12 17:16:25 +01:00
parent 3b3625037c
commit 4b922d86d7


@ -213,42 +213,49 @@ credentials file into the rclone config file, you can set
`service_account_credentials` with the actual contents of the file `service_account_credentials` with the actual contents of the file
instead, or set the equivalent environment variable. instead, or set the equivalent environment variable.
#### Use case - Google Apps/G-suite account and individual Drive #### Use case - Google Workspace account and individual Drive
Let's say that you are the administrator of a Google Apps (old) or Let's say that you are the administrator of a Google Workspace. The
G-suite account. goal is to read or write data on an individual's Drive account, who IS
The goal is to store data on an individual's Drive account, who IS a member of the domain. We'll call the domain **example.com**, and the
a member of the domain. user **foo@example.com**.
We'll call the domain **example.com**, and the user
**foo@example.com**.
There's a few steps we need to go through to accomplish this: There's a few steps we need to go through to accomplish this:
##### 1. Create a service account for example.com ##### 1. Create a service account for example.com
- To create a service account and obtain its credentials, go to the - To create a service account and obtain its credentials, go to the
[Google Developer Console](https://console.developers.google.com). [Google Developer Console](https://console.developers.google.com).
- You must have a project - create one if you don't. - You must have a project - create one if you don't and make sure you are on the selected project.
- Then go to "IAM & admin" -> "Service Accounts". - Then go to "IAM & admin" -> "Service Accounts".
- Use the "Create Service Account" button. Fill in "Service account name" - Use the "Create Service Account" button. Fill in "Service account name"
and "Service account ID" with something that identifies your client. and "Service account ID" with something that identifies your client.
- Select "Create And Continue". Step 2 and 3 are optional. - Select "Create And Continue". Step 2 and 3 are optional.
- These credentials are what rclone will use for authentication. - Click on the newly created service account
- Click "Keys" and then "Add Key" and then "Create new key"
- Choose type "JSON" and click create
- This will download a small JSON file that rclone will use for authentication.
If you ever need to remove access, press the "Delete service If you ever need to remove access, press the "Delete service
account key" button. account key" button.
##### 2. Allowing API access to example.com Google Drive ##### 2. Allowing API access to example.com Google Drive
- Go to example.com's admin console
- Go to example.com's [Workspace Admin Console](https://admin.google.com)
- Go into "Security" (or use the search bar) - Go into "Security" (or use the search bar)
- Select "Show more" and then "Advanced settings" - Select "Access and data control" and then "API controls"
- Select "Manage API client access" in the "Authentication" section - Click "Manage domain-wide delegation"
- In the "Client Name" field enter the service account's - Click "Add new"
- In the "Client ID" field enter the service account's
"Client ID" - this can be found in the Developer Console under "Client ID" - this can be found in the Developer Console under
"IAM & Admin" -> "Service Accounts", then "View Client ID" for "IAM & Admin" -> "Service Accounts", then "View Client ID" for
the newly created service account. the newly created service account.
It is a ~21 character numerical string. It is a ~21 character numerical string.
- In the next field, "One or More API Scopes", enter - In the next field, "OAuth Scopes", enter
`https://www.googleapis.com/auth/drive` `https://www.googleapis.com/auth/drive`
to grant access to Google Drive specifically. to grant read/write access to Google Drive specifically.
You can also use `https://www.googleapis.com/auth/drive.readonly` for read only access.
- Click "Authorise"
##### 3. Configure rclone, assuming a new install ##### 3. Configure rclone, assuming a new install
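Review bot: In step 1, the new bullet "This will download a small JSON file that rclone will use for authentication." should say that the file has to be kept private. Once step 2 authorises this Client ID under "Manage domain-wide delegation" for `https://www.googleapis.com/auth/drive`, the key combined with `--drive-impersonate` (step 4) can read and write the Drive of any member of the domain, not only foo@example.com. Suggest adding a sentence telling the reader to store the file readable only by the user running rclone, and in step 2 presenting `https://www.googleapis.com/auth/drive.readonly` as the scope to choose whenever writes are not needed, rather than as a trailing "You can also use". The unchanged "Delete service account key" sentence could also be reworded to match the new "Keys" -> "Add Key" flow. Minor style: the new step 1 bullets ("Click on the newly created service account", "Choose type "JSON" and click create") lack the full stop that the surrounding bullets in that step have.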
@ -257,17 +264,18 @@ rclone config
n/s/q> n # New n/s/q> n # New
name>gdrive # Gdrive is an example name name>gdrive # Gdrive is an example name
Storage> # Select the number shown for Google Drive Storage> # Type drive
client_id> # Can be left blank client_id> # Can be left blank
client_secret> # Can be left blank client_secret> # Can be left blank
scope> # Select your scope, 1 for example scope> # Select the scope use used in step 2
root_folder_id> # Can be left blank root_folder_id> # Can be left blank
service_account_file> /home/foo/myJSONfile.json # This is where the JSON file goes! service_account_file> /home/foo/myJSONfile.json # Path to the JSON file you downloaded in step 1.
y/n> # Auto config, n y/n> # Auto config, n
``` ```
##### 4. Verify that it's working ##### 4. Verify that it's working
- `rclone -v --drive-impersonate foo@example.com lsf gdrive:backup` - `rclone -v --drive-impersonate foo@example.com lsf gdrive:backup`
- The arguments do: - The arguments do:
- `-v` - verbose logging - `-v` - verbose logging
@ -278,7 +286,7 @@ the magic, pretending to be user foo.
the folder named backup. the folder named backup.
Note: in case you configured a specific root folder on gdrive and rclone is unable to access the contents of that folder when using `--drive-impersonate`, do this instead: Note: in case you configured a specific root folder on gdrive and rclone is unable to access the contents of that folder when using `--drive-impersonate`, do this instead:
- in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step #1 - in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step 1
- use rclone without specifying the `--drive-impersonate` option, like this: - use rclone without specifying the `--drive-impersonate` option, like this:
`rclone -v lsf gdrive:backup` `rclone -v lsf gdrive:backup`
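Review bot: The changed bullet still reads "created/selected at step 1", but step 1 now only describes creating a service account, and the doc never says where to find its email address (step 2 only points at the "Client ID"). Suggest "created in step 1" and a short pointer to where the service account's email is shown, so the reader shares the folder with the right identity. It is also worth stating in this note that sharing the root folder gives the service account access to that folder alone, which is the narrower alternative to the domain-wide delegation set up in step 2.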