There are times when I’m building an application on GCP when I don’t want to use a more traditional datastore like Cloud SQL or Bigtable. Right now, for example, I’m building an app that allows non-technical folks to easily add icons into a build system. I’m not going to write a front-end from scratch, and teaching them source control, while valuable, isn’t really something I wanted to tackle right now. So an easy solution is to use Google Drive. Maybe you never thought of it as a data store…but let’s talk about it here for a minute. Super simple interface, has rudimentary source control built into it, and it has an API so I can automate pulling the icons from Drive into proper source control and our build system for everyone to consume the icons!

Only one problem…and I have a confession to make. I hate OAuth, and on the surface it seems like you need to use OAuth in order to use Google Drive’s API. Okay okay, hate is probably too strong of a word. I don’t hate what it does. I recognize that it’s hugely important. I just don’t like that since it’s not something I use every day, I can never remember exactly what I need to do. I need which token from where now? And do I put it in a header? What’s the name of the header? I’m always looking up how to implement OAuth correctly each time I have to do it.

Now, what IS in my day-to-day sweet spot? Working with service accounts and IAM within GCP for authorization. So it turns out…if you want to integrate Google Drive functionality into your application that already uses GCP services, you can absolutely use IAM service accounts to do it!

The key to this magic is to understand that IAM service accounts are also users. And users have email addresses. If you look at a service account in the list on the access page in the console:

That email address is the magic. Just as you can share a Drive folder with a person, you can also share a Drive folder with an IAM service account. Or a Sheet, or a Doc. Whatever it is you want to integrate into your GCP application.

So in my case, I needed to share the Drive folder where our marketing folks were going to put the icons. Let’s walk through what I did to get it working. I created a service account in the console here. Click the Create Service Account button up at the top. Give it a name, and grant it the roles the application needs for the GCP services you’re using. Drive itself doesn’t actually need a specific permission role. So for example, if the application needs to also be able to write entries into a Cloud SQL database as well as access the Drive content, then you’d need to give it the Cloud SQL Client role. Only add the permissions you need. Don’t give blanket “Owner” permissions please.

When you’re done, click into the details of your service account in the list, and click “Add Key”.


Select the JSON type, and it’ll download the bearer token for that service account. PLEASE be careful with it. It’s a bearer token, which means anyone that has it now has permission to do stuff in your project based on the permissions you gave the service account. For example, writing to or reading from the database if you gave it the Cloud SQL Client role. This is why you only want to give it the specific roles you need, and not Owner level permissions.

The code, in Python, seems to be like this:

If you aren’t familiar, the discovery APIs are wrappers on the REST APIs in native languages, like Python. Finding all of what you can do with the API is a little bit all over the place depending on what you want to do. A good place to start is here, which walks through the basics of Drive APIs, like creating folders and files, downloading, searching, etc. For example, grabbing all the folders in a Drive folder would be:

That will fetch the first 100 folders (pageSize is 100 by default, you can change it by adding another parameter pageSize=n to the list call) in our marketing_icon_folder_id, giving us the names and Drive ids of those folders.
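The flow described above (load the service account's JSON key, build a Drive client through the discovery wrapper, list the folders under a shared folder), written out as an added example; it is not the original post's code. It goes one step further than the text by following `nextPageToken` so folders past the first page are not silently missed, and it requests only the read-only Drive scope. The environment variable names `DRIVE_SA_KEY_PATH` and `MARKETING_ICON_FOLDER_ID` are assumptions for illustration.

```python
"""Added example: read-only Drive access with a service account key, no OAuth consent flow."""

FOLDER_MIME = "application/vnd.google-apps.folder"
# Least privilege: the read-only scope is enough to pull icons out of Drive.
READONLY_SCOPE = "https://www.googleapis.com/auth/drive.readonly"


def build_drive_service(key_path):
    """Build a Drive v3 client from the downloaded JSON key file."""
    # Imported lazily so the helpers below work without the client libraries installed.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=[READONLY_SCOPE]
    )
    return build("drive", "v3", credentials=creds)


def folder_query(parent_id):
    """Drive search query for non-trashed folders directly under parent_id."""
    # Escape backslashes and quotes so the id cannot break out of the query string.
    safe_id = parent_id.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{safe_id}' in parents and mimeType = '{FOLDER_MIME}' and trashed = false"


def list_subfolders(service, parent_id, page_size=100):
    """Return [{'id': ..., 'name': ...}] for every subfolder, following nextPageToken."""
    folders, page_token = [], None
    while True:
        response = service.files().list(
            q=folder_query(parent_id),
            fields="nextPageToken, files(id, name)",
            pageSize=page_size,
            pageToken=page_token,
        ).execute()
        folders.extend(response.get("files", []))
        page_token = response.get("nextPageToken")
        if not page_token:
            return folders


if __name__ == "__main__":
    # Hypothetical variable names: keep the key path out of source control.
    import os
    drive = build_drive_service(os.environ["DRIVE_SA_KEY_PATH"])
    for folder in list_subfolders(drive, os.environ["MARKETING_ICON_FOLDER_ID"]):
        print(folder["id"], folder["name"])
```

The folder must be shared with the service account's email address first; otherwise the list call returns no files rather than an error.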

So that’s it. A nice quick way to avoid having to remember how to set up OAuth when you want to use Google Drive as a data store with a simple UI, basic versioning, and fully-featured APIs in your GCP-integrated application. Thanks for reading, hopefully it helps!

If you’re looking for ideas for things to create, we have a number of codelabs that might spark some fun ideas here. If you have questions, or you want to tell me what cool stuff you’re doing with Drive and GCP, reach out to me on Twitter, my DMs are open.
