mirror of
https://github.com/rclone/rclone.git
synced 2025-01-13 20:38:12 +02:00
drive: update docs on creating admin service accounts
This commit is contained in:
parent
3b3625037c
commit
4b922d86d7
@ -213,42 +213,49 @@ credentials file into the rclone config file, you can set
|
|||||||
`service_account_credentials` with the actual contents of the file
|
`service_account_credentials` with the actual contents of the file
|
||||||
instead, or set the equivalent environment variable.
|
instead, or set the equivalent environment variable.
|
||||||
|
|
||||||
#### Use case - Google Apps/G-suite account and individual Drive
|
#### Use case - Google Workspace account and individual Drive
|
||||||
|
|
||||||
Let's say that you are the administrator of a Google Apps (old) or
|
Let's say that you are the administrator of a Google Workspace. The
|
||||||
G-suite account.
|
goal is to read or write data on an individual's Drive account, who IS
|
||||||
The goal is to store data on an individual's Drive account, who IS
|
a member of the domain. We'll call the domain **example.com**, and the
|
||||||
a member of the domain.
|
user **foo@example.com**.
|
||||||
We'll call the domain **example.com**, and the user
|
|
||||||
**foo@example.com**.
|
|
||||||
|
|
||||||
There's a few steps we need to go through to accomplish this:
|
There's a few steps we need to go through to accomplish this:
|
||||||
|
|
||||||
##### 1. Create a service account for example.com
|
##### 1. Create a service account for example.com
|
||||||
|
|
||||||
- To create a service account and obtain its credentials, go to the
|
- To create a service account and obtain its credentials, go to the
|
||||||
[Google Developer Console](https://console.developers.google.com).
|
[Google Developer Console](https://console.developers.google.com).
|
||||||
- You must have a project - create one if you don't.
|
- You must have a project - create one if you don't and make sure you are on the selected project.
|
||||||
- Then go to "IAM & admin" -> "Service Accounts".
|
- Then go to "IAM & admin" -> "Service Accounts".
|
||||||
- Use the "Create Service Account" button. Fill in "Service account name"
|
- Use the "Create Service Account" button. Fill in "Service account name"
|
||||||
and "Service account ID" with something that identifies your client.
|
and "Service account ID" with something that identifies your client.
|
||||||
- Select "Create And Continue". Step 2 and 3 are optional.
|
- Select "Create And Continue". Step 2 and 3 are optional.
|
||||||
- These credentials are what rclone will use for authentication.
|
- Click on the newly created service account
|
||||||
|
- Click "Keys" and then "Add Key" and then "Create new key"
|
||||||
|
- Choose type "JSON" and click create
|
||||||
|
- This will download a small JSON file that rclone will use for authentication.
|
||||||
|
|
||||||
If you ever need to remove access, press the "Delete service
|
If you ever need to remove access, press the "Delete service
|
||||||
account key" button.
|
account key" button.
|
||||||
|
|
||||||
##### 2. Allowing API access to example.com Google Drive
|
##### 2. Allowing API access to example.com Google Drive
|
||||||
- Go to example.com's admin console
|
|
||||||
|
- Go to example.com's [Workspace Admin Console](https://admin.google.com)
|
||||||
- Go into "Security" (or use the search bar)
|
- Go into "Security" (or use the search bar)
|
||||||
- Select "Show more" and then "Advanced settings"
|
- Select "Access and data control" and then "API controls"
|
||||||
- Select "Manage API client access" in the "Authentication" section
|
- Click "Manage domain-wide delegation"
|
||||||
- In the "Client Name" field enter the service account's
|
- Click "Add new"
|
||||||
|
- In the "Client ID" field enter the service account's
|
||||||
"Client ID" - this can be found in the Developer Console under
|
"Client ID" - this can be found in the Developer Console under
|
||||||
"IAM & Admin" -> "Service Accounts", then "View Client ID" for
|
"IAM & Admin" -> "Service Accounts", then "View Client ID" for
|
||||||
the newly created service account.
|
the newly created service account.
|
||||||
It is a ~21 character numerical string.
|
It is a ~21 character numerical string.
|
||||||
- In the next field, "One or More API Scopes", enter
|
- In the next field, "OAuth Scopes", enter
|
||||||
`https://www.googleapis.com/auth/drive`
|
`https://www.googleapis.com/auth/drive`
|
||||||
to grant access to Google Drive specifically.
|
to grant read/write access to Google Drive specifically.
|
||||||
|
You can also use `https://www.googleapis.com/auth/drive.readonly` for read only access.
|
||||||
|
- Click "Authorise"
|
||||||
|
|
||||||
##### 3. Configure rclone, assuming a new install
|
##### 3. Configure rclone, assuming a new install
|
||||||
|
|
||||||
@ -257,17 +264,18 @@ rclone config
|
|||||||
|
|
||||||
n/s/q> n # New
|
n/s/q> n # New
|
||||||
name>gdrive # Gdrive is an example name
|
name>gdrive # Gdrive is an example name
|
||||||
Storage> # Select the number shown for Google Drive
|
Storage> # Type drive
|
||||||
client_id> # Can be left blank
|
client_id> # Can be left blank
|
||||||
client_secret> # Can be left blank
|
client_secret> # Can be left blank
|
||||||
scope> # Select your scope, 1 for example
|
scope> # Select the scope use used in step 2
|
||||||
root_folder_id> # Can be left blank
|
root_folder_id> # Can be left blank
|
||||||
service_account_file> /home/foo/myJSONfile.json # This is where the JSON file goes!
|
service_account_file> /home/foo/myJSONfile.json # Path to the JSON file you downloaded in step 1.
|
||||||
y/n> # Auto config, n
|
y/n> # Auto config, n
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
##### 4. Verify that it's working
|
##### 4. Verify that it's working
|
||||||
|
|
||||||
- `rclone -v --drive-impersonate foo@example.com lsf gdrive:backup`
|
- `rclone -v --drive-impersonate foo@example.com lsf gdrive:backup`
|
||||||
- The arguments do:
|
- The arguments do:
|
||||||
- `-v` - verbose logging
|
- `-v` - verbose logging
|
||||||
@ -278,7 +286,7 @@ the magic, pretending to be user foo.
|
|||||||
the folder named backup.
|
the folder named backup.
|
||||||
|
|
||||||
Note: in case you configured a specific root folder on gdrive and rclone is unable to access the contents of that folder when using `--drive-impersonate`, do this instead:
|
Note: in case you configured a specific root folder on gdrive and rclone is unable to access the contents of that folder when using `--drive-impersonate`, do this instead:
|
||||||
- in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step #1
|
- in the gdrive web interface, share your root folder with the user/email of the new Service Account you created/selected at step 1
|
||||||
- use rclone without specifying the `--drive-impersonate` option, like this:
|
- use rclone without specifying the `--drive-impersonate` option, like this:
|
||||||
`rclone -v lsf gdrive:backup`
|
`rclone -v lsf gdrive:backup`
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user