I've seen that there are different NodeJS modules that use Google APIs. What's the best practice to access files that are shared with the service account of a Google Cloud fun
The default behavior is as follows:
During function execution, Cloud Functions uses the service account PROJECT_ID@appspot.gserviceaccount.com as its identity. For instance, when making requests to Google Cloud Platform services using the Google Cloud Client Libraries, Cloud Functions can automatically obtain and use tokens to authorize to the services this identity has permissions to use.
More information here.
Personal recommendation: it's good practice to use a purpose-specific service account which you'll need to securely store & not push into your version control -- meaning you can download and include it in your gcloud functions deploy scripts (so it'll be readable to the nodeJS runtime along with your package.json and actual function files) -- but always have it git-ignored.
If you want to be super secure, you can combine this approach with another Google Cloud product called Secret Manager, the nodeJS implementation of which is here. The disadvantage of this, though, is the amount of time between the function start-up and the deciphering of the encrypted JSON (since it's a network operation itself).
There is one more important thing to know -- the drive API token -- already answered here: https://stackoverflow.com/a/58842310/8160318.
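
The Secret Manager latency mentioned in the answer can be paid once per function instance instead of once per invocation. The following is an added example, not part of the original answer: `createKeyLoader`, `parseServiceAccountKey` and `fetchFromSecretManager` are hypothetical names and the secret resource name is a placeholder. It caches the fetched key at module scope and validates it without ever putting its contents into an error message.

```javascript
// Fields a service account key file must carry to be usable.
const REQUIRED_FIELDS = ['type', 'client_email', 'private_key'];

// Parse and validate the secret payload (string, Buffer or Uint8Array).
// Error messages never include the payload, so key material cannot leak into logs.
function parseServiceAccountKey(payload) {
  let key;
  try {
    key = JSON.parse(Buffer.from(payload).toString('utf8'));
  } catch {
    throw new Error('secret payload is not valid JSON');
  }
  if (key === null || typeof key !== 'object') {
    throw new Error('secret payload is not a JSON object');
  }
  for (const field of REQUIRED_FIELDS) {
    if (typeof key[field] !== 'string' || key[field] === '') {
      throw new Error(`service account key is missing "${field}"`);
    }
  }
  if (key.type !== 'service_account') {
    throw new Error('secret is not a service account key');
  }
  return key;
}

// Returns loadKey(): the first call starts the fetch, later calls on the same
// (warm) instance reuse the same promise. A failed fetch is not cached.
function createKeyLoader(fetchSecret) {
  let pending = null;
  return function loadKey() {
    if (pending === null) {
      pending = (async () => parseServiceAccountKey(await fetchSecret()))()
        .catch((err) => { pending = null; throw err; });
    }
    return pending;
  };
}

// Fetcher for a deployed function; needs the @google-cloud/secret-manager package.
// `name` looks like projects/PROJECT_ID/secrets/SECRET_ID/versions/latest (placeholders).
async function fetchFromSecretManager(name) {
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  const [version] = await new SecretManagerServiceClient().accessSecretVersion({ name });
  return version.payload.data;
}

// Create once at module scope, then `await loadKey()` inside the handler:
// const loadKey = createKeyLoader(() => fetchFromSecretManager(SECRET_NAME));
```

Only cold starts pay the network round trip; the function's runtime identity still needs permission to read that secret version.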