问题
I have created a server side application in PHP that's supposed to work with Google Spreadsheets.
I'm able to authenticate successfully with OAuth 2.0 authentication, but when requesting the list of the spreadsheets from Google, I only get the spreadsheets shared with the service account by the spreadsheet owner.
Is there a way that service account could retrieve all the spreadsheets owned by my main account not the service one, including those not explicitly shared with the service account?
Also I still want to keep the spreadsheets private so noone can access them without my permission, but I need the service account to have full access to both existing and new spreadsheets.
Any advice is appreciated.
回答1:
You have to change approach:
Create a service account in Drive. You can manage and use this account only with the API (not with the web interface as usually)
With the Drive API you can list, create, update, delete and change the permissions of the files. When you create a new file, you can share it - always with API - to the users you want, make the new file public or change the ownership.
Please take a look: https://developers.google.com/drive/v2/reference/permissions
回答2:
Here is a sample script that uses a service account to read the contents of a Google Spreadsheet's sheet. Have a look at the README for instructions to set it up:
https://github.com/juampynr/google-spreadsheet-reader
回答3:
I am assuming you use Google Apps and not a personal GMail account. You can use your service account to impersonate your main account.
Note that here I am talking of a service account in the way Google means it : a private key (in p12 format) and an identifier. This is not a Google Apps account used for technical purposes. More information here.
This is done by :
- Authorizing your service account on your Google Apps domain
- Modify the code you use to generate the API credentials
The steps are exactly the same for the Spreadsheet API and for the Drive API.
To first authorize your service account to impersonate the domain users, you can follow this documentation. Here are the basic steps. You must be a domain super administrator to perform this task.
- Go to your Google Apps domain’s Admin console : https://admin.google.com
- Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
- Select Advanced settings from the list of options.
- Select Manage third party OAuth Client access in the Authentication section.
- In the Client name field enter the service account's Client ID. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. In your case that would be at least the Spreadsheet API scope : https://spreadsheets.google.com/feeds
When this is done, you need to update your code so that it impersonates your main account :
$key = file_get_contents($SERVICE_ACCOUNT_PKCS12_FILE_PATH);
$auth = new Google_AssertionCredentials(
'YOUR_SERVICE_ACCOUNT_EMAIL',
array('https://spreadsheets.google.com/feeds'),
$key);
$auth->sub = 'yourmainaccount@domain.com';
You can then use the $auth
variable to generate the OAuth tokens you need to access the spreadsheet API. I am not sure which client you use for this so the way you inject the access token will depend on which client you use.
Also, note that this token will expire after 1 hour, and then the API will start returning Session Expired
errors. If your client does not handle this automatically, you will need to catch the error and regenerate the token.
来源:https://stackoverflow.com/questions/27067825/how-to-access-google-spreadsheets-with-a-service-account-credentials