We are using Google Drive API in our Google App Engine application.
This weekend we noticed that it has problems with updating spreadsheet title. We are getting the following error:
HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v2/files/1_X51WMK0U12rfPKc2x60E_EuyqtQ8koW-NSRZq7Eqdw?quotaUser=5660071165952000&fields=title&alt=json returned "The authenticated user has not granted the app 593604285024 write access to the file 1_X51WMK0U12rfPKc2x60E_EuyqtQ8koW-NSRZq7Eqdw">
Other calls to Google Drive API succeed. We just have the problem with this one. Also this functionality worked properly for a long time. Is it possible that some update on Google side has broken this?
The minimal code to reproduce the issue is:
class TestDriveUpdate(webapp2.RequestHandler):
def get(self):
credentials = StorageByKeyName(Credentials,
'103005000283606027776',
'credentials').get()
spreadsheet_key = '1_X51WMK0U12rfPKc2x60E_EuyqtQ8koW-NSRZq7Eqdw'
quota_user = '5660071165952000'
body = {"title": 'Test'}
fields = "title"
http = httplib2.Http(timeout=60)
credentials.authorize(http)
gdrive = apiclient.discovery.build('drive', 'v2', http=http)
response = gdrive.files().update(
fileId=spreadsheet_key,
body=body,
fields=fields,
quotaUser=quota_user
).execute()
self.response.write("OK")
Based from this documentation, error occurs when the requesting app is not on the ACL for the file and the user never explicitly opened the file with this Drive app. Found this SO question which states that the scope strings must match exactly between your code and the Admin Console, including trailing slashes, etc. Make sure also that Drive Apps are allowed on the domain ("Allow users to install Google Drive apps").
Related
I am trying to access Google Drive using the Drive API Version 3 (Python). Listing the files seems to work fine. I get insufficient Permission error when I try to upload a file.
I changed My scope to give full permission to my script
SCOPES = 'https://www.googleapis.com/auth/drive'
Below is the block that I use to create the file
file_metadata = {
'name': 'Contents.pdf',
'mimeType': 'application/vnd.google-apps.file'
}
media = MediaFileUpload('Contents.pdf',
mimetype='application/vnd.google-apps.file',
resumable=True)
file = service.files().create(body=file_metadata,
media_body=media,
fields='id').execute()
print ('File ID: %s' % file.get('id'))
I get this error message:
ResumableUploadError: HttpError 403 "Insufficient Permission"
I am not sure what is wrong here.
I think that your script works fine. From the error you show, I thought the requirement of reauthorize of access token and refresh token. So please try a following flow.
When you authorize using client_secret.json, a credential JSON file is created. At the default Quickstart, it is created in .credentials of your home directory.
For your current situation, please delete your current the credential JSON file which is not client_secret.json, and reauthorize by launching your script. The default file name of Quickstart is drive-python-quickstart.json.
By this, scope of https://www.googleapis.com/auth/drive is reflected to access token and refresh token, and they are used for uploading process. When the error occurs even if this flow is done, please confirm whether Drive API is enabled at API console, again.
If this was not useful for you, I'm sorry.
Maybe you already have a file with the same name there?
I'm trying to setup endpoints api (with google app engine, python), but I'm having some trouble getting user profile info. API is working, I can create entities through API Explorer on my localhost.
My goal is to allow user to register for my app by providing just an email, and authorizing the app to get the reset of the info from their profile. I have this endpoints method:
#User.method(http_method="POST",
auth_level=endpoints.AUTH_LEVEL.REQUIRED,
allowed_client_ids=[
endpoints.API_EXPLORER_CLIENT_ID
],
scopes=[
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/plus.me',
],
user_required=True,
request_fields=('email',),
response_fields=('id',),
name="register",
path="users")
def UserRegister(self, instance):
logging.info(os.getenv( 'HTTP_AUTHORIZATION' ))
# 'Beared __TOKEN__'
logging.info(endpoints.users_id_token._get_token(None))
# '__TOKEN__'
instance.put()
return instance
This works fine, I receive authorization token and user is created in datastore, but I can't figure out how to get the profile info. If I enter the token in OAuth2 API (through API Explorer):
POST https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=__TOKEN__
I get token info with some data I need { "user_id": "__ID__", "verified_email": true, ...}, and if I use user_id in +API:
GET https://www.googleapis.com/plus/v1/people/__ID__
I can get the rest of the data I need (name, image, etc).
What do I need to do to achieve this in my UserRegister() method? I'd prefer to return just entity ID and do the rest of registration asynchronously, but that's another issue, I'll figure it out (; Just need some guidance how to call other endpoints from my code...
EDIT:
I've managed to figure out how to call other APIs (code on Gist), now only have one issue with Plus API:
I did some queries and eventually got anonymous quota error. Then I added key parameter and set it to WEB_CLIENT_ID or SERVICE_ACCOUNT:
WEB_CLIENT_ID is OAuth2 Client ID (type: Web Application) from console.developers.google.com/apis/credentials,
SERVICE_ACCOUNT is default App Engine service account - MY_APP#appspot.gserviceaccount.com...
and now I'm getting following error:
HttpError: <HttpError 400 when requesting https://www.googleapis.com/plus/v1/people/__VALID_USER_ID__?key=__WEB_CLIENT_ID__or__SERVICE_ACCOUNT__&alt=json returned "Bad Request">
When I use +API explorer I get results as expected:
REQUEST:
https://www.googleapis.com/plus/v1/people/__VALID_USER_ID__?key={YOUR_API_KEY}
RESPONSE:
200 OK + json data for user...
Anyone knows why is this happening?
Why am I getting BadRequest response?
Problem with BadRequest was that I didn't send authorization token... I did try to send it as access_token, but seams like +api docs are outdated - it should be oauth_token. When I included this parameter issue was resolved:
build('plus', 'v1').people().get(userId=user_id, key=SERVICE_ACCOUNT, oauth_token=token).execute()
HINT: Use http://localhost:8001/_ah/api/discovery/v1/apis/, and discoveryRestUrl property it has to see real properties of your API - this is where I found the answer.
oauth_token can be obtained like this:
token = os.getenv('HTTP_AUTHORIZATION').split(" ")[1]
# or like in my question:
token = endpoints.users_id_token._get_token(None)
I'd suggest HTTP_AUTHORIZATION variable, because users_id_token docs state that it's a:
Utility library for reading user information from an id_token.
This is an experimental library that can temporarily be used to extract
a user from an id_token. The functionality provided by this library
will be provided elsewhere in the future.
How to call other API Endpoints?
This is also an answer to my first question:
from googleapiclient.discovery import build
service = build('plus', 'v1')
request = service.people().get(userId=user_id, key=SERVICE_ACCOUNT, oauth_token=token)
response = request.execute()
data = dict(self.response.POST)
Code that worked for me is here.
NOTE: WEB_CLIENT_ID obtained from https://console.developers.google.com/apis/credentials (OAuth2 Client ID of type Web Application) will NOT work in this case. I had to use SERVICE_ACCOUNT - I didn't try to generate one through console, default service account I got from App Engine worked fine.
...things are much clearer now that I got this working. Hope it will help someone else (;
My GAE app is trying to manipulate files stored on Google Cloud Storage.
The files are stored in the default bucket for my app. I already managed to read/write files to that bucket using the GCS Python Client Library (https://developers.google.com/appengine/docs/python/googlecloudstorageclient/).
Unfortunately it does not support copy. Instead, I'm trying the JSON API with the API Client Library (https://google-api-client-libraries.appspot.com/documentation/storage/v1/python/latest/storage_v1.objects.html) and service account (https://developers.google.com/api-client-library/python/guide/google_app_engine#ServiceAccounts)
So far I'm getting an error 403 when requesting the cloud storage url.
Here's the code:
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/devstorage.read_write')
http = credentials.authorize(httplib2.Http(memcache))
service = discovery.build('storage', 'v1', http=http, developerKey='api_key_generated_from_the_dev_console')
bucket_name = app_identity.get_default_gcs_bucket_name()
# I'm planning to batch multiple requests, although there is just one in this example
batch = BatchHttpRequest()
# process_list_response outputs the exception if any
batch.add(service.objects().list(bucket=bucket_name), callback=process_list_response)
batch.execute(http=http)
Here's the log:
URL being requested:
https://www.googleapis.com/discovery/v1/apis/storage/v1/rest?userIp=x.x.x.x
Attempting refresh to obtain initial access_token
URL being requested:
https://www.googleapis.com/storage/v1/b/xxx.appspot.com/o?alt=json
HttpError 403 when requesting
https://www.googleapis.com/storage/v1/b/xxx-dev.appspot.com/o?alt=json
returned "Access Not Configured. Please use Google Developers Console
to activate the API for your project."
Here's what I've done in the dev console:
Google Cloud Storage and Google Cloud Storage JSON API are switched
to ON.
I created an API key which I use to build the service (is it necessary since I also use Oauth?)
Under Permissions, I added a member for my app with the email xxx#appspot.gserviceaccount.com
How can I make this work?
Posting this as an answer as it seems that my edit (we work together) was silently rejected, and a comment is too limited. This is not an answer but that is expanding the question.
Simpler example with a single http request. It seems that the JSON API is simply not working outside the API explorer. The XML/REST API works and returns a list of files in the bucket.
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/devstorage.read_write')
http = credentials.authorize(httplib2.Http(memcache))
bucket_name = app_identity.get_default_gcs_bucket_name()
# This works (200 with list of files in the content)
request_url = 'http://commondatastorage.googleapis.com/' + bucket_name
response, content = http.request(request_url, method="GET")
# This doesn't work (403, Access not configured)
request_url = 'https://www.googleapis.com/storage/v1/b/' + bucket_name + '/o?alt=json'
response, content = http.request(request_url, method="GET")
# This doesn't work (403, Access not configured), the key and project id header seem useless.
request_url = 'https://www.googleapis.com/storage/v1/b/' + bucket_name + '/o?alt=json&key=' + API_KEY
response, content = http.request(request_url, method="GET", headers={'x-goog-project-id': PROJECT_ID})
Also, looking at the code of AppAssertionCredentials, we can see:
kwargs: optional keyword args, including:
service_account_id: service account id of the application. If None or
unspecified, the default service account for the app is used.
self.service_account_id = kwargs.get('service_account_id', None)
Passing anything as service_account_id argument results in an exception:
Traceback (most recent call last):
File "/base/data/home/apps/.../1.37.../backup.py", line 61, in get
response, content = http.request(request_url, method="GET")
File "/base/data/home/apps/.../1.377.../oauth2client/util.py", line 132, in positional_wrapper
return wrapped(*args, **kwargs)
File "/base/data/home/apps/.../1.37.../oauth2client/client.py", line 491, in new_request
self._refresh(request_orig)
File "/base/data/home/apps/.../1.37.../oauth2client/appengine.py", line 197, in _refresh
raise AccessTokenRefreshError(str(e))
AccessTokenRefreshError
I have tested to pass the value returned by app_identity.get_service_account_name(), that doesn't work. (even though the documentation says it will use "the default service account for the app" if it is not set).
I have tested to pass the service account email found in the developer console that has the form: 3....-v0....#developer.gserviceaccount.com. Same token exception.
So, why are we getting a 403 Access not configured when the Cloudstorage JSON API is clearly enabled under our api/services?
And why is passing a service_account_id to AppAssertionCredentials failing with a AccessTokenRefreshError?
Edit:
The solution was ridiculous: turn OFF the Google Cloud Storage API, and turn it back ON.
I assume that the app was a "legacy" app, and doing so made the last bullet point 12 work here: https://developers.google.com/appengine/docs/python/googlecloudstorageclient/activate
I created service account for my account name#steelkiwi.com(Google apps) and my application works fine. Then I created service account for my personal account name#gmail.com, use this new credentials for my application and now when I try to insert files I get error 500 with next text:
HttpError 500 when requesting https://www.googleapis.com/upload/drive/v2/files?quotaUser=30&uploadType=resumable&convert=true&ocr=false&alt=json returned "Internal Error"
The only thing that changes is credentials SERVICE_ACCOUNT_EMAIL and SERVICE_ACCOUNT_PKCS12_FILE_PATH. I have tried to create another service account for name#steelkiwi.com but it doesn't help, so bacically my app only works with first service account.
Language is python.
If you create a service account with your apps domain admin, you should be able to impersonate all users by changing the prn attribute below. If you don't set a prn user that is out of your domain, you should see an access error.
f = open('path-to-privatekey.p12')
key = f.read()
f.close()
credentials = SignedJwtAssertionCredentials('xxx#developer.gserviceaccount.com', key, scope='https://www.googleapis.com/auth/drive', prn='user#steelkiwi.com')
http = httplib2.Http()
credentials.authorize(http)
client = build('drive', 'v2', http=http)
Ok, I'm not sure what happened maybe something was fixed after this accident http://www.google.com/appsstatus#hl=en&v=issue&ts=1366405199000&iid=369723584758ad9cdfd010ac44c8272e
but now all works fine. At first I created simple small app from examples that work with service accounts https://gist.github.com/mobedigg/5420958 I have used my credentials for this app and it's works so I put this credentials to my main code and it's worked too. Nothing was changed in main code except credentials. Also I tried other credentials on this small app and they are worked with it and worked with main code. It's very odd.
I have an existing Google App Engine Python app with a lot of functionality. I now want to integrate Google Drive into the app. Specifically I want my app to be able to:
Create an empty file in my user's Google Drive where my user can create a Google Doc.
Retrieve that file from Google Drive for further processing in my app.
Send it back to Google Drive periodically so that the user can perform further editing on it as a Google Doc.
I'd be eternally grateful if someone who knows how to do what I'm trying to do can direct me to the SPECIFIC Google webpage(s) that address my SPECIFIC requirement (not a general answer like, "See the DrEdit example"). Thanks in advance!
Update:
Based on the generated sample code in drive-v2-python-appengine per the suggestion in Answer 1, here's my program with a RequestHandler for creating an empty file:
import os
import webapp2
import io
from google.appengine.api import memcache
import httplib2
from apiclient.discovery import build
from apiclient.http import MediaIoBaseUpload
from oauth2client.appengine import oauth2decorator_from_clientsecrets
decorator = oauth2decorator_from_clientsecrets(
os.path.join(os.path.dirname(__file__), 'client_secrets.json'),
scope=[
'https://www.googleapis.com/auth/drive',
])
http = httplib2.Http(memcache)
drive_service = build("drive", "v2", http=http)
class CreateEmptyFile(webapp2.RequestHandler):
#decorator.oauth_required
def get(self):
body = {
'title': 'Sample Document',
'description': 'A sample document',
'mimeType': 'text/plain'
}
media_body = MediaIoBaseUpload(io.BytesIO(""), mimetype='text/plain', resumable=True)
file = drive_service.files().insert(body=body, media_body=media_body).execute()
self.redirect("/synopsis")
Testing is somewhat confusing, because occasionally when I've run this, including the first time, it's brought up the access request page, but most of the time it doesn't. I've used https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en to revoke access to Drive and Drive no longer shows up on the list, but I guess a time delay of an hour or more exists for carrying out the access revocation. Not sure about that, and haven't seen it documented.
In any case, if I comment-out the call to drive_service.files().insert(), it does not abort, and redirects to my synopsis page. I believe this means the authorization is working correctly, since that makes it like the generated sample code.
However, if I un-comment the insert and use resumable=True for the media body, I get:
ResumableUploadError: Failed to retrieve starting URI.
And if I use resumable=False, I get:
HttpError: <HttpError 401 when requesting https://www.googleapis.com/upload/drive/v2/files?uploadType=multipart&alt=json returned "Login Required">
So I seem to be able to get thru the OAuth 2.0 authorization, but cannot insert a file.
Please try our quickstart app at:
https://developers.google.com/api-client-library/python/start/installation
You can create a quickstart app engine app, which is useful for you to create the initial setup. For specific use-cases, please refer to the drive API reference.