Google APPs managed “unlimited” account storage quota for service account

Question:

I have a Google account as a student. This account is managed by my university and recently the university informed us that students' accounts have now "unlimited" storage for Drive etc.

To perform backups with this, I created a few service accounts in the Google APIs console (XXX@developer.gserviceaccount.com). But it turns out that those accounts' storage is limited to 15GB, that is, when trying to upload files to one of the service accounts that already has ~15GB in it, I get an error "the client is exceeded his storage quota".

I asked the university admins; they don't know how to help and don't even see the service account's email (XXX@developer.gserviceaccount.com) in the list of managed accounts.

So the question is what should be done (by me or by the university admins) to remove (or increase) the storage quota of my service accounts when those were opened with the "unlimited" student account.

<strong>Update: trying @DaImTo suggestion:</strong>

So I created a folder in my Drive web interface and shared it with my service account. Then, with the service account, I uploaded a file to that folder (using the <a href="https://pypi.python.org/pypi/PyDrive" rel="nofollow">PyDrive</a> library):

    file1 = drive.CreateFile({'title': 'test2',
                              'parents': [{"kind": "drive#fileLink", "id": shared_folder_id}]})
    file1.SetContentString('some text')
    file1.Upload()
    print 'File ID: %s' % file1['id']
    permissions = file1.auth.service.permissions().list(fileId=file1['id']).execute()
    print "permissions:", permissions

Output:

    File ID: XXX
    permissions: {u'items': [{u'kind': u'drive#permission', u'name': u'XXX@developer.gserviceaccount.com', u'domain': u'developer.gserviceaccount.com', u'etag': u'"XXX"', u'emailAddress': u'XXX@developer.gserviceaccount.com', u'role': u'owner', u'type': u'user', u'id': u'XXX', u'selfLink': u'https://www.googleapis.com/drive/v2/files/XXX/permissions/XXX'}, {u'kind': u'drive#permission', u'name': u'<my name>', u'domain': u'<my school domain>', u'etag': u'"XXX"', u'emailAddress': u'<my name>@<my school domain>', u'role': u'writer', u'type': u'user', u'id': u'XXX', u'selfLink': u'https://www.googleapis.com/drive/v2/files/XXX/permissions/XXX'}], u'kind': u'drive#permissionList', u'etag': u'"XXX"', u'selfLink': u'https://www.googleapis.com/drive/v2/files/XXX/permissions?alt=json'}

So the uploaded file automatically has two permissions:

1. Service account is "owner"
2. My main account is "writer"

Indeed, I can see the file in the web interface, edit it, delete it etc. But, since the service account is the owner, the file is accounted in the service account's storage quota, so this doesn't solve my problem, i.e. I still cannot use more than 15GB with my backup application.

I tried to transfer the ownership to my main account:

    file1 = drive.CreateFile({'id': file_id})
    permissions = file1.auth.service.permissions().list(fileId=file1['id']).execute()
    myperm_id = permissions['items'][1]['id']  # this is the second permission, i.e. of my main account
    myperm = file1.auth.service.permissions().get(fileId=file1['id'], permissionId=myperm_id).execute()
    myperm['role'] = 'owner'
    file1.auth.service.permissions().update(fileId=file1['id'], permissionId=myperm['id'], body=myperm).execute()

...and got an error:

googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v2/files/XXX/permissions/XXX?alt=json returned "Insufficient permissions for this file">

I tried to append transferOwnership='True':

file1.auth.service.permissions().update(fileId=file1['id'], permissionId=myperm['id'], body=myperm, transferOwnership='True').execute()

got the same error. I'm stuck here.

Btw, in Google help <a href="https://support.google.com/drive/answer/2494892?hl=en" rel="nofollow">Transfer file ownership</a> they say "If you're a Google Apps user, you can't transfer ownership to someone else who is outside of your domain."

Answer1:

A service account is <strong>not</strong> you. Think of a service account as a dummy Google user; it has its own Google drive account, Google calendar account ...

It is probably loosely related to the developers who have access to it in the Google developer console; if the application using the service account starts to spam Google drive, the developer console account will be shut down. But beyond that, you and any service accounts you create are separate entities. It doesn't have access to your unlimited drive account until you give it access to your unlimited drive account. (wish I had an unlimited drive account)

Now it is an entity, but I am not all that sure the school could give it access. Really, I am not sure I would want to; it would remove one part of the control of the service account from me. Some school admin could just remove it one day and break everything .....

What I suggest you do is this: give the service account access to <strong>your</strong> Google account. Open Google drive, the web version. I suggest you create a new directory. In the sharing permissions, take the service account's email address and give it full access to that directory. It should then be able to upload to the directory of your amazing unlimited drive account.

Update: Just thought of something. You are probably going to have to check what directories it has access to once you give it access to your drive directory. You will need to be sure it uploads to the drive you shared and not its root directory.

<strong>update Permissions:</strong>

You are probably using <a href="https://developers.google.com/drive/v2/reference/files/insert" rel="nofollow">file.insert</a> to upload the file. That is just the first step.

Once you have the file uploaded you will need to patch it and change the permissions, granting you (as in you personally, not the service account) access to the file. When the file is uploaded it's still <strong>OWNED</strong> by the service account.

You will need to use <a href="https://developers.google.com/drive/v2/reference/files/patch" rel="nofollow">Files: patch</a> to update the permissions on the file, granting you (as in you, not the service account) access to the file.

Unfortunately it's not possible (at this time) to set the permissions of the file when it's uploaded. I am not sure if this is a bug or it's just not supported; I created an issue request on this a few days ago. <a href="https://code.google.com/a/google.com/p/apps-api-issues/issues/list?q=API%3DDrive" rel="nofollow">Issue 3717: Google drive api, upload file with shared permission</a>
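The ownership check discussed above can be run offline over a permissions listing. This is an added example, not part of the original answer; the function names and the sample addresses are assumptions, and the sample is constructed in the shape of the Drive v2 permissions output shown in the question.

```python
# Constructed sample modelled on the permissions output in the question;
# the addresses are placeholders.
SAMPLE_PERMISSIONS = {
    "kind": "drive#permissionList",
    "items": [
        {"kind": "drive#permission", "type": "user", "role": "owner",
         "emailAddress": "backup@developer.gserviceaccount.com"},
        {"kind": "drive#permission", "type": "user", "role": "writer",
         "emailAddress": "student@university.example"},
    ],
}


def is_service_account(email):
    """True when the address belongs to a *.gserviceaccount.com identity."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain == "gserviceaccount.com" or domain.endswith(".gserviceaccount.com")


def audit_permissions(permission_list, expected_owner):
    """Summarise who owns a file and who else can reach it."""
    items = permission_list.get("items", [])
    owners = [p.get("emailAddress", "") for p in items if p.get("role") == "owner"]
    findings = []
    if expected_owner.lower() not in (o.lower() for o in owners):
        findings.append("expected owner %s does not own the file" % expected_owner)
    for owner in owners:
        if is_service_account(owner):
            findings.append("owner %s is a service account, so the file "
                            "counts against that account's quota" % owner)
    # Entries of type "anyone" or "domain" expose the file beyond named users.
    for p in items:
        if p.get("type") in ("anyone", "domain"):
            findings.append("shared with %s as %s" % (p["type"], p.get("role")))
    return {"owners": owners, "findings": findings}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_PERMISSIONS, "student@university.example")
    for line in report["findings"]:
        print(line)
```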

Answer2:

It seems that it's impossible to transfer the ownership of the files uploaded by service account to the main account.

Finally I abandoned the service account approach and followed <a href="https://stackoverflow.com/questions/19766912/how-do-i-authorise-a-background-web-app-without-user-intervention-canonical" rel="nofollow">this</a> approach to run my app as my regular user.

Once the steps described there were accomplished, I create the drive service like that:

    import httplib2
    from pydrive.auth import GoogleAuth
    from pydrive.drive import GoogleDrive

    gauth = GoogleAuth()
    gauth.LoadCredentialsFile("GoogleDriveCredentials.txt")
    if gauth.credentials is None:
        gauth.LocalWebserverAuth()
    elif gauth.access_token_expired:
        print "Google Drive Token Expired, Refreshing"
        gauth.Refresh()
    else:
        gauth.Authorize()
    gauth.SaveCredentialsFile("GoogleDriveCredentials.txt")
    drive = GoogleDrive(gauth)

Where GoogleDriveCredentials.txt is of the form:

{"_module": "oauth2client.client", "token_expiry": "XXX", "access_token": "XXX", "token_uri": "https://accounts.google.com/o/oauth2/token", "invalid": false, "token_response": {"access_token": "XXX", "token_type": "Bearer", "expires_in": 3600}, "client_id": "XXX.apps.googleusercontent.com", "id_token": null, "client_secret": "XXX", "revoke_uri": "https://accounts.google.com/o/oauth2/revoke", "_class": "OAuth2Credentials", "refresh_token": "XXX", "user_agent": null}

Now the uploaded files' owner is "me" in web interface and they are accounted in my main account's storage quota, so my goal is reached.
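The saved credentials file above holds a refresh token and client secret for the regular user account, so its file mode matters on a shared machine. The following is an added example, not code from the original answer: it audits a file of that shape and restricts it to its owner; the function names are assumptions and the sample contents are constructed placeholders.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the shape shown above; every value is a placeholder.
SAMPLE_CREDENTIALS = {
    "_module": "oauth2client.client",
    "_class": "OAuth2Credentials",
    "access_token": "PLACEHOLDER",
    "refresh_token": "PLACEHOLDER",
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
}

# Fields that stay valid after the one-hour access token expires.
LONG_LIVED_FIELDS = ("refresh_token", "client_secret")


def audit_credentials_file(path):
    """Return a list of findings for a saved credentials file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o: accessible beyond the owner" % mode)
    with open(path) as fh:
        creds = json.load(fh)
    present = [f for f in LONG_LIVED_FIELDS if creds.get(f)]
    if present:
        findings.append("long-lived secrets on disk: " + ", ".join(present))
    return findings


def restrict_to_owner(path):
    """Make the file readable and writable by its owner only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Audit a constructed credentials file before and after tightening it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "GoogleDriveCredentials.txt")
        with open(path, "w") as fh:
            json.dump(SAMPLE_CREDENTIALS, fh)
        os.chmod(path, 0o644)  # a common default for a newly written file
        before = audit_credentials_file(path)
        restrict_to_owner(path)
        after = audit_credentials_file(path)
    return before, after
```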
