Google Developer console service account


Are you in the process of developing an application designed to incorporate one or more of the Google APIs? Do you already have an application and want to add Google data to it? Before you can access most of the Google APIs you must register your project on Google Developers console.

This is post number six in my six-part Beginning Google Development series, which started with the post Google Development for beginners and continued with registering a project with Google, Google Developers console APIs, creating public API key credentials, and OAuth 2.0 credentials. Now we are going to build upon our new project on Google Developers console by adding service account credentials.

In this post we will discuss when we would want to use a service account and how to add it to our project on Google Developers console.

Let us get started ….

What is a Service account?

Google's definition of a service account is slightly different than my own. The following comes from Google's page Using OAuth 2.0 for Server to Server Applications:

The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario you need a service account, which is an account that belongs to your application instead of to an individual end user. Your application calls Google APIs on behalf of the service account, so users aren’t directly involved. This scenario is sometimes called “two-legged OAuth,” or “2LO.” (The related term “three-legged OAuth” refers to scenarios in which your application calls Google APIs on behalf of end users, and in which user consent is sometimes required.)

To me this means that if you have a service running in the background you would want to use a service account. In my opinion this is not entirely true: in some instances you can also use OAuth 2.0 credentials in a background process on the server, and sometimes you might want to use a service account from a website in real time.

My definition of a service account would be: pre-authorized access to public and private Google data without user consent at run time.

Meeting room example

A company has a group of meeting rooms, and each room can be booked for meetings. I would create a service account for this. A service account has its own Google Calendar account, so we can create a new calendar called bookings for each of the rooms. When an employee wants to book a room I would insert an event into the calendar for that room.

The drawback to this is that there is no Google Calendar web view for a service account's calendars, so I would have to create a web application or Windows application to allow the employees to see when a room is booked and who has booked it.

Customer support example

A company has an issue system for customer support where users can upload files containing a stack trace of the errors. I could create a service account, have the service account create a file with the support information, and then have the service account upload the stack trace file to Google Drive.

A service account has its own Google Drive account. There are a few issues with service accounts and Google Drive file uploads. The first is that, as with Google Calendar, there is no web interface, so you won't be able to see any files you upload. A way around this is to create a folder on the service account's Google Drive and insert a permission on that folder giving yourself, the developer, access to see the folder and all the files within it. You could also give the service account access to a folder on your own Google Drive account by adding the service account email address to the folder like you would any other user. Either way, files the service account creates are owned by it and count against its own storage quota.

OAuth 2.0 Credentials as a service.

As you know from the last post in this series, Google Developer Console OAuth2 credentials, when a user grants you access to their data a refresh token is returned. If you save this refresh token you can use it at any time to request a new access token for their data, for as long as the user leaves the grant in place.

Google Analytics email

A user authorizes your application, giving you permission to see their Google Analytics data. At midnight every night you could use the refresh token you saved and access their Google Analytics data. You could generate a nice PDF file for them of the stats from the day before and email it to them. Accessing Google Analytics could all be done in a background process on the server, so this is a way of automating access to Google Analytics without the user being present.

The difference between OAuth 2.0 credentials and Service account Credentials

The main difference is how authorization is obtained. Service accounts are pre-authorized. I can take the service account email address and add it as a user on my Google Calendar and it will have access to that calendar; I can add the email address as a user on a folder in my Google Drive and it will have access; I can add it as a user on my Google Analytics account and it will have access. By adding the service account as a user on the different systems you are pre-authorizing its access to the data. Service account authorization also never has to be renewed by a person: the application signs a new assertion with the service account's private key whenever it needs an access token, and as long as you don't remove the sharing or delete the key this will keep working.

With OAuth 2.0 a user has to manually authorize the access using the consent screen. OAuth 2.0 consent is not permanent: a user can decide at any time to revoke your access. The access token you receive is short-lived (about an hour), and when it expires you use the saved refresh token to request a new one.
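The service-account exchange quoted at the top of the post (the "2LO" assertion) and the refresh-token renewal compared just above differ only in what proves the grant. The following is an added example, written for this edit and not code from the post, that builds both token requests in Python: it parses a JSON key file, builds the signed JWT assertion (RS256 header, claim set, one-hour lifetime limit), produces the form bodies for both grant types, and caches the hourly access token. The key file, its robot@example-project address and the stub signer are constructed; the signer is injected so the module runs offline, and rs256_signer() shows the real RSA-SHA256 call, which assumes the third-party cryptography package is installed.

```python
"""Token requests for the two credential types compared in the post.

Added example (not the post's own code). No network calls are made: functions
return the form body that would be POSTed to the token endpoint, and the JWT
signer is injected, so everything runs offline.
"""
import base64
import json
import time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type
MAX_LIFETIME = 3600  # an assertion may not be valid for more than one hour

# Constructed stand-in for a downloaded JSON key; the private_key is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "abc123",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "robot@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_service_account_key(text: str) -> dict:
    """Load a JSON key file and refuse anything that is not a complete
    service-account key. The private_key field is the part that must never leak."""
    key = json.loads(text)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    for field in ("client_email", "private_key", "private_key_id", "token_uri"):
        if not key.get(field):
            raise ValueError(f"key file is missing {field}")
    return key


def build_assertion(key, scopes, signer, now=None, lifetime=MAX_LIFETIME):
    """Build the signed JWT a service account trades for an access token (2LO).
    signer(bytes) -> bytes must produce an RSA-SHA256 signature made with the
    key's private_key; see rs256_signer() below for a real one."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("assertion lifetime must be 1..3600 seconds")
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    claims = {
        "iss": key["client_email"],  # the service account is the principal
        "scope": " ".join(scopes),   # what it was pre-authorized for; no consent screen
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + lifetime,
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def jwt_bearer_request(assertion: str) -> dict:
    """Form body for the 2LO exchange: no client secret, no user, no refresh token."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}


def refresh_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Form body for the 3LO renewal: the stored refresh token stands in for the
    consent the user gave once, and stops working the moment they revoke it."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}


def decode_claims(assertion: str) -> dict:
    """Read back the claim set for inspection (does not verify the signature)."""
    seg = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


class TokenCache:
    """Access tokens from either flow expire (normally after 3600 s). Keep one
    and call fetch() again only when it is within `skew` seconds of expiring."""

    def __init__(self, fetch, skew=60):
        self.fetch, self.skew = fetch, skew      # fetch() -> (token, expires_in)
        self.token, self.expires_at = None, 0.0

    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at - self.skew:
            self.token, expires_in = self.fetch()
            self.expires_at = now + expires_in
        return self.token


def rs256_signer(pem: str):
    """Signer for real use; needs the third-party 'cryptography' package,
    imported lazily so the rest of the module runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    priv = serialization.load_pem_private_key(pem.encode(), password=None)
    return lambda data: priv.sign(data, padding.PKCS1v15(), hashes.SHA256())
```

For the 2LO path you would call build_assertion(key, scopes, rs256_signer(key["private_key"])) and POST jwt_bearer_request(...) to key["token_uri"]; with the P12 download the same private key sits inside the keystore behind the notasecret password. The 3LO path differs only in its proof: refresh_request() carries the user's revocable consent, while the assertion is proof of possession of the private key, which is why the key file must never leave your servers.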

Service accounts don't work with every Google system. I know from personal experience that they don't work with YouTube and Blogger. If anyone has a list of other Google systems that don't support service accounts please let me know so I can add them to the list.

Creating Service account credentials

Google Developers console Service Account Credentials

In the Google Developers console, under the APIs & auth menu, you will find the Credentials screen. From the Credentials screen click the Add credentials button. You will be asked which type of credential you would like to create. Select Service account.

As it says: Service accounts – Enables server-to-server, app-level authentication using robot accounts. For use with Google Cloud APIs.

Now, before you panic: it is not just for use with Google Cloud APIs. To my knowledge service accounts work with most of the Google APIs; the only ones I have found that they don't work with are the Blogger and YouTube APIs.

In the next window you have the option of downloading the key pair that identifies the service account, as a JSON file or a P12 file. It is up to you which option you choose; I personally only have experience with P12 files. Think of the file as the key that opens the door to Google's data: without it you can't get access.

That's it, we are done. There is no magic in creating a service account on Google Developers console; it is all created for you in three clicks.

notasecret is the password on the downloaded P12 file, and some of the client libraries need it to open the file. It literally isn't a secret, because every P12 key you download has this same password; the protection is the private key inside the file, not the password around it.

Service account created

Once you have clicked OK your new service account has been created.

It is very important to keep these keys secret and secure. Anyone who holds the key file can act as the service account against everything it has been given access to. Do not post it to open source projects, do not share it with other users, and do not ship it in your code anywhere a user could view the source and see it. This includes PHP projects such as WordPress plugins: you will have to tell your users how to create their own service account.

On November 5, 2014 Google made a change to the terms of use; you can find that change here.

The important thing to remember about it is:

  • Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

You can read my post about my discussion with the author of the change to the Terms of Service, about how this will affect open source projects: Changes to the Google API terms of service.

I don't think there would be anything wrong with giving a user your service account email address and asking them to grant it permissions. However, if you give more than one user the same service account email address it will be up to you to ensure that each user is only able to see their own data and not data owned by another user: the service account itself has access to everything that has been shared with it, so that separation has to be enforced in your own code.
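The warning above about not shipping the key with open source code is worth enforcing mechanically before anything is pushed. The following is an added example, not code from the post, of a pre-push check in Python that looks through a set of files for the three forms the credential takes: the JSON key (type "service_account" with a private_key), a PEM private-key block, and a P12/PFX keystore. A bare @...iam.gserviceaccount.com address is reported only as informational, since the post says handing out the address is fine. The sample tree, its file names and the robot@example-project address are constructed, and the PKCS#12 detection by DER prefix is a heuristic.

```python
"""Pre-push check for Google service-account credentials in a source tree.

Added example, not the post's own code. File contents below are constructed.
"""
import json
import re

SA_EMAIL = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.iam\.gserviceaccount\.com")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
DER_MAGIC = b"\x30\x82"  # DER SEQUENCE with 2-byte length: how a .p12 keystore starts (heuristic)

HIGH, LOW = "high", "low"


def classify(path: str, data: bytes) -> list:
    """Findings for one file as (severity, message). HIGH means a private key is
    present and the push must be stopped; LOW is an identifier worth a glance."""
    findings = []
    if path.lower().endswith((".p12", ".pfx")) or data[:2] == DER_MAGIC:
        findings.append((HIGH, "PKCS#12 keystore; the 'notasecret' password does not protect it"))
    text = data.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account" and doc.get("private_key"):
        findings.append((HIGH, f"service-account JSON key for {doc.get('client_email', '?')}"))
    elif PEM_PRIVATE_KEY.search(text):
        findings.append((HIGH, "PEM private key block"))
    for email in sorted(set(SA_EMAIL.findall(text))):
        # The address alone is safe to publish; it only matters next to a key.
        findings.append((LOW, f"service-account address {email} (identifier only)"))
    return findings


def scan(files: dict) -> dict:
    """Scan {path: bytes} and return only the files that produced findings."""
    report = {path: classify(path, data) for path, data in files.items()}
    return {path: found for path, found in report.items() if found}


def should_block(report: dict) -> bool:
    """True when any file carries a HIGH finding."""
    return any(sev == HIGH for found in report.values() for sev, _ in found)


# Constructed sample tree standing in for a WordPress plugin about to be pushed.
SAMPLE_TREE = {
    "plugin/readme.txt": b"Create your own service account and enter its address below.\n",
    "plugin/settings.php": b"<?php\n$sa_email = 'robot@example-project.iam.gserviceaccount.com';\n",
    "plugin/example-project-1234abcd.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "1234abcd",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "robot@example-project.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
    }).encode(),
    "plugin/example-project.p12": DER_MAGIC + b"\x04\xd2" + b"\x00" * 16,
}

if __name__ == "__main__":
    report = scan(SAMPLE_TREE)
    for path, found in report.items():
        for sev, msg in found:
            print(f"{sev.upper():4} {path}: {msg}")
    raise SystemExit(1 if should_block(report) else 0)
```

Wire scan() into a pre-commit or CI step over the files in the commit and fail the build when should_block() is true; the LOW findings are there so a reviewer can confirm the address in settings.php is being read from configuration rather than sitting beside a key.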

Conclusion

You should now understand what a service account is and have an idea of when you might want to use one.

This concludes my Beginning Google development series. If you have read all the way through this series you should be on the right path to becoming a Google developer. You should understand how to create a project on Google developers console, how to add APIs to the project, and how important it is to keep track of your quota usage. You should also understand the difference between public and private data, and how to create credentials to access both public and private data.

Welcome to the Google development family I hope this series has helped you get started.


About Linda Lawton

My name is Linda Lawton. I have more than 20 years of experience working as an application developer and a database expert. I have also been working with Google APIs since 2012 and I have been contributing to the Google .Net client library since 2013. In 2013 I became a Google Developer Expert for Google Analytics.

24 thoughts on "Google Developer console service account"

  • Steve

    Wow! Thanks. That is one of the best overviews of service accounts that I have come across. As much as I have pored over the Google docs I never understood that it was so simple to grant access to a service account. I thought the only way was through the administration page, granting domain access to the service account app.

  • Vijay Shah

    My service email address is "XXXX@.iam.gserviceaccount.com". I'm trying to get files from my Google Drive but am not able to get them. I got only one default file, "Getting Started.pdf", in the response.

  • Fikri

    Hi,

    Nice article. I'm new to using the Google API library. I want to create a PHP script to post articles to Blogger that will run automatically via a cron job. I decided to use a Service Account to authenticate. I have a problem:

    I can retrieve articles from Blogger, but I cannot send/post an article to Blogger; it says:
    { "error": { "errors": [ { "domain": "global", "reason": "forbidden", "message": "We're sorry, but you don't have permission to access this resource." } ], "code": 403, "message": "We're sorry, but you don't have permission to access this resource." } }

    1. I've created a Service Account in the Google API Console
    2. I've enabled the Blogger API
    3. Downloaded the credentials and used them in my code
    4. I'm running this only from my computer (localhost)

    Here's my code:
    require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader for the Google API client (path assumed)
    try {
        // Point the client at the downloaded service-account JSON key
        putenv('GOOGLE_APPLICATION_CREDENTIALS=' . __DIR__ . '/../../credentials/BeMine92929929.json');
        $client = new Google_Client();
        $client->setApplicationName('Be Mine');
        $client->useApplicationDefaultCredentials();
        $client->addScope(Google_Service_Blogger::BLOGGER);
        $token = $client->fetchAccessTokenWithAssertion();
        $client->setAccessToken($token);
        // I dump $token here, and it's available. Token generation succeeds.

        $service = new Google_Service_Blogger($client);
        $blog = $service->blogs->getByUrl('http://bemine.blogspot.com');

        // This is the part for sending the post to Blogger, which is getting
        // the error
        $post = new Google_Service_Blogger_Post();
        $post->setTitle('Coba Post Artikel Kedua');
        $post->setContent('Artikel kedua ini dikirim melalui layanan Blogger api.');
        $service->posts->insert('Here Is My Blog ID', $post);

        // If I comment out the posting part and try to get the list of articles
        // of my blog, it succeeds.
        $posts = $service->posts->listPosts($blog->getId());
        //file_put_contents('/tmp/anarky.txt', var_export($posts, true));
    } catch (\Exception $ex) {
        echo $ex->getMessage();
    }

    What do you think I missed?

    Thank you.

  • Drew Adams

    Hi, I am very impressed by your knowledge and wish to get there some day!

    I'm using OAuth to grab Google Analytics Reporting API data.

    It works on my localhost but not in live production. Here is what I did in the Google console to get it to work:

    Credentials > create credentials > Oauth client ID > Other
    That JSON file works only on localhost, which means my code is fine I believe, so I'm positive the problem is how I set up my credentials in the Google Console.

    I’ve tried to click the Web Application button to set up the Authorized JavaScript origins and Authorized redirect URIs with no success.

    Any pointers?

    • Linda Lawton Post author

      I am going to assume that you are using OAuth2 even though you are commenting on a post about service accounts.

      The code for authenticating OAuth2 web apps is different than the code for, say, an installed application. The reason it works on your local machine is that you have the ability to spawn a web browser. When you host that code it is going to try to open the web browser on the server, which is just not going to work.

      Try following this: web applications. Let me know if you have any issues; I am not a web developer but I may still be able to assist.

    • Linda Lawton Post author

      Exactly, service accounts are dummy users, but they are dummy services as well. They are not an actual user so they have no need for a GUI. Everything you do with them will have to be in the background via the API.

  • Phong

    HI Linda,

    I am building a website and use Google Drive to keep all of the customer images. It works well on localhost.

    When I publish to the web server it is not working. I think I need to configure something on my web server.

    I am looking forward to your advice.

    Thank you so much.

  • Mike

    Hi, I’m trying to get a Google Drive upload utility working.

    I tested it successfully using my own google drive, but when moving to deploy to another google drive, the utility can’t seem to find any of the folders or files shared with the service account from the main drive.

    The service account can connect just fine, but returns zero folders, despite a few being shared with it.

  • emilio wildberger

    Hi, I'm Emilio Wildberger. I'm creating a WebApi with C# and .NET 5, please help me.
    MY PROBLEM:
    I need to send emails to my clients to validate their user accounts or retrieve passwords.
    I started sending with SMTP with some libraries, but Gmail blocks the sending of emails,
    and searching the internet I found the Gmail API service.
    I tried by all means to send mail from my WebApi with the Gmail API
    without USER CONSENT but I can't get this.
    The library for C# .NET exists but it doesn't work for me because of consent;
    what I need would be to obtain the token, create the credential and send the mail to my clients all from my API without asking for user consent.
    What are the steps I should follow so that this works for me in a professional way? Thanks for your support, I hope you can help me, I have been looking for a solution for 6 days.

    • Linda Lawton Post author

      >I need to send emails to my clients to validate their user accounts or retrieve passwords.

      You cannot get a user's password; this would be a major security risk.

      >Try by all means to send mail from my webApi with the APIGMAIL without USER CONSENT but I can’t get this.

      You cannot send emails from a user without their consent; this would be a major security risk. You need a user's permission to access their account.

      >what I need would be to obtain the token, create the credential and send the mail to my clients all from my api without asking for user consent

      Private user data is just that, private. In order to access private user data you need the user's permission. You're going to have to ask them for consent.

      >What are the steps that I should follow so that this works for me in a professional way

      You should use OAuth2 to authorize the user and request their consent. Store the refresh token for future use; then you will be able to access the user's data.

      From a business standpoint you should know that verifying an app using the Gmail API send mail requests is going to cost you between $15k – $75k each year for the security evaluation.

  • Darshil Bhavsar

    Hello Linda Lawton
    I need to upload a file to Google Drive without the user signing in to authenticate, so can you help me out with code in ASP.NET MVC or C#?

  • Mark

    I have a friend who is working for an NGO overseas. He needed help with traversing emails and extracting data. This part is working. I now need to append this data to a Google spreadsheet so they can perform analysis. In my local testing I used this two-part auth:
    https://support.google.com/accounts/answer/185839?hl=en&ref_topic=7189195
    https://support.google.com/accounts/answer/185833?hl=en&ref_topic=7189145
    The 16-character password provided was what I was expecting to use. Is there a way to use what gives me access to the emails to get access to spreadsheets as well?
    Thank you in advance.