Google Service Accounts with Json File
Google has added the ability to download the Service account file as JSon. I am not exactly sure when they started offering it I first noticed it about six months ago. Originally when you created a service account you were given a P12 file. I have put together an example of how to use P12, Json and they key by itself. I don’t know how much longer Google will support the p12 file. I think its best to start switching to the Json file as soon as we can.
This code uses the Google .net client library, as an example I am using the new Google Analytics Reporting API V4.
The NuGet package can be found here
PM> Install-Package Google.Apis.AnalyticsReporting.v4
Make sure you create your project using .Net Framework 4.5.
What are Service accounts?
Service accounts are a way of accessing private data without having to authenticate. Service accounts are pre-authenticated by you the developer. I have a long post about service accounts you may want to read Google Developer console service account.
What is a P12 file?
PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12
This file when downloaded was password protected so you couldn’t actually see what was in it. The new Json files arn’t and you can actually open them.
Now that Google offers the option of downloading the Service account Key file as Json, and they state under P12 “for backward compatibility with code using P12 format” I think its a good idea we start using the JSon file when ever possible.
Note: I haven’t read anything any were that states that they will stop support for the P12 files. I just like to be prepared.
Is it possible to read email from GMail using above approch.
The only way i have seen service accounts work with Gmail is with admin directory mixed in. Like for a google work or google domain account. You cant pre-authorize a service account with a normal users gmail.
Awesome question btw 🙂
Really helpful guide with regards to JSON. Makes it super simple to start playing with it myself. Thanks.
Hi, and where could i download the JSON file at the google admin site?
once you create the credentials it should be there for you to download.
really awesome help with the Google drive api. i was wondering what method you’d use re-build the folder structure of a googe drive and then download (“sync”) the files ?
I would probably use file.list using search to limit it to only type folder. Then sort them locally into some kind of parent child link list.
Can you not just use the account login / password to request authorization to access a google drive account via windows application? Do you always have to have a credentials for the account set up?
Using Login and password to access an account is called client login. Google shut down client login in 2015. You will always need to authenticate using Oauth2 or a service account..
I need a service account with unlimited storage for google drive file upload.
My company has unlimited access for google drive for each employee email.
I created a service account under my company email, but it has limited quota for google drive. So this service account is called ‘user maintain service account’. Am I correct?
Is it possible to have a unlimited storage access for a service account. Please give me some details about ‘Google maintained service account’
I think you should check the doucmentation Perform G Suite Domain-Wide Delegation of Authority
It is not possible to get unlimited storage for a service account.
Using the Google Calendar API, I originally built an ASP.NET application for an individual account that after it authenticates the user, will populate a list (this.service.CalendarList.List().Execute() and then looping through each calendarItem and adding them to the list) containing all of that account’s calendars. When one is selected it will bring up that particular calendar to update.
I have been trying to set up a Service Account for the Google Calendar API to be able to allow that account to have domain access over all accounts so I don’t have to set up an account for each individual (could be thousands of setups). The authentication code I used is based off of what you have in this article. I can’t tell if it’s a failure of the authentication or not but there aren’t any records coming into the list.
Service accounts by default don’t have any calendars. If you share a calendar with the service account it doesn’t always get added to its calendar list. You should be able to simply add it yourself manually using the service account. just use calendarlist.insert
Hey Linda, thanks for responding so expeditiously. For the scope, I am using “https://www.googleapis.com/auth/userinfo.profile”,
“https://www.googleapis.com/auth/userinfo.email”, “https://www.googleapis.com/auth/calendar”. Are you saying that even by adding this scope I won’t have calendars added to the service account’s calendar list? If not, is there a way to add all calendars to the Service Account through another admin tool? As I mentioned in the first message, this has to be done for thousands of accounts.
You can take the service account email address and share any calendar you want with it. Think of a service account as a dummy user.
Hi Linda ,
can you suggest any reference source where google service account authentication is implemented usong json file with .net 4.0.
I am unable to find any reference . I need to implement google pub sub api.
This might work GitHub but i cant promise because the Google .net client library doesn’t fully support .net 4.0 anymore. I have never managed to get it fully working on my own without the client library.
Hi Linda, thank you for such excellent articles/information!
How would I do what you’re doing here in your article using nothing but curl? For example, the API Explorer says I use the following to see the ACL list for a given calender (using the Calendar API):
But the following fails with “Login Required”:
$ curl ‘https://www.googleapis.com/calendar/v3/calendars/…/acl?key=…’
Adding the service account email and scope gives the same result:
$ curl ‘https://www.googleapis.com/calendar/v3/calendars/…/acl?key=…&client_email=…&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar’
Posting the service account email and scope as data also gives the same result:
$ curl -d ‘client_email=…&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar’ ‘https://www.googleapis.com/calendar/v3/calendars/…/acl?key=…’
API key wont work as that will only allow you to access public data. You need to be authenticated.
https://gist.github.com/LindaLawton/cff75182aac5fa42930a09f58b63a309 and this https://www.daimto.com/google-authentication-with-curl/
Awesome! Thanks Linda
I’ve used your code with GDrive to get a listing of files through a service account – and it works great. However, for it to work, I need to first share the GDrive file/folder with the Service account’s email address. I found out there is another way for the service account to access the GDrive files without having those files shared with the Service account: By getting the service account to impersonate a GSuite user which will then enable it to access all GDrive files that is accessible to that GSuite user. More information on this can be found on this link: https://github.com/googleapis/google-api-dotnet-client/issues/1238
3 years after this blog post and still rocking. Wanted to migrate my .P12 config to .JSON file and this helped a lot. Many thanks!