Ownership of Google Drive files and Service Account using API

Question

Do Service Accounts created in the Developers Console for a specific apps user (e.g. user@mydomain.com) have access to the app user's documents? If I set the account in the AssertionCredentials() like this:

$credentials = new Google_Auth_AssertionCredentials(...);
$credentials->sub = "user@mydomain.com";

I receive the following error:

PHP Fatal error:
Uncaught exception 'Google_Auth_Exception' with message
'Error refreshing the OAuth2 token, message:'{
  "error" : "unauthorized_client",
  "error_description" : "Unauthorized client or scope in request."
}

When I don't set $credentials->sub = "user@mydomain.com" I am able to access the drive but I only see the one document "How to get started with Drive".

If I create the document on the Service Account, is there any way to transfer ownership of the document to my apps account without enabling domain wide delegation?

score 1 · Accepted Answer · answered Jul 23 '15 at 21:39

Service Accounts are essentially their own accounts when it comes to Drive REST API, however this behavior appears inconsistent with the Google Calendar API where the Service Account can impersonate the owner accounts without domain-wide delegation. If you share any document with the Service Account email address provided in the Developers Console that document becomes accessible to the Service Account, however ownership transfer is not possible because the two accounts don't exist on the same domain.

score -3 · Answer 2 · answered Jul 23 '15 at 19:21

Do Service Accounts created in the Developer's Console for a specific apps user (e.g. user@mydomain.com) have access to the app user's documents?

No

I am able to access the drive but I only see the one document "How to get started with Drive".

What did you expect? You've created a new account so it has a single welcome file.

If I create the document on the Service Account, is there any way to transfer ownership of the document to my apps account without enabling domain wide delegation?

Are you sure you've understood what a Service Account is? If you want the files in your account, then use a token for your account and stop using an intermediate Service Account.

Where do you get your information? I don't think YOU understand what a service account is based on your answer. — upful, Jul 23 '15 at 20:41

Ownership of Google Drive files and Service Account using API

2 Answers2

Linked