I've been trying to set up a program that will access a Google Docs file; specifically, it should generate PDFs from a template document that is hosted on a shared Drive. This would be easy if I just needed to do it manually with OAuth; however, I need this to run for the business without human intervention. To do that, I gather I should use a service account.
The problem is that I can't seem to grant the required permissions to the service account. I can't find any option to add permissions for Google Drive/Docs files to the service account. When giving "Owner" permissions, the program using the service account credentials still throws a 403 "the caller does not have permission" error.
I believe I could give delegation permissions for the service account to impersonate anybody within the organisation, and then it could use that to access the files, but that seems like overkill. I just want to access documents in a specific Drive folder. Is there a better way to get the permissions I need?
asked Mar 17 at 17:27 by Rainbow-Anthony Lilico, edited Mar 17 at 20:42 by PatrickdC

1 Answer
Found a reasonable solution for my specific use case thanks to @dazwilkin - I can share a document or folder with a service account through its email in the same way I would share with a human. Other use cases might require domain-wide delegation.
{account}@{project}.iam.gserviceaccount) with the document as if it were a human user. It will gain the permission that you assign to it when you do this. – DazWilkin Commented Mar 17 at 17:59
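
The sharing approach from the answer, as an added example that is not part of the original posts: it builds the body for a Drive API v3 `permissions.create` call that shares an item with the service account, and checks a `permissions.list` result to confirm the account holds a direct grant no stronger than intended. The account, project and user names, the helper function names and the `reader` default are assumptions, and the sample data is constructed.

```python
# Added example: least-privilege check for a Drive share to a service account.
# Standard library only; every sample value below is constructed.

# Drive API v3 permission roles, weakest to strongest.
ROLE_RANK = {"reader": 0, "commenter": 1, "writer": 2,
             "fileOrganizer": 3, "organizer": 4, "owner": 5}
SA_SUFFIX = ".iam.gserviceaccount.com"  # user-managed service account e-mails


def share_request_body(sa_email, role="reader"):
    """Build the body for a Drive v3 permissions.create call that shares
    a file or folder with the service account as if it were a user."""
    if not sa_email.endswith(SA_SUFFIX):
        raise ValueError(f"not a service account address: {sa_email}")
    if role not in ROLE_RANK:
        raise ValueError(f"unknown Drive role: {role}")
    return {"type": "user", "role": role, "emailAddress": sa_email}


def audit_grant(permissions, sa_email, max_role="reader"):
    """Inspect a permissions.list result (requested with fields that include
    emailAddress) and return (code, detail) findings; empty means as intended."""
    direct = [p for p in permissions
              if p.get("type") == "user"
              and p.get("emailAddress", "").lower() == sa_email.lower()]
    if not direct:
        return [("missing", f"{sa_email} has no direct grant on this item")]
    findings = []
    for p in direct:
        if ROLE_RANK[p["role"]] > ROLE_RANK[max_role]:
            findings.append(("excessive", f"role {p['role']} exceeds {max_role}"))
    return findings


# Constructed sample data (hypothetical account, project and user names).
SA = "pdf-generator@example-project.iam.gserviceaccount.com"
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "organizer", "emailAddress": "admin@example.com"},
    {"type": "user", "role": "writer", "emailAddress": SA},
]

if __name__ == "__main__":
    print(share_request_body(SA))
    print(audit_grant(SAMPLE_PERMISSIONS, SA))      # grant stronger than reader
    print(audit_grant(SAMPLE_PERMISSIONS[:1], SA))  # no grant for the account
```

Set `max_role` to whatever the job actually needs; `reader` is only the default assumed here.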