如何使用服务帐户从应用程序脚本访问云数据存储

How to access cloud datastore from apps script with a service account

尝试使用这样的服务帐户从 google 应用程序脚本访问 google 云数据存储。我从 here 那里得到了样本 我不确定 SCOPE 是否正常,或者是否需要另一个范围。 运行 函数 运行() 给出类似 "Error retrieving token: invalid_scope, https://www.googleapis.com/auth/userinfo.email is not a valid audience string."

的错误
// testing Cloud Datastore access via service account
var PRIVATE_KEY = "-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----\n";
var CLIENT_EMAIL = "xxxxxxxxxxx@appspot.gserviceaccount.com";
var USER_EMAIL = "myemailaddress@mydomain.com";
var CLIENT_ID = "104548139575444821912";
var SCOPE = "https://www.googleapis.com/auth/datastore/v1"; 

/**
 * Authorizes and makes a request to the Cloud Datastore 
 */
function run() {
  var service = getService();
  if (service.hasAccess()) {
    var url = SCOPE;
    var response = UrlFetchApp.fetch(url, {
      headers: {
        Authorization: 'Bearer ' + service.getAccessToken()
      }
    });

    var result = JSON.parse(response.getContentText());
    Logger.log(JSON.stringify(result, null, 2));
  } else {
    Logger.log(service.getLastError());
  }
}

/**
 * Reset the authorization state, so that it can be re-tested.
 */
function reset() {
  getService().reset();
}

/**
 * Configures the service.
 */
function getService() {
  return OAuth2.createService('CloudDatastore:' + USER_EMAIL)
      // Set the endpoint URL.
      .setTokenUrl('https://accounts.google.com/o/oauth2/token')

      // Set the private key and issuer.
      .setPrivateKey(PRIVATE_KEY)
      .setIssuer(CLIENT_EMAIL)
      // .setClientId(CLIENT_ID)

      // Set the name of the user to impersonate. This will only work for
      // Google Apps for Work/EDU accounts whose admin has setup domain-wide
      // delegation:
      // https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
      // .setSubject(USER_EMAIL)

      // Set the property store where authorized tokens should be persisted.
      .setPropertyStore(PropertiesService.getScriptProperties())

      // Set the scope. This must match one of the scopes configured during the
      // setup of domain-wide delegation.
      .setScope('https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore/v1');
}

曾经尝试过完全不请求示例中未说明的范围吗?请求范围 https://www.googleapis.com/auth/datastore。虽然那个 GoogleDrive 示例有 PRIVATE_KEYCLIENT_EMAILUSER_EMAIL(需要分配服务帐户的 PK 和电子邮件地址)...虽然它指出:

// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide delegation:
// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
.setSubject(USER_EMAIL)

如果您的帐户既不是工作帐户 (GSuite) 也不是教育帐户,您将无法冒充服务帐户;这给您留下了两个选择:a) 不要尝试使用服务帐户冒充任何人,或者 b) 创建一个具有 domain-wide 委托的 GSuite 域。显然不能在类似 gmail.com 的域上做到这一点,委托 off-domain 帐户也行不通;如果它是 GSuite domain, see domain-wide delegation

曾经尝试过 var SCOPES="https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/datastore"; 然后 .setScope(SCOPES) 吗?请求 invalid_scope 不会有任何结果,这意味着无效或尚未配置委派。 它指出,

This must match one of the scopes configured during the setup of domain-wide delegation.

Perform G Suite Domain-Wide Delegation of Authority explain it. domain-wide delegations needs to be enabled when creating the service account - and then accordingly delegated in the Admin Console. OAuth2ServiceAccount是ID协议。

在高级设置 > 身份验证 > 管理 API 客户端访问下,需要添加具有相应 API 范围的服务帐户的电子邮件地址(该错误消息就在以前的输入,那里可能需要两个范围):

在 Cloud Console 上,大致相同:

参见 API documentation first. once connected, see the console

在我的 GitHub:

中添加了 rest/v1/projects 的示例(也可以 build/test 那里的请求)

请参阅 CloudDatastore.gs(它从 Google 驱动器加载配置 .json)。