Querying Google Drive files by label is failing
I need some help as I'm smashing my head on a wall.
I need to write a script to run periodically on lambda that will pull values from some sheets in google drive. The most straightforward way of finding these is to use the gdrive labels feature. We've enabled it, created the label, and tagged some files.
I can then use the api explorer to query for all files with that label using this query
'labels/LYBX-my-label-id-bFcb' in labels
I can also grab what my browser sent out and run it locally in postman or node/whatever. It works and returns the expected file listings.
However that is using my personal account credentials and when doing this "for real" we need to use a service account of course. So we created a GCP project with a service account, and I'm using the googleapiclient python package. I store the secret for that service account in aws secretmanager, fetch it, and configure my instance of the drive resource with it.
This all works. I can use it to call drive.files().get(...) and drive.files().list(...) and fetch data on files using all sorts of queries except the one I use above for the label. When I do that query I get back a 400 error that complains about the q (query) parameter.
Now I've dropped down to the level of the url itself, and the exact GET request url that my python script logs works when I use my personal bearer token. I'm pretty sure therefore that this is not in fact a bad parameter issue and that's instead just a case of google being godawful at api design and returning crappy error codes.
So I'm thinking that this has to be a permission issue, but I have no clue what permissions are required to allow an account to search by gdrive labels nor how I would go about granting those permissions to a service account.
Another possible clue is that drive.files().listLabels(fileId="...") on a file that I know has labels seems to fail, so again all points to some sort of permission being missing but its unclear which nor how to set those up on service accounts.
SUGGESTION
Note: Since I do not have visibility of your actual script, you can consider this answer as a starting point or reference for fixing the issue in your project. Hopefully, this will resolve your problem.
I conducted my own replication and successfully listed files by using a query based on the label ID with a service account through the process of user impersonation. This should be added in the credential creation phase, where you include a subject parameter to enable the service account to impersonate a user (such as a super admin account or any domain account with the necessary role) for service account delegation.
Test Script
from google.oauth2 import service_account
from googleapiclient.discovery import build
# Path to the service account JSON key file
KEY_FILE = 'sa.json'
# Create credentials from the service account key file & Build the service object
credentials = service_account.Credentials.from_service_account_file(
KEY_FILE, scopes=['https://www.googleapis.com/auth/drive',
'https://www.googleapis.com/auth/drive.file',
'https://www.googleapis.com/auth/drive.metadata',
'https://www.googleapis.com/auth/drive.metadata.readonly',
'https://www.googleapis.com/auth/drive.readonly'],
subject="irv@■■■■■■■■■■■■■■.■■■■");
service = build('drive', 'v3', credentials=credentials);
# List files under a label
label_id = "OTVglmjg5BxgxSevMiuLtr6VoaeDwyg66AIRNNEbbFcb";
results = service.files().list(q= f"'labels/{label_id}' in labels").execute()
results
Demo
I have created a test label and tagged it with two files in my drive:
After running the test script:
Reference
- Error 400: invalid_scope with Postman and Google OAuth2
- Firebase Firestore REST Request - Query and Filter
- `IAM_PERMISSION_DENIED` on a deployed service on GCP, but no errors on localhost
- Pyspark on GCP Dataproc - Partial reading of data for gzip encoded Cloud Storage files
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- Restricting usage for an Android key for a Google API
- Google Cloud Function The request was aborted because there was no available instance
- How to properly create URL Masking for Cloud Functions to create a NEG?
- Deploying an Angular app on Google Cloud with minimal costs
- Cloud Run For Anthos With Terraform
- Flagging a row in new column based on conditions on previous and current rows
- Cant access Firebase Admin SDK via Node.js on my VPS, but I can on my local machine
- TypeError: __call__() missing 1 required positional argument: 'context' error when deploying on GCP
- Why GCP loadbalancer frontend has only two ports enabled?
- New Google place api using google OAuth, ask failed to refresh token
- Is it possible to display context of the search result in gcp logging
- Is there float32 precision on Google TPU?
- BigQuery : is it possible to iterate over an array?
- oauth 2 parameters can only have a single value: scope
- Correct use of gcloud --sort-by combined with --limit
- Is PIVOT Operator supported in Big Query Materialized view?
- App attestation failed with Firebase App check in release on Android
- Why doesn't the offline cloud firestore documentation have code for offline query indexes for flutter?
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Migrating from legacy Google FCM to HTTP v1 for push notifications
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Can we update a field due to its value without reading it in firebase?
- Use process.env variables inside next.config.js
- What is the best practice for decoding Firestore documents in a listener for Swift 5?
- How to install Google Cloud SDK app-engine-python on Debian 12?