Covecube Inc.
  • 0
womegunite

Service Account or GDrive AppData

Question

I want to hide CloudDrive's activity from the rest of my GDrive. There are 2 ways to do this: have the app use the special hidden AppData folder within GDrive, or use a Service Account. I have created Service Accounts for use with Cloudberry Backup, and it works great. Can CloudDrive be manually set up to do this, or would this have to be a feature request?


8 answers to this question


  • 0

Here is the Google Cloud doc about service accounts: https://cloud.google.com/iam/docs/service-accounts?hl=en_US.

Anyone with a G Suite account, and therefore a Drive account, I believe can create a project in GCP and create a Service Account, however I know that anyone with at least the $10/month version of G Suite can do this. The Service Account is then given Drive API access. The Service Account will then share quota with the other members, but for all intents has its own Drive. Nothing the SA does shows up in anyone else's account, unless purposefully made to manipulate other accounts. I can't confirm it, but I'm pretty sure it has its own per-user API limit, as any other user does. Furthermore, it would allow me to separate out accounts for different uses and exposure, in case crypto-malware were to hit. I'm using this tactic with Cloudberry Backup to sync to a Service Account all on its own, while still allowing me to expose the main Drive to the PC without fear that malware would ruin everything.

  • 0

Ah, okay. I don't know why I wasn't able to find that page though... maybe my google-fu was off! 

Service accounts may not be suitable, because of how they work. 

As for the appdata folder, I'll submit a request.  But I suspect that the way we handle authentication may cause issues with this. 

https://stablebit.com/Admin/IssueAnalysis/27692

  • 0

I'd love to hear what it is about service accounts that would make them unsuitable. Maybe there is something I'm missing with the way I'm using mine, unless you are just talking about the certificate.

On the second point, can you elaborate a bit?

  • 0

From here: https://developers.google.com/drive/v3/web/appdata

Quote

The 'Application Data folder' is a special folder that is only accessible by your application. Its content is hidden from the user, and from other apps. Despite being hidden from the user, the Application Data folder is stored on the user's Drive and therefore uses the user's Drive storage quota.

We use a pool of keys.  That means that you would ABSOLUTELY have to get the same App ID again.  This means it would be a gamble if your drive shows up, at all.  

So no, we couldn't do that.  At best, we may be able to add support for a custom path in the future. 

  • 0
1 hour ago, Christopher (Drashna) said:

From here: https://developers.google.com/drive/v3/web/appdata

We use a pool of keys.  That means that you would ABSOLUTELY have to get the same App ID again.  This means it would be a gamble if your drive shows up, at all.  

So no, we couldn't do that.  At best, we may be able to add support for a custom path in the future. 

Alright. Custom Path would be the best route then, with support for Team Drives (rclone can recognize them, so I know the API is there). So long as the number of potential files stays under 100k, then a Team Drive would hide that activity from my main account. For the crypto-malware issue, I'll just have to use another software that supports service accounts, and back up the files in the CloudDrive (could do a direct copy of the CD files, I suppose).

 

Are you sure the service account can't be used?

  • 0
On 12/9/2017 at 8:32 PM, womegunite said:

Are you sure the service account can't be used?

Yes.  A service account can only see data it created.  Since we use multiple accounts to reduce load, the next time you authorize the drive, you would likely see nothing.   Not exactly good behavior! 

Also, normal access to the files is blocked. There are cases that we need to grab the "-METADATA" file, and this would be impossible, as well (from what I understand)

 

  • 0
18 minutes ago, Christopher (Drashna) said:

Yes.  A service account can only see data it created.  Since we use multiple accounts to reduce load, the next time you authorize the drive, you would likely see nothing.   Not exactly good behavior! 

Also, normal access to the files is blocked. There are cases that we need to grab the "-METADATA" file, and this would be impossible, as well (from what I understand)

 

I can probably test the first part. I'll use the same service account for two different apps: Cloudberry, and probably rclone. If I can see data from both apps, then the first part is not a problem, right?

I'm not quite sure what you mean in the second part. How would I be able to see this file normally, so I can try to replicate with a service account?

