Open martindurant opened 2 years ago
I'll see what I can do to get the app re-verified for this scope.
FWIW, I'd expect the https://www.googleapis.com/auth/cloud-platform scope to work, which provides a similar level of access.
Isn't that a much broader level of permission? Have you seen that scope working?
I'm not sure how much broader it is. It's actually quite difficult to verify what access is and isn't granted with regards to scopes. For this reason, Google Cloud hasn't introduced new scopes in a long time. You'll notice that most of the products in https://developers.google.com/identity/protocols/oauth2/scopes only support https://www.googleapis.com/auth/cloud-platform or https://www.googleapis.com/auth/cloud-platform.read-only.
For applications that require narrow permissions, service accounts with limited IAM permissions are the expected way to limit access. There's a little "delegated request permissions with short-lived token" dance you can do to exchange one kind of credentials for the credentials of a service account with limited permissions. https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated
That all said, I can request "https://www.googleapis.com/auth/devstorage.read_write" permissions for the pydata-google-auth app. I'll just need to provide sufficient justification and check that our privacy policy is up-to-date.
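The credential exchange mentioned in the comment above, sketched as an added example (not code from this thread or from pydata-google-auth): it builds the IAM Credentials `generateAccessToken` call that trades a broad `cloud-platform` token for a short-lived, storage-read-only token of a limited service account. The function names, service account emails and token value are hypothetical, and it assumes the caller holds the Service Account Token Creator role on the target account.

```python
import json
import urllib.parse
import urllib.request

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
READ_ONLY_GCS = "https://www.googleapis.com/auth/devstorage.read_only"


def sa_resource(email):
    """Name a service account the way the API expects it."""
    if not email.endswith(".gserviceaccount.com"):
        raise ValueError(f"not a service account email: {email!r}")
    return "projects/-/serviceAccounts/" + urllib.parse.quote(email, safe="@")


def build_token_request(source_token, target_sa, scopes, delegates=(), lifetime_s=900):
    """Build the POST that swaps the caller's token for a narrower one."""
    if not scopes:
        raise ValueError("request at least one scope")
    if not 0 < lifetime_s <= 3600:  # 3600 s is the default maximum lifetime
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    body = {
        "scope": list(scopes),          # scopes carried by the new token
        "lifetime": f"{lifetime_s}s",   # duration string, e.g. "900s"
        # Intermediate accounts in the delegation chain, in order.
        "delegates": [sa_resource(d) for d in delegates],
    }
    return urllib.request.Request(
        f"{IAM_CREDENTIALS}/{sa_resource(target_sa)}:generateAccessToken",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {source_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def fetch_short_lived_token(request):
    """Send the request (needs network); returns (access_token, expire_time)."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        payload = json.load(resp)
    return payload["accessToken"], payload["expireTime"]


if __name__ == "__main__":
    # Constructed values for illustration only; nothing is sent.
    req = build_token_request("constructed-user-token",
                              "reader@example-project.iam.gserviceaccount.com",
                              [READ_ONLY_GCS])
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

What the resulting token can reach is bounded by both the requested scope and the IAM roles granted to the target service account, so the narrowing is done in IAM rather than in the OAuth consent screen.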
most of the products in https://developers.google.com/identity/protocols/oauth2/scopes only support https://www.googleapis.com/auth/cloud-platform
That's probably good enough for me
Looks like I need to re-submit for verification anyway. Somehow it lost it.
Please let me know when this happens.
The following line works OK for me to get credentials for gdrive:
but the following line
results in
(same for "read_only" or "full_control").
Ref: https://github.com/fsspec/gcsfs/issues/261