Out of domain user cannot deploy web app in shared drive

[Zach Kreutzjans]

Hi,

I am having a problem where an out of domain user cannot deploy a web app from a shared drive. The error is screenshotted on the attached file. I cannot find any settings to allow this to happen or any reason why it might be disabled.

This stems from the need to have an embedded web app in a google site only accessible to those who are in the shared drive where the google site is.

[Clark Lind]

Looks like no one has answered this yet. I think what you are calling a "problem" is actually a "feature". Domains are designed to keep people out. The solution is to add the person to your domain, or maybe create a different domain.

[dimud...@gmail.com]

Agreed.

Shared Drives are a feature exclusive to paid Google Domain accounts.

Out of domain users should never be able to access a shared drive. 

[Zach Kreutzjans]

That is not correct. Out of domain users can do everything in a shared drive except create it. I have tested this and the only app not abiding by this is apps script. I am just wondering why.

--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Script Community" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-script-community/4_3BofuX8QA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/5cbfe3ac-00ae-4678-8980-2d4c629c74fan%40googlegroups.com.

[Alan Wells]

The documentation for deploying a Web App, and Shared Drives is at:

https://developers.google.com/apps-script/guides/web#deploy_a_script_as_a_web_app

https://developers.google.com/apps-script/guides/collaborating#collaborating_with_shared_drives

The documentation states:

Quote:

When you use shared drives to collaborate on Apps Script projects, keep the following in mind:

1. Collaborators with editor access to a shared drive are able to create or move new files into the shared drive. As script editors, they can view and edit scripts projects, run script code, create new script versions, publish add-ons, and deploy scripts as web apps or executables for the Apps Script API.

End Quote.

The documentation states that collaborators can deploy scripts as web apps.  It doesn't make a distinction between collaborators that are in or out of the domain.

The documentation could be incomplete, or maybe out of domain collaborators actually should be able to publish a web app.

You could create an issue on the Issue Tracker, and make your case that according to the documentation it should be allowed.

https://issuetracker.google.com/issues

They may respond with whether it's considered a bug, or expected behavior.

Note that it's a lot easier for them to tell you that it's expected behavior, and that way they don't need to do any work if it actually is a bug.  That could happen.  If it truly is a security issue that is a feature, then it should be explained in the documentation.  

There is a "Send Feedback" button at the bottom of the page of the documentation.  I think the last time I used it, it was almost impossible to submit feedback, but you could try.

[Zach Kreutzjans]

Thank you very much for your response. I did not know that it just being excluded from documentation would warrant an bug report, just thought I was misunderstanding it. I will be posting it tomorrow.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/947ffbcd-c840-4633-9a08-bc81efae2b14n%40googlegroups.com.

[dimud...@gmail.com]

I stand corrected. 

Apparently it is possible to grant out-of-domain users access to a shared drive (https://support.google.com/a/answer/7212025?hl=en#zippy=%2Cwhat-can-you-do-with-shared-drives). A bit scary from a security standpoint, but doable.

If an out-of-domain user cannot deploy a web-app directly from the App Script GUI, there may be a way to work around that by using a service account to do it programmatically instead.

Just spit-balling here, but it should be possible with the following steps:

• Assign the GAS project to a GCP project
• Create a service-account under that GCP Project
• Create credentials/keys for the service account
• Restrict the scopes and/or permissions of that service account to the Apps Script API for that GCP Project (see Best Practices)
• Grant the service-account write/edit access to the GAS project (service accounts have an id that doubles as an email address that you can use for that) 
• Out-of-domain user can then deploy Web Apps programmatically by invoking the Apps Script API (via UrlFetchApp) in one of two ways:
  • Using service-account keys/credentials generated under the GCP project in tandem with the GAS OAuth2 library to generate access tokens
  • OR, and I'm not sure if this would work, allow the user to impersonate the service account (might need to add special roles and/or scopes at the GCP project level and in the GAS project's manifest)