What is the relationship between Apps Script OAuth scopes and the linked GCP project's scopes?

Time:05-18

I have one question about GCP. Maybe I missed some details from the documentation; if that's the case, sorry. So, I have an Apps Script project and I wanted to stream its logs to GCP, so I created a GCP project and set its project number in Apps Script.

It works fine, but here is the confusing part: the Apps Script project has a list of OAuth scopes required for script execution, and OAuth scopes can also be set on the linked GCP project.

Apps Script properties: [screenshot not preserved]

GCP project properties: [screenshot not preserved]

So, my question: do those OAuth scopes from the GCP project affect Apps Script permissions? According to my understanding and testing they are completely separate from each other, but I missed a detailed explanation in the docs regarding this point. Could someone, for example, add some scope to the GCP project and have it implicitly affect Apps Script execution?

CodePudding user response:

About Apps Script project and OAuth consent screen scopes

  • The scopes in your Apps Script project are the ones your code needs to work correctly
  • You can either set them manually in the script manifest or let Apps Script determine and add the needed scopes automatically (you will be asked to authorize them when you run a function after adding code blocks that require additional scopes)
  • When it comes to the OAuth screen scopes in your GCP project - you only need to set them if you plan to publish your script as a public app / Addon that other users can install and use
  • If you use your GCP project only for private purposes - e.g. viewing logs, you do not need to do anything about the scopes in the OAuth screen and can disregard the points below
  • If you do want to publish a public Addon - you do need to configure the OAuth consent screen, which means adding there all the scopes your script needs and submitting them for verification
  • If the latter applies, you need to provide a justification for why and how you are going to use each single scope in case the scope is a sensitive one, and if a scope is a restricted one - you will need to undergo a pricey Security assessment
  • To avoid unnecessary hassle / costs with the scope verification, try to use as limited scopes as possible
  • For example, if Apps Script automatically awarded the script the scope https://www.googleapis.com/auth/drive - see if a https://www.googleapis.com/auth/drive.readonly or a https://www.googleapis.com/auth/drive.file scope would be enough for your purposes and change it in the manifest manually
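
As an added example (not part of the original answer and not Google tooling), this Node.js script audits the `oauthScopes` list of an `appsscript.json` manifest for the broad Drive scope mentioned in the last bullet and reports the narrower alternatives named there. The `NARROWER` map, the `auditManifest` function and the sample manifest are constructed for illustration.

```javascript
// Added example. NARROWER holds only the alternatives named in the answer above;
// it is a constructed lookup, not an official Google list.
const DRIVE = 'https://www.googleapis.com/auth/drive';
const NARROWER = new Map([
  [DRIVE, [`${DRIVE}.readonly`, `${DRIVE}.file`]],
]);

// Returns a list of findings for an appsscript.json manifest given as text.
function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const scopes = manifest.oauthScopes;
  if (!Array.isArray(scopes)) {
    // Without oauthScopes, Apps Script determines the scopes automatically.
    return [{ kind: 'implicit', scope: null, suggest: [] }];
  }
  const findings = [];
  const seen = new Set();
  for (const scope of scopes) {
    if (seen.has(scope)) {
      findings.push({ kind: 'duplicate', scope, suggest: [] });
      continue;
    }
    seen.add(scope);
    if (NARROWER.has(scope)) {
      findings.push({ kind: 'broad', scope, suggest: NARROWER.get(scope) });
    }
  }
  // A narrower scope listed next to its broad parent adds nothing.
  for (const [broad, narrow] of NARROWER) {
    if (!seen.has(broad)) continue;
    for (const n of narrow) {
      if (seen.has(n)) findings.push({ kind: 'redundant', scope: n, suggest: [] });
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from the question).
const SAMPLE = JSON.stringify({
  timeZone: 'Etc/UTC',
  oauthScopes: [DRIVE, `${DRIVE}.file`,
    'https://www.googleapis.com/auth/spreadsheets.currentonly'],
});

for (const f of auditManifest(SAMPLE)) {
  console.log(f.kind, f.scope, f.suggest.join(' or '));
}
```

An `implicit` finding means the manifest leaves scope selection to Apps Script, so the requested scopes can change when the code changes.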