In this tutorial I will show you how to create a google drive application, authorize it to access your account, and query your google drive via the Drive API.
Configuring Your Project
To get started, let’s configure a new project in the google cloud console.
This tutorial assumes you already have a Google Cloud Platform account. If you don’t have one, I’d recommend setting one up now.
Begin creating a new project from the google cloud console: Google Cloud Platform
You can get to the console by going to console.cloud.google.com
Create New Project
Navigate to the Project drop down and create a new project.
Call it whatever you want. I’ll call mine
Drive API Tutorial.
Enabled Drive API
In order to use the Drive API from this project we first need to enable it.
From the project home screen, navigate to the APIs & Services section and choose the Library menu item.
Google Drive and click the
Create New External App
Now we need to configure an OAuth consent screen flow to allow users to authorize our application to query their google drive.
To do this, navigate back to the APIs & Services screen and choose the OAuth consent screen menu item.
If you are using a regular free gmail account, you will only be able to create an external app. If you are part of a business organization you can create an internal app.
Internal apps are easier to work with because they are only accessible to users within your organization and do not require the same verification process as external apps.
For this tutorial though I’m using a regular, free gmail account so we will make an external app.
Configure Permission Scopes
In the app creation dialogue, add two scopes to your application:
The former gives read access to metadata, while the latter gives our app more or less free read and write access within our account.
To read more about scopes and google’s recommendations for how to use them, see the docs linked in the docs here.
Save your new oauth consent screen configuration.
Just a heads up, we will not go through the application verification process in this tutorial.
Now let’s generate a set of credentials for our application.
For this project we will imagine that we are creating some kind of CLI tool to interact with our google drive. For that purpose, we will navigate to
Credentials in the menu and create a new credential of type
Download the credentials.
Authenticating & Providing Authorization
With our project properly configured, it’s time to test out some code.
Clone The Git Repo
I’ve created a git repository with some code we can use to query the Drive API. You can find a link to the repo in the docs here Clone it and cd into the project directory.
git clone firstname.lastname@example.org:jonathanmeier5/google-drive-api-authn-authz-python.git cd google-drive-api-authn-authz-python
If you use https for authentication, you’ll need to grab the appropriate HTTPS link.
I’ve already cloned the repo, so I’m just going to cd into the directory.
Next, install your packages and enter the pipenv virtual env. I don’t have a dockerfile for this project because it’s meant to be quite simple.
pipenv install pipenv shell
Copy Credentials into Project Directory
Copy your credentials file from your downloads directory into your project directory. For me, this meant running:
cp ~/Downloads/client_secret_396439599433-12k7l2u194o6v5p0i9paapa855t6p10d.apps.googleusercontent.com.json credentials.json
quickstart.py to execute your auth flow for the first time and list 10 drive files.
Because we have not authorized this app before we are sent through an oauth authorization flow. This is the screen that we configured earlier in our google cloud project.
We see this warning screen because our application is not verified. If we had created an internal organizational app we would not see this screen.
Give the app authorization to access your account.
When the program completes, you should see 10 files from your drive printed to the screen.
What does quickstart.py do?
Let’s walk through what our quickstart.py script actually does.
At a high level, the script will:
- Retrieve a locally stored refresh token or execute an oauth flow to generate one and store it locally
- Build a Google Drive Service object that we can use to query the API
- Print to the screen 10 files from the google drive account which we authorized access to
Picking these apart one at a time:
This function looks for a file named
token.json. If present, the script reads the file, confirms the credentials have not expired, and uses them to build a
Credential python object.
token.json is found, we execute an auth flow so the user can grant the permissions defined in the
SCOPES variable to your application.
Finally, we return the credentials object.
As before, you can find a list of different Google Drive authorization scopes in the Drive API documentation here
This builds a Service object. Since Google has a lot of APIs to maintain, they publish a REST API and then a discovery document for each API describing the schema of the API and what methods are allowed.
Their language-specific client libraries know how to read these discovery documents and support the functions they describe.
This is the reason why you won’t find any actual methods defined for their client libraries in dynamic languages like Python. They’re all handled on the fly.
The list files method takes a Google Drive service object and calls the
files/ endpoint as defined here in the docs Files: list | Google Drive API | Google Developers.
Notice that we are required to specify the list of fields we want the API to send back to us.
And that’s it. You now have a bit of code that will generate credentials via an oauth flow, store them, and use them to list out files in your drive.