I am hoping to authorise my Cloud Run app (NodeJS + Express + Axios) to be able to Read Google Forms Responses for a handful of Google Forms that I use. The Cloud Run App is to act as an API that collates and formats the responses from the Forms. I have everything working apart from the need to authorise the Cloud Run app using OAuth. In my tests I am able to achieve this using Insomnia, which presents me with the login screen to achieve OAuth, but in deployment this will not be an option because another App (Discord bot) will be accessing the API.
My question is, can I not authorise the Cloud Run App (via Service Account or IAM) to be allowed to access those forms (Read is all that is required) permanently?
I opted for GCP on the basis that the one element of this project that I could not change is the Google Forms used for collecting the responses – so, possibly naively, I thought GCP would be the easiest to handle permissions for Google Forms, since they’re in the same ecosystem.
I tried handling OAuth via the Express App, leveraging service accounts / tokens, but this cannot (as far as I could tell) authorise itself without the end-user needing to log in to an OAuth screen with a valid google account.
I tried accessing Forms API using other forms of authentication – it seems to be that the Forms API only works with OAuth.
I tried granting ‘Editor’ access to the Cloud Run service account for each of the forms.
- side note: in my trial-and-error approach I now have many service accounts – is there an easy way to find out which service account my Cloud Run app is actually ‘running as’?
I have created a workaround for now (which sucks) which is to use a Google Apps Script to pull the Google Forms data and return it (so now I have my first custom API (Cloud Run) performing a GET request on a second custom API (Apps Script)). This works, apart from the fact that the Apps Script needs to be manually authorised every 7 days (authorisation on a ‘testing’ apps script lasts for 7 days only). This solution is no good to me.
Note: I am not a workspace user – I am using Free Tier of GCP. This is a hobby project.
- The apps script and cloud run app are in the same GCP Project
- I have attempted to leverage service accounts, but cannot work out how they help in this situation (there appear to be no ‘permissions’ options relevant to google forms)
- My own research suggests that, in fact, what I’m doing cannot be done (if someone who knows GCP IAM / permissions really well can confirm this for me, then that would be a valid answer)