How to Collaborate JWT Service Account
Hello! Following the advice from this thread that I asked a few weeks ago, I was able to get my app approved for the Box environment; however, we are now undergoing the process for adding the service account as a collaborator to the folders that the JWT service account will need access to.
I feel as if I'm missing some information, since I'm not too aware of how to physically add the "service" account once it was authorized. In fact, I'm not really understanding how to find the service account at all. Using the JWT auth, I am doing this:
```python
from boxsdk import JWTAuth
from boxsdk import Client
import config

auth = JWTAuth(
    client_id=config.client_id,
    client_secret=config.client_secret,
    enterprise_id=config.enterprise_id,
    jwt_key_id=config.public_key_id,
    rsa_private_key_data=config.private_key,
    rsa_private_key_passphrase=config.passphrase
)
access_token = auth.authenticate_instance()
client = Client(auth)
# print(client.file(file_id='***number removed for privacy***9').get()['name'])
```
This code will run successfully; however, if you uncomment the print() statement (and place the correct file_id) it fails immediately from a 404 error. My guess is that it cannot open the already-created files since it was not added as collaborator, so it cannot see them. Do I need to create a new user with the JWT app, then add that new user as a collaborator? Then enforce the JWT app to use that newly created user as its main connection into Box?
Or, is there a simpler method? I currently have the "Application" scope selected with only Read/Write on all files & folders. I would have to additionally add "Manage Users" if I wanted to go the route of having to create a new user.
End Goal: Have the service account programmatically create sub-folders (in specific primary folders we give it access to) and upload word documents.
-
Hi, great question!
Let's get the quick stuff out of the way - to find info on your service account, you can use the "Get Current User" method:
https://github.com/box/box-python-sdk/blob/master/docs/usage/user.md#get-the-current-users-information

```python
current_user = client.user().get()
```
This will give you back the standard set of user information like "login" and "user id".
Giving access to your service account and content sounds like the part you're getting hung up on, and that's ok! I'm a visual learner, and working through permissions hierarchies was weird for me at first too.
You don't need to create alternate box accounts or app users and collaborate them into each individual file. The most common way to achieve your desired end result is to invite the service account as a collaborator to the top-level folder, where the service account would then have access to the child folders. Since your app is rather restricted via its scopes, it won't be able to add itself to your select primary folders, so the easier way to do it is to invite the "login" of the service account as a collaborator to the primary folder via the UI on Box.com. If you used your own admin account, that would do the trick.
For next steps, try this:
- Get the login/user ID fields for your service account
- In the UI, add the "login" for your service account as a collaborator to your primary folder (you said there's only a few, correct? If so this should be OK to do manually as a one-time operation. If you anticipate needing to access more primary folders on a programmatic basis, you might have to open up your scopes a bit).
- Once your service account is a collaborator, you can then create your folder structure and upload a file / interact with that file.
I hope that helps - please let me know how it goes!
Thanks,
Jason
-
Thank you! Following your advice, I was able to confirm that I was authenticated as the service account user; however, in our environment, we add collaborators by email (searching by my app's name didn't work). After working with my Box admin a bit, he gave me just enough permissions to add an email alias to the App so that we could add it as an editor to specific folders. He revoked those permissions, and now I'm achieving my end goal of adding the box app as a collaborator to folders I have access to.
Thanks for your help!
-
Just like you described here: 'The most common way to achieve your desired end result is to invite the service account as a collaborator to the top-level folder, where the service account would then have access to the child folders.'
I also saw the answer of in this question: JWT access folders and files
He said there are two ways: 'The simplest way to gain access to a folder owned by another user is to either collaborate (share) that folder with the service account, or to explicitly authenticate as that user with the As-User header.'
What I want is for this service account to be able to access the content of this folder, of which my Box account is co-owner. I decided to first try sharing the folder with the service account. What I found in the UI is that I could share the folder by adding an email address. But for the service account I only know the user_id, not the email address. Could you tell me in more detail how I could share a folder with a service account? Thanks!
-
We'd advise using the actual API to add the user as a collaborator to the folder. But if you want you can use this API to get the current user's email https://developer.box.com/reference/get-users-me/
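
The steps from the answers above (look up the service account's login, share the primary folder with it, then create a sub-folder and upload), as an added example that is not part of the original thread or Box's own code. `sa_client` and `owner_client` are assumed to be boxsdk `Client` objects for the service account and for a user who owns or co-owns the folder; the helper names are hypothetical.

```python
import io

def service_account_identity(sa_client):
    """Return (user_id, login) for the account the JWT client runs as."""
    me = sa_client.user().get()  # no user_id given: Box "Get Current User"
    return me.id, me.login

def can_see_folder(sa_client, folder_id):
    """True if the service account can read the folder, False on a 404."""
    try:
        sa_client.folder(folder_id=folder_id).get()
        return True
    except Exception as exc:  # boxsdk raises BoxAPIException, which has .status
        if getattr(exc, "status", None) == 404:
            return False  # not a collaborator yet, or no such folder
        raise

def share_with_service_account(owner_client, folder_id, sa_login, role):
    """Invite the service account by login unless it already collaborates.

    role: boxsdk's CollaborationRole.EDITOR matches the "editor" access
    mentioned in the thread.
    """
    folder = owner_client.folder(folder_id=folder_id)
    for collab in folder.get_collaborations():
        who = collab.accessible_by  # may be None for a pending e-mail invite
        if who is not None and getattr(who, "login", None) == sa_login:
            return collab  # already shared: avoid a duplicate invitation
    return folder.collaborate_with_login(sa_login, role)

def onboard(sa_client, owner_client, folder_id, role):
    """Share only if needed, then report whether access now works."""
    sa_id, sa_login = service_account_identity(sa_client)
    if not can_see_folder(sa_client, folder_id):
        share_with_service_account(owner_client, folder_id, sa_login, role)
    return sa_id, sa_login, can_see_folder(sa_client, folder_id)

def create_subfolder_and_upload(sa_client, folder_id, subfolder, file_name, data):
    """As the service account: create a sub-folder and upload bytes to it."""
    parent = sa_client.folder(folder_id=folder_id)
    child = parent.create_subfolder(subfolder)
    return child.upload_stream(io.BytesIO(data), file_name)
```

Pass the `Client(auth)` from the question's snippet as `sa_client`; `owner_client` needs a token for a user who can invite collaborators on the folder, which the scope-restricted service account cannot do for itself.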