Google: Service Account
Using service accounts is more complex than OAuth2. Before you begin:
- Check if your node is compatible with Service Account.
- Make sure you need to use Service Account. For most use cases, OAuth2 is a better option.
- Read the Google documentation on Creating and managing service accounts.
Prerequisites
- Create a Google Cloud account.
Set up Service Account
There are four steps to connecting your n8n credential to a Google Service Account:
1. Create a Google Cloud Console project.
2. Enable APIs.
3. Set up Google Cloud Service Account.
4. Finish your n8n credential.
Create a Google Cloud Console project
First, create a Google Cloud Console project. If you already have a project, jump to the next section:
- Log in to your Google Cloud Console using your Google credentials.
- In the top navigation, select the project dropdown and select New project, or go directly to the New Project page.
- Enter a Project name and select the Location for your project.
- Select Create.
- Check the top navigation and make sure the project dropdown has your project selected. If not, select the project you just created.
Enable APIs
With your project created, enable the APIs you'll need access to:
- Access your Google Cloud Console - Library. Make sure you're in the correct project.
- Go to APIs & Services > Library.
- Search for and select the API(s) you want to enable. For example, for the Gmail node, search for and enable the Gmail API.
- Some integrations require other APIs or require you to request access:
  - Google Perspective: Request API Access.
  - Google Ads: Get a Developer Token.
  Google Drive API required
  The following integrations require the Google Drive API, as well as their own API:
  - Google Docs
  - Google Sheets
  - Google Slides
  Google Vertex AI API
  In addition to the Vertex AI API you will also need to enable the Cloud Resource Manager API.
- Select ENABLE.
Set up Google Cloud Service Account
- Access your Google Cloud Console - Library. Make sure you're in the correct project.
1. Open the left navigation menu and go to APIs & Services > Credentials. Google takes you to your Credentials page.
2. Select + Create credentials > Service account.
3. Enter a name in Service account name and an ID in Service account ID. Refer to Creating a service account for more information.
4. Select Create and continue.
5. Based on your use case, you may want to Select a role and Grant users access to this service account using the corresponding sections.
6. Select Done.
7. Select your newly created service account under the Service Accounts section. Open the Keys tab.
8. Select Add key > Create new key.
9. In the modal that appears, select JSON, then select CREATE. Google saves the file to your computer.
Finish your n8n credential
With the Google project and credentials fully configured, finish the n8n credential:
- Open the downloaded JSON file.
- Copy the client_email and enter it in your n8n credential as the Service Account Email.
- Copy the private_key. Don't include the surrounding " marks. Enter this as the Private Key in your n8n credential.
  Older versions of n8n
- Optional: Choose if you want to Impersonate a User (turned on).
  - To use this option, you must enable domain-wide delegation for the service account as a Google Workspace super admin.
  - Enter the Email of the user you want to impersonate.
- If you plan to use this credential with the HTTP Request node, turn on Set up for use in HTTP Request node.
  - With this setting turned on, you'll need to add scopes for the node. n8n prefills some scopes. Refer to OAuth 2.0 Scopes for Google APIs for more information.
- Save your credentials.
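The downloaded JSON key is a long-lived secret, and copying private_key out of the raw file text by hand can carry over the JSON `\n` escapes instead of real line breaks. The following is an added example, not part of n8n or of the original page: it reads the key file with a JSON parser, checks it, and returns the two values the steps above ask for. The function names and the sample key (placeholder text, not a real key) are assumptions of this example.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "client_email", "private_key", "private_key_id")
PEM_HEAD = "-----BEGIN PRIVATE KEY-----"
PEM_TAIL = "-----END PRIVATE KEY-----"


def inspect_key_file(path):
    """Return (fields_for_n8n, findings) for a downloaded service account key."""
    findings = []
    # The key is a long-lived secret: flag files readable by group or others.
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("key file is readable by group/others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)  # decodes the \n escapes inside private_key
    missing = [k for k in REQUIRED if not data.get(k)]
    if missing:
        raise ValueError(f"not a service account key, missing: {missing}")
    if data["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {data['type']!r}")
    key = data["private_key"].strip()
    if not (key.startswith(PEM_HEAD) and key.endswith(PEM_TAIL)):
        findings.append("private_key is not a PKCS#8 PEM block")
    if "\\n" in key:
        findings.append("private_key holds literal \\n text instead of newlines")
    fields = {"Service Account Email": data["client_email"], "Private Key": key}
    return fields, findings


def demo():
    # Constructed sample: the key body is placeholder text, not a real key.
    sample = {
        "type": "service_account",
        "private_key_id": "0000placeholder",
        "private_key": f"{PEM_HEAD}\nPLACEHOLDERBASE64\n{PEM_TAIL}\n",
        "client_email": "n8n-demo@example-project.iam.gserviceaccount.com",
    }
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    os.chmod(fh.name, 0o644)  # simulate a browser download with default mode
    try:
        return inspect_key_file(fh.name)
    finally:
        os.remove(fh.name)


if __name__ == "__main__":
    fields, findings = demo()
    print(fields["Service Account Email"], findings)  # never print the key
```

Once the credential is saved in n8n, delete the downloaded file or move it into a secrets store rather than leaving it in a downloads folder.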
Troubleshooting
Service Account can't access Google Drive files
No access to My Drive
Google no longer allows Service Accounts created after April 15, 2025 to access My Drive. Service Accounts now only have access to shared drives.
While not recommended, if you need to use a Service Account to access My Drive, you can do so by enabling domain-wide delegation. You can learn more in this post in the community.
A Service Account can't access Google Drive files and folders that weren't shared with its associated user email.
1. Access your Google Cloud Console and copy your Service Account email.
2. Access your Google Drive and go to the designated file or folder.
3. Right-click on the file or folder and select Share.
4. Paste your Service Account email into Add People and groups.
5. Select Editor for read-write access or Viewer for read-only access.
Enable domain-wide delegation
To impersonate a user with a service account, you must enable domain-wide delegation for the service account.
Not recommended
Google recommends you avoid using domain-wide delegation, as it allows impersonation of any user (including super admins) and can pose a security risk.
To delegate domain-wide authority to a service account, you must be a super administrator for the Google Workspace domain. Then:
1. From your Google Workspace domain's Admin console, select the hamburger menu, then select Security > Access and data control > API Controls.
2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
3. Select Add new.
4. In the Client ID field, enter the service account's Client ID. To get the Client ID:
   - Open your Google Cloud Console project, then open the Service Accounts page.
   - Copy the OAuth 2 Client ID and use this as the Client ID for the Domain Wide Delegation.
5. In the OAuth scopes field, enter a comma-separated list of scopes to grant your application access. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
6. Select Authorize.
It can take from 5 minutes up to 24 hours before you can impersonate all users in your Workspace.
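Because a delegated service account can act as any user in the domain, the scope list entered in step 5 is the main limit on what a leaked key can reach. The following is an added example, not part of n8n or Google tooling: it parses the comma-separated OAuth scopes field and flags full-access scopes before they are authorized. The function name and the choice of narrower alternatives are assumptions of this example; which narrower scope fits depends on the workflow.

```python
from urllib.parse import urlparse

# Full-access scopes mapped to narrower Google scopes to consider first.
# Which narrower scope fits depends on the workflow (assumption of this example).
BROAD = {
    "https://www.googleapis.com/auth/drive": [
        "https://www.googleapis.com/auth/drive.readonly",
        "https://www.googleapis.com/auth/drive.file",
    ],
    "https://www.googleapis.com/auth/calendar": [
        "https://www.googleapis.com/auth/calendar.readonly",
        "https://www.googleapis.com/auth/calendar.events",
    ],
}


def audit_scopes(field):
    """Parse the comma-separated OAuth scopes field; return (scopes, findings)."""
    scopes, findings = [], []
    for raw in field.split(","):
        scope = raw.strip()
        if not scope:
            continue  # tolerate trailing commas and doubled separators
        if scope in scopes:
            findings.append(f"duplicate: {scope}")
            continue
        url = urlparse(scope)
        if url.scheme != "https" or not url.netloc:
            findings.append(f"not a scope URL: {scope}")
            continue
        scopes.append(scope)
        if scope in BROAD:
            options = " or ".join(BROAD[scope])
            findings.append(f"full access: {scope}; consider {options}")
    return scopes, findings


# The example value from step 5 above.
PAGE_EXAMPLE = (
    "https://www.googleapis.com/auth/drive, "
    "https://www.googleapis.com/auth/calendar"
)

if __name__ == "__main__":
    for finding in audit_scopes(PAGE_EXAMPLE)[1]:
        print(finding)
```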