Security and permissions required for Google Docs
Learn about the permissions Cloudpress requires to your Google Account as well as other related security issues when using Google accounts in Cloudpress
Introduction
To read the contents of your Google Docs, Cloudpress requires you to permit us to access your account. The request for these permissions happens when you install the Cloudpress Google Docs Add-on or export a Google Doc from the Export Content page.
In this document, we’ll look at the following:
- The permissions required by Cloudpress and the reason we require those permissions
- General guidance on how we manage access tokens
- Reviewing the permissions
- Revoking the permissions
- Mitigating steps you can take
Required permissions
Cloudpress requires the permissions listed in the image below.
Let’s look at each of these in more detail.
- View and manage documents this application has been installed in. The Cloudpress Google Docs Add-on requires this permission to launch itself in the active document. Without this permission, our Google Docs Add-on cannot be loaded in the sidebar of the active document.
- See all your Google documents. This permission gives us read-only access to your documents so we can read the content of the documents. We only have access to the specific documents you give us access to as per the permission below.
- See, edit, create and delete only the specific Google Drive files that you use with this app. This gives us access to the content of the specific documents you select via the Google Drive picker on the Export Content page or by opening the Cloudpress Google Docs add-on in a specific document.
- Connect to an external service. The Cloudpress Google Docs Add-on requires this permission as it allows the Add-on to make HTTP calls to the Cloudpress backend to display the list of connections, queue the document for export, and query the export status of a document.
We have had questions about permission 2 and 3 above, as they appear similar. Cloudpress requires both these permissions to access the documents on your Google Drive and read the contents of the documents.
We do not have access to any documents you do not explicitly give us access to either by selecting the document with the Google Drive picker on the Export Content page or by opening the Cloudpress Google Docs Add-on in the document.
As a summary, you can find the permissions we require listed in the table below, along with the Google Scope tied to that permission. The table also indicates whether the Cloudpress Google Docs Add-on and the Export Content page require that permission.
| Permission | Scope | Google Docs Add-on | Export Content page |
|---|---|---|---|
| View and manage documents this application has been installed in | https://www.googleapis.com/auth/documents.currentonly | Yes | No |
| See all your Google documents | https://www.googleapis.com/auth/documents.readonly | Yes | Yes |
| See, edit, create and delete only the specific Google Drive files that you use with this app. | https://www.googleapis.com/auth/drive.file | Yes | Yes |
| Connect to an external service | https://www.googleapis.com/auth/script.external_request | Yes | No |
Our use of access tokens
When you give Cloudpress permission to access your account, Google issues Cloudpress with an access token, allowing us to communicate with the Google Docs APIs to read the document contents. You can think of these access tokens as a security key that gives us access to the specific piece(s) of information you told Google to give us access to.
Usage in the Cloudpress Google Docs Add-on
When using the Cloudpress Google Docs Add-on, we (Cloudpress) never have access to the access token. Google handles the authentication and passing of access tokens transparently when calling the Google Docs APIs. Since we never have access to the access token in the first place, we can’t access your document contents once you close the Cloudpress Google Docs Add-on.
Usage in the Export Content page
When using the Export Content page, we obtain a short-lived access token (valid for 60 minutes) each time you click on the “Select Documents…” button on that page. This access token is stored in the browser memory and not in any browser storage (i.e. cookies, local storage, session storage, etc.). The access token is also never sent to the Cloudpress servers.
The token is used by the Google Drive picker on that page, allowing you to select the documents you want to export. Once you select the documents to export, we use the access token (from inside your browser) to call the Google Docs APIs to download the document content. We then sent only the document contents to the Cloudpress servers. Once the document is exported, this document content is also deleted from our servers.
Also, remember that the access token we obtain is only valid for 60 minutes, so it is impossible to access your account for an extended period with this access token.
Viewing and removing Cloudpress permissions
You can view Cloudpress’s permissions to your account by going to your Google Account page at https://myaccount.google.com/. From there, navigate to the Security section in the sidebar.
Scroll down to the section labelled “Your connections to third-party apps & services” and click on See all connections.
Click on Cloudpress.
You will see a screen similar to the one below.
Click on See details to review all permission Cloudpress has to your account.
To remove our access to your account, click the Remove access button and complete the confirmation steps.
Mitigating steps
As indicated previously, we do not have access to any documents you do not explicitly give us access to. However, we understand that, in some cases, you may still feel uncomfortable that Cloudpress may have access to your documents on Google Drive. In situations like these, we suggest the following alternatives.
Use the Cloudpress Google Docs Add-on
If your concern is about us using the access token for unauthorized access to your account, we suggest using the Cloudpress Google Docs Add-on rather than the Export Content page. As stated above, when you use the Add-on, we never even have access to the access token in the first place since Google handles it transparently on our behalf. Therefore, we cannot access your account outside of the period that you use the Cloudpress Google Docs Add-on.
Create a dedicated, locked-down account
You can create a separate, dedicated Google account for use by Cloudpress. You can lock that account down by only giving it access to the documents you want to export using Cloudpress. You can do this by either sharing the relevant documents with that account on a per-document basis or storing all the documents in a specific folder on your Google Drive and then sharing that folder with this account.
Use Zapier or Make to create an automation
You may already use Zapier or Make to automate some of your processes and trust them more with access to your Google account than an unknown player like Cloudpress. If either of these already has access to your Google accounts, you may consider creating an automated workflow with Zapier or Make to export your content.
We are working on proper tutorials for these, but in the meantime, you can look at the following blog post.