Introduction

To read the contents of your Google Docs, Cloudpress requires you to give us access to your account. The request for these permissions happens when you install the Google Docs Add-on or connect a Google Drive account.

In this document, we’ll look at the following:

  1. The permissions required by Cloudpress and the reason we require those permissions
  2. General guidance on how we manage access tokens
  3. Reviewing the permissions
  4. Revoking the permissions
  5. Mitigating steps you can take

Required permissions

The list of permissions requested is slightly different when installing the Google Docs Add-on vs connecting a Google Drive account in Cloudpress. You can review each of these separately below.

As a summary, you can find the permissions we require listed in the table below, along with the Google Scope tied to that permission. The table also indicates whether the permission is required by the Cloudpress Google Docs Add-on and the Google Drive Connection. Below each permission is a brief description of why we require that permission.

Permission | Scope | Google Docs add-on | Google Drive Connection

See, edit, create and delete only the specific Google Drive files that you use with this app. | ../auth/drive.file | Yes | Yes

This gives us access to the content of the specific documents you select via the Google Drive picker inside the Cloudpress application or by opening the Cloudpress Google Docs add-on in a specific document.

View and manage documents this application has been installed in | ../auth/documents.currentonly | Yes | No

The Google Docs Add-on requires this permission to launch itself in the active document. Without this permission, our Google Docs Add-on cannot be loaded in the sidebar of the active document.

See all your Google documents | ../auth/documents.readonly | Yes | Yes

This permission gives us read-only access to your documents so we can read the content of the documents.

See, edit, create, and delete all your Google Sheets spreadsheets | ../auth/spreadsheets | No | Yes

This permission gives us access to read and update any of your Google Sheets.

Connect to an external service | ../auth/script.external_request | Yes | No

The Cloudpress Google Docs Add-on requires this permission as it allows the Add-on to make HTTP calls to the Cloudpress backend to display the list of connections, queue the document for export, and query the export status of a document.

We do not have access to any documents you do not explicitly give us access to either by selecting the document with the Google Drive picker inside the Cloudpress application or by opening the Cloudpress Google Docs Add-on in the document.

Our use of access tokens

When you give Cloudpress permission to access your account, Google issues Cloudpress with an access token, allowing us to communicate with the Google Docs APIs to read the document contents. You can think of these access tokens as a security key that gives us access to the specific piece(s) of information you told Google to give us access to.

Usage in the Cloudpress Google Docs Add-on

When using the Cloudpress Google Docs Add-on, we (Cloudpress) never have access to the access token. Google handles the authentication and passing of access tokens transparently when calling the Google Docs APIs. Since we never have access to the access token in the first place, we can’t access your document contents once you close the Cloudpress Google Docs Add-on.

Usage in a Google Drive Connection

When you create a Google Drive connection in the Cloudpress application, we obtain an access token (valid for 60 minutes) as well as a refresh token. Both of these are stored in a secure, encrypted fashion in our infrastructure using an encryption key that only our application has access to.

Every time you open the Google Drive picker, Cloudpress generates a short-lived access token, allowing you to select the documents you want to export. Once you select the documents to export, we use the access token to call the Google Docs APIs to download the document content.

Viewing and removing Cloudpress permissions

You can view Cloudpress’s permissions to your account by going to your Google Account page at https://myaccount.google.com/. From there, navigate to the Security section in the sidebar.

Scroll down to the section labelled “Your connections to third-party apps & services” and click on See all connections.

Click on Cloudpress.

You will see a screen similar to the one below.

Click on See details to review all permissions Cloudpress has to your account.

To remove our access to your account, click the Remove all access button and complete the confirmation steps.
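The same review can be scripted. The following is an added example, not Cloudpress's own code: it compares the scopes on a grant with the table on this page and reports any that are undocumented, not granted, or account-wide. It assumes the input is a Google Workspace Admin SDK `tokens.list` response body; the sample response, its client IDs and the `Cloudpress` display name are constructed for illustration.

```python
import json

# Scope suffix -> (breadth, integrations the table on this page lists it for).
DOCUMENTED = {
    "drive.file":              ("per-file",     {"addon", "drive"}),
    "documents.currentonly":   ("per-file",     {"addon"}),
    "documents.readonly":      ("account-wide", {"addon", "drive"}),
    "spreadsheets":            ("account-wide", {"drive"}),
    "script.external_request": ("network",      {"addon"}),
}

def short(scope):
    """Reduce a full scope URL to the part after '/auth/', as the page writes it."""
    return scope.rsplit("/auth/", 1)[-1]

def audit(granted, integration):
    """Compare granted scopes with those documented for 'addon' or 'drive'."""
    have = {short(s) for s in granted}
    expected = {s for s, (_, where) in DOCUMENTED.items() if integration in where}
    wide = sorted(s for s in have
                  if s in DOCUMENTED and DOCUMENTED[s][0] == "account-wide")
    return {
        "undocumented": sorted(have - expected),   # granted, but not in the table
        "not_granted": sorted(expected - have),    # in the table, but absent
        "account_wide": wide,                      # not limited to selected files
    }

def audit_token_list(response_json, display_text, integration):
    """Audit every grant in a tokens.list body whose displayText matches."""
    items = json.loads(response_json).get("items", [])
    return [audit(item.get("scopes", []), integration)
            for item in items if item.get("displayText") == display_text]

# Constructed sample in the shape of a tokens.list response; all values invented.
SAMPLE = json.dumps({"items": [
    {"displayText": "Cloudpress",
     "clientId": "example-client-id.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file",
                "https://www.googleapis.com/auth/documents.readonly",
                "https://www.googleapis.com/auth/spreadsheets",
                "https://www.googleapis.com/auth/drive"]},
    {"displayText": "Other app", "clientId": "other.example", "scopes": ["openid"]},
]})

if __name__ == "__main__":
    for finding in audit_token_list(SAMPLE, "Cloudpress", "drive"):
        print(json.dumps(finding, indent=2))
```

A non-empty `undocumented` list means the grant carries a scope this page does not list for that integration, which is the case to investigate before leaving the grant in place.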

Mitigating steps

As indicated previously, we do not have access to any documents you do not explicitly give us access to. However, we understand that, in some cases, you may still feel uncomfortable that Cloudpress may have access to your documents on Google Drive. In situations like these, we suggest the following alternatives.

Use the Cloudpress Google Docs Add-on

If your concern is about us using the access token for unauthorized access to your account, we suggest using the Cloudpress Google Docs Add-on rather than the Export Content page. As stated above, when you use the Add-on, we never even have access to the access token in the first place since Google handles it transparently on our behalf. Therefore, we cannot access your account outside of the period that you use the Cloudpress Google Docs Add-on.

Create a dedicated, locked-down account

You can create a separate, dedicated Google account for use by Cloudpress. You can lock that account down by only giving it access to the documents you want to export using Cloudpress. You can do this by either sharing the relevant documents with that account on a per-document basis or storing all the documents in a specific folder on your Google Drive and then sharing that folder with this account.

Use Zapier or Make to create an automation

You may already use Zapier or Make to automate some of your processes and trust them more with access to your Google account than an unknown player like Cloudpress. If either of these already has access to your Google accounts, you may consider creating an automated workflow with Zapier or Make to export your content.

We are working on proper tutorials for these, but in the meantime, you can look at the following blog post.