What is the role which allows to use GCP APIs (such as Drive, Sheets, etc)?

Question

I want to use Drive & Sheets API from Python3. I tried to create a service account in GCP console, but it said You already have credentials that are suitable for this purpose, without telling me what role of GCP makes it suitable.

Now I want to find and add the role to my favorite service account. I do not want to create a new one, nor use the already-suitable ones.

What is the name of the role which allows using Google APIs?

Answer 1

I think this is confusing and poorly explained in Google's documentation but IAM and OAuth scopes are mostly (now) complementary technologies. I consider IAM to refine or provide more granular, account|credential-specific scopes

Scopes came first and IAM came later.

IAM -- actually Cloud IAM -- applies only to Google Cloud Platform (GCP) services.

OAuth scopes exist for all Google's APIs (including those of GCP).

https://developers.google.com/identity/protocols/googlescopes

In your case, Drive and Sheets are part of G Suite and not included in Cloud IAM. There are thus no IAM roles for you to assign to your service account that apply to these services.

For GCP services, it is customary (though seemingly redundant) to use both IAM and scopes.

Often you'll see https://www.googleapis.com/auth/cloud-platform used as something of a catch-all|default scope.

UPDATE: In retrospect, I should add a qualifier to this, OAuth scopes are effectively redundant for service accounts. In the case of a human|user-based OAuth flow where the end-user is delegating authority, the scopes remain relevant as they summarize the permissions for the end-user to review before granting to the code.