Google Workspace2026-06-28

[Security] Automated Secure B2B File Transfer: Google Drive API & Service Account Implementation Guide


The Hidden Security Risks of File Sharing via Personal Accounts

In B2B business, sharing confidential files such as estimates, NDAs (Non-Disclosure Agreements), and design documents with external partners is a daily occurrence. However, many organizations still rely on the practice of "manually creating folders from individual employees' Google accounts and inviting external members via their email addresses on a case-by-case basis."

This operational method harbors significant governance risks, including:

  1. Failure to Revoke Access: Sharing settings often remain active even after a transaction ends or the person in charge leaves the company, leading to potential data leaks.
  2. Incorrect Permission Settings: Files that should be shared with read-only permissions (Viewer) are mistakenly shared with edit permissions (Editor) or made accessible to anyone with the link.
  3. Lack of Audit Logs: It becomes impossible to track who exported or downloaded which files, resulting in critical non-compliance issues during information security audits such as ISMS (ISO27001).

To resolve these issues, it is essential to implement a scheme that completely automates (Touchless) the creation of folders and the granting/revocation of access permissions in the background. This should be done using a Google Cloud Service Account (a dedicated ID for programs) rather than personal accounts.


2. Before & After: Resolving Operational Bottlenecks

Item Manual Folder Sharing (Before) Service Account + API Management (After)
Creating Shares Manual operation via the "Share" button (prone to human error) Appropriate access levels are granted instantly by the program
Access Expiry Frequently forgotten and left exposed externally Permissions are automatically revoked after a specified period (e.g., project end date)
Ownership Files remain in the personal drives of former employees Managed by the company's organizational account (Shared Drive), eliminating the need for recovery
Audit Trails Untraceable file sharing history Full auditability of "When, Who, and with What Permissions" via API logs

3. Implementation Example: Automated Creation and Invitation for Time-Limited Shared Folders

Below is an implementation example using Google APIs (TypeScript) to automatically generate a folder with "Viewer" permissions for a specific partner's email address using a service account.

import { google } from "googleapis";

// Setting up authentication using a service account
const SCOPES = ["https://www.googleapis.com/auth/drive"];
const auth = new google.auth.GoogleAuth({
  credentials: {
    client_email: process.env.GOOGLE_CLIENT_EMAIL,
    private_key: process.env.GOOGLE_PRIVATE_KEY?.replace(/\\n/g, "\n"),
  },
  scopes: SCOPES,
});

const drive = google.drive({ version: "v3", auth });

export async function createSecurePartnerFolder(partnerEmail: string, projectName: string) {
  try {
    // 1. Create a new folder under a shared drive or specified parent folder
    const fileMetadata = {
      name: `[HadayaLab Shared] ${projectName}`,
      mimeType: "application/vnd.google-apps.folder",
      parents: [process.env.SHARED_ROOT_FOLDER_ID!],
    };

    const folderResponse = await drive.files.create({
      requestBody: fileMetadata,
      fields: "id, webViewLink",
    });

    const folderId = folderResponse.data.id!;
    console.log(`Folder created: ${folderId}`);

    // 2. Grant "Reader" access to the partner's email address
    await drive.permissions.create({
      fileId: folderId,
      requestBody: {
        role: "reader",
        type: "user",
        emailAddress: partnerEmail,
      },
      fields: "id",
    });

    console.log(`Permission granted to: ${partnerEmail}`);
    return {
      folderId,
      link: folderResponse.data.webViewLink,
    };
  } catch (error) {
    console.error("Secure B2B file transfer failed:", error);
    throw error;
  }
}

4. HadayaLab's Secure B2B Data Integration Package

At HadayaLab, we assist in building automated file integration systems with external partners while maintaining compliance with international security standards such as ISMS/ISO27001 and SOC2.

  • Automated Folder & Access Control: Automatically generate Google Drive folders and revoke permissions based on changes in transaction status (e.g., contract execution, termination).
  • Malware & Integrity Verification for Uploaded Files: AI automatically detects files uploaded to shared folders and determines if there is any data corruption.
  • Tamper-Proof File Submission Pipeline: Back up submission records as read-only audit data that cannot be modified.

If your organization is experiencing the limits of manual permission management due to frequent file exchanges with external partners, or if you need a secure data sharing infrastructure capable of passing stringent security audits, please consult HadayaLab for secure file integration design.

Get Your Free Workflow Audit