[Security] Automated Secure B2B File Transfer: Google Drive API & Service Account Implementation Guide
The Hidden Security Risks of File Sharing via Personal Accounts
In B2B business, sharing confidential files such as estimates, NDAs (Non-Disclosure Agreements), and design documents with external partners is a daily occurrence. However, many organizations still rely on the practice of "manually creating folders from individual employees' Google accounts and inviting external members via their email addresses on a case-by-case basis."
This operational method harbors significant governance risks, including:
- Failure to Revoke Access: Sharing settings often remain active even after a transaction ends or the person in charge leaves the company, leading to potential data leaks.
- Incorrect Permission Settings: Files that should be shared with read-only permissions (Viewer) are mistakenly shared with edit permissions (Editor) or made accessible to anyone with the link.
- Lack of Audit Logs: It becomes impossible to track who exported or downloaded which files, resulting in critical non-compliance issues during information security audits such as ISMS (ISO27001).
To resolve these issues, it is essential to implement a scheme that completely automates (Touchless) the creation of folders and the granting/revocation of access permissions in the background. This should be done using a Google Cloud Service Account (a dedicated ID for programs) rather than personal accounts.
2. Before & After: Resolving Operational Bottlenecks
| Item | Manual Folder Sharing (Before) | Service Account + API Management (After) |
|---|---|---|
| Creating Shares | Manual operation via the "Share" button (prone to human error) | Appropriate access levels are granted instantly by the program |
| Access Expiry | Frequently forgotten and left exposed externally | Permissions are automatically revoked after a specified period (e.g., project end date) |
| Ownership | Files remain in the personal drives of former employees | Managed by the company's organizational account (Shared Drive), eliminating the need for recovery |
| Audit Trails | Untraceable file sharing history | Full auditability of "When, Who, and with What Permissions" via API logs |
3. Implementation Example: Automated Creation and Invitation for Time-Limited Shared Folders
Below is an implementation example using Google APIs (TypeScript) to automatically generate a folder with "Viewer" permissions for a specific partner's email address using a service account.
import { google } from "googleapis";
// Setting up authentication using a service account
const SCOPES = ["https://www.googleapis.com/auth/drive"];
const auth = new google.auth.GoogleAuth({
credentials: {
client_email: process.env.GOOGLE_CLIENT_EMAIL,
private_key: process.env.GOOGLE_PRIVATE_KEY?.replace(/\\n/g, "\n"),
},
scopes: SCOPES,
});
const drive = google.drive({ version: "v3", auth });
export async function createSecurePartnerFolder(partnerEmail: string, projectName: string) {
try {
// 1. Create a new folder under a shared drive or specified parent folder
const fileMetadata = {
name: `[HadayaLab Shared] ${projectName}`,
mimeType: "application/vnd.google-apps.folder",
parents: [process.env.SHARED_ROOT_FOLDER_ID!],
};
const folderResponse = await drive.files.create({
requestBody: fileMetadata,
fields: "id, webViewLink",
});
const folderId = folderResponse.data.id!;
console.log(`Folder created: ${folderId}`);
// 2. Grant "Reader" access to the partner's email address
await drive.permissions.create({
fileId: folderId,
requestBody: {
role: "reader",
type: "user",
emailAddress: partnerEmail,
},
fields: "id",
});
console.log(`Permission granted to: ${partnerEmail}`);
return {
folderId,
link: folderResponse.data.webViewLink,
};
} catch (error) {
console.error("Secure B2B file transfer failed:", error);
throw error;
}
}
4. HadayaLab's Secure B2B Data Integration Package
At HadayaLab, we assist in building automated file integration systems with external partners while maintaining compliance with international security standards such as ISMS/ISO27001 and SOC2.
- Automated Folder & Access Control: Automatically generate Google Drive folders and revoke permissions based on changes in transaction status (e.g., contract execution, termination).
- Malware & Integrity Verification for Uploaded Files: AI automatically detects files uploaded to shared folders and determines if there is any data corruption.
- Tamper-Proof File Submission Pipeline: Back up submission records as read-only audit data that cannot be modified.
If your organization is experiencing the limits of manual permission management due to frequent file exchanges with external partners, or if you need a secure data sharing infrastructure capable of passing stringent security audits, please consult HadayaLab for secure file integration design.