Google Cloud Project Setup & Enable Google Drive API

Overview

This tutorial covers how to set up a Google Cloud project to upload files from a local Node.js script to Google Drive using OAuth 2.0. This is the recommended approach when:

  • You are uploading to personal Google Drive folders (not Shared Drives)
  • Your Google Cloud organization blocks service account key creation
  • You want to authenticate as yourself rather than a service account

Why OAuth 2.0 instead of Service Accounts?

Service accounts cannot upload to personal Drive folders because they have no storage quota. Even if you share a folder with a service account, uploading will fail with:

Service Accounts do not have storage quota. Leverage shared drives, or use OAuth delegation instead.

OAuth 2.0 authenticates as your real Google account, which owns the Drive folders and has quota.


Step 1: Create a Google Cloud Project

  1. Go to Google Cloud Console
  2. Click the project dropdown in the top navigation bar
  3. Click New Project
  4. Enter a project name (e.g., my-drive-upload)
  5. Make sure the correct Organization is selected (if applicable)
  6. Click Create
  7. Select the new project from the dropdown

Step 2: Enable the Google Drive API

  1. Go to Drive API Library
  2. Make sure your new project is selected in the top dropdown
  3. Click Enable

Step 3: Configure the OAuth Consent Screen

Before creating OAuth credentials, you must configure the consent screen:

  1. Go to OAuth Consent Screen
  2. Choose the user type:
    • Internal — if you are within a Google Workspace organization (recommended)
    • External — if you don't have a Workspace org
  3. Click Create
  4. Fill in the required fields:
    • App name: e.g., drive-uploader
    • User support email: your email
    • Developer contact email: your email
  5. Click Save and Continue through the remaining steps (Scopes, Test Users) — no changes needed
  6. Click Back to Dashboard

Step 4: Create OAuth Client ID (Desktop App)

  1. Go to Credentials
  2. Click + Create Credentials → OAuth client ID
  3. Application type: Desktop app
  4. Name: e.g., drive-uploader
  5. Click Create
  6. Click Download JSON — a file named client_secret_*.json downloads
  7. Save this file in your project as credentials/gdrive-oauth.json

    mv ~/Downloads/client_secret_*.json your-project/credentials/gdrive-oauth.json

Important: Add credentials/ to your .gitignore — never commit this file.


Troubleshooting: Organization Policy Blocks Service Account Keys

If you initially tried the service account approach and saw this error:

Service account key creation is disabled — An Organization Policy that blocks service accounts key creation has been enforced on your organization.

Here is how to resolve it (as an organization admin):

Disable the Organization Policy

  1. Go to Organization Policies:

    https://console.cloud.google.com/iam-admin/orgpolicies/iam.disableServiceAccountKeyCreation?organizationId=YOUR_ORG_ID
    

    Replace YOUR_ORG_ID with your organization ID (visible in the URL bar when viewing org settings).

  2. Click Manage Policy

  3. If you see a permissions error asking for the Organization Policy Administrator role:

    • Go to IAM at the organization level
    • Find your account and click the Edit (pencil) icon
    • Click + Add Another Role
    • Search for Organization Policy Administrator and add it
    • Click Save
    • Go back to the Organization Policies page
  4. Click Manage Policy again

  5. Under Policy source, select Override parent's policy

  6. Under Rules, if there is an existing rule set to Enforced:

    • Click the trash icon to delete it
  7. Click Add a rule → set Enforcement to Off → click Done

  8. Click Set policy

  9. The status should now show Not enforced

After downloading your service account key, you can re-enforce this policy — existing keys will continue to work.

Note: Even after enabling service account keys, they still won't work for uploading to personal Drive folders due to the storage quota limitation. The OAuth 2.0 approach described in this tutorial is the correct solution.


What's Next

In the next lesson, we'll create the OAuth authorization script that opens your browser, lets you log in, and saves a refresh token for unattended uploads.