Login/Register
Received error "Not Authorized to access this resource/api" when trying to use Google Directory API and Service Account Authentication
Asked Answered
Solved pythongoogle-appsgoogle-admin-sdk
L

1

6

I'm really struggling with trying to use Service Account authentication to use the Google Directory API (Admin SDK).

Using client based three legged OAuth this works (tested here - https://developers.google.com/admin-sdk/directory/v1/reference/members/insert) but there's a problem with the permission delegation to the service account I am using. Under the Google Apps administration, I enabled using APIs and added the service account to the list of allowed OAuth clients as instructed.

Here is the code:

import httplib2
import sys

from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

credentials = SignedJwtAssertionCredentials(
    '<KEY>@developer.gserviceaccount.com',
    '<KEY DATA>',
    scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member'
)
http = httplib2.Http()
http = credentials.authorize(http)

service = build("admin", "directory_v1", http=http)
groups = service.groups()
g = groups.get(groupKey="<GROUP NAME>").execute()

Eventually, I get the following error:

apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups/<GROUP NAME>?alt=json returned "Not Authorized to access this resource/api">

I tried using the following API as well:

service = build("groupssettings", "v1", http=http)

But this returns an error as well - "Backend Error".

Lafrance answered 9/9, 2013 at 20:17 Comment(0)
B
19

Even though you're using a Service Account you still need to act on behalf of a Google Apps user in the instance that has the proper admin permissions. Try doing:

credentials = SignedJwtAssertionCredentials(
  '<KEY>@developer.gserviceaccount.com',
  '<KEY DATA>',
  scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member',
  sub='[email protected]'
)

where [email protected] is a super administrator in your Google Apps account.

Brina answered 9/9, 2013 at 20:54 Comment(6)
Thanks, it worked! How did you know this solution? I knew this type of solution was the one I was looking for but I couldn't find the relevant docs.Lafrance
This sub='[email protected]' make it works !Erythrocytometer
This process is now documented at: developers.google.com/admin-sdk/directory/v1/guides/delegationBrina
Do we still use '[email protected]' as serviceAccountUser?? It seems like only '[email protected]' is legitimate.Americanize
but what does this mean? Even in 2017 I can't figure this out: I just want to know my organizations, why does this require a domain admin email? How does one get this information without that kind of email address?Mallard
Using the google.oauth2.service_account.Credentials API, this is: creds = service_account.Credentials.from_service_account_info(service_account_json, scopes=scopes, subject="[email protected]") ```Grayson

© 2022 - 2024 — McMap. All rights reserved.