gsuite service account for directory api returns http 400 errors: Bad request/Invalid input

Asked 10/5, 2020 at 19:28 Answered 3/3, 2023 at 13:33

Solved python google-api service-accounts http-error google-directory-api

I have started to develop some apis to create users in my G suite directory. I followed the service account tutorials along with the Directory tutorials for python. The code I have is very simple just to test out how it will work.

from google.oauth2 import service_account
from googleapiclient.discovery import build
SCOPES = ['https://www.googleapis.com/auth/admin.directory.user']
SERVICE_ACCOUNT_FILE = 'file'
creds = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)
service = build('admin', 'directory_v1', credentials=creds)
results = service.users().list(customer='i am not sure what customer is', maxResults=10, orderBy='email').execute() 
#this line produces the error.
#Vscode also states the service has no member users. But I did install all #the libraries
users = results.get('users', [])
print(users)

The documentation to me is unclear about most things. When I run this I get

googleapiclient.errors.HttpError: <HttpError 400 when requesting https://www.googleapis.com/admin/directory/v1/users?customer=students&maxResults=10&orderBy=email&alt=json returned "Bad Request">

When I change customer from my_customer to something else I get Invalid Input. Any suggestions to what may cause this error and preferably how to work with this api via a service account? Now I did enable the directory api and create the service account and downloaded the service account file as well. Am I missing a step? I would also prefer if someone has a better documentation that I was unable to find.

Indicate answered 10/5, 2020 at 19:28 Comment(5)

Hi, @sakib11. I have the same issue using Java, do you have a solution? – Tarmac 16/6, 2020 at 14:41

Okay so the issue is related to the scopes. Recheck your scopes from the Gsuite administration and also make sure that the customer can be 'me'. – Indicate 16/6, 2020 at 15:18

So I revisited this, it is only a scope issue. Just go to your google admin security page and make sure that your delegated service account has the required scope. – Indicate 16/6, 2020 at 15:47

Yes, it was related with the scopes. I also had to impersonate an admin account to make it work. Thanks! – Tarmac 17/6, 2020 at 23:50

great thatit helped. – Indicate 19/6, 2020 at 12:50

Ensure that the service account has domain-wide-delegation enabled and has the proper scopes.

Indicate answered 19/6, 2020 at 12:51 Comment(0)

Finally I resolved this issue by setting another parameter "subject" when calling "service_account.Credentials.from_service_account_file".

Karena answered 4/12, 2020 at 10:17 Comment(3)

For me, I didn't even know that a param like that even existed. – Indicate 4/12, 2020 at 19:18

What was the subject you added? – Lickerish 30/9, 2022 at 8:50

@Lickerish subject equals to the email address of the admin, who will be actor for the action. – Tadzhik 3/3, 2023 at 13:33

Ensure that the service account has domain-wide-delegation enabled and has the proper scopes.

Indicate answered 19/6, 2020 at 12:51 Comment(0)

Yes, it's pretty unclear how to do a basic thing if you want to craft a tiny helper script. JSON for a Service Account is what you get after generating a new key in Google Cloud > IAM & Admin > Service Accounts > Keys. Here's how the full final variant looks:

import json
from google.oauth2 import service_account
from googleapiclient.discovery import build

SCOPES = ['https://www.googleapis.com/auth/admin.directory.user.readonly']
SUBJECT = '[email protected]'
CUSTOMER_ID = 'C91FjKp'

def main():
    credentials = service_account.Credentials.from_service_account_file(
        '/path/to/service-account-key.json', scopes=SCOPES
    )
    credentials = credentials.with_subject(SUBJECT)
    admin = build('admin', 'directory_v1', credentials=credentials)
    results = admin.users().list(
        customer=CUSTOMER_ID,
        query='isSuspended=False',
        maxResults=100,
        orderBy='email',
        viewType='admin_view',
        projection='basic',
        showDeleted=False,
    ).execute()
    print(json.dumps(results, indent=4))

if __name__ == '__main__':
    main()

Tadzhik answered 3/3, 2023 at 13:33 Comment(0)

Recommended topics

Hot tags