Google Admin SDK - Service account can't access resource
I've created a Service Account client via console.developers.google.com. Generated keys, .p12 cert, enabled DwD, and so on... Then I continued as described in the Admin API references (HTTP/REST version). That included assigning scopes to these client ids at Google Admin -> Security -> Advanced Settings. (screenshot: current admin security config state) After I successfully exchanged the code for an access token and made a request for the list of users under my domain, I got this response.

{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Not Authorized to access this resource/api"
      }
    ],
    "code": 403,
    "message": "Not Authorized to access this resource/api"
  }
}

The request is a GET with Authorization: Bearer ya29.ElrxA8F[rest of acctoken], and the Google dev console dashboard shows a chart with error requests at Admin SDK.

Unite answered 13/2, 2017 at 12:20

You must impersonate your client as a designated user.

So I missed the "sub" parameter in the JSON auth payload. This is the correct JSON object (of course with your ids, etc.) that you need to use to access your Admin SDK from a Service Account:

{
  "iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
  "sub": "[email protected]",
  "scope": "https://www.googleapis.com/auth/prediction",
  "aud": "https://www.googleapis.com/oauth2/v4/token",
  "exp": 1328554385,
  "iat": 1328550785
}

Take a look at the Google Admin SDK reference for more details (the part about the "sub" parameter).

Unite answered 15/2, 2017 at 7:0
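To make the accepted answer concrete, here is an added example (not code from the question or either answerer) that assembles the JWT-bearer claim set with and without the "sub" claim and runs a local pre-flight check against what the Admin console has been configured to allow. Claim names and the token endpoint are those of Google's JWT-bearer flow; the service-account address, admin address and delegated scope set are constructed placeholders, and the HMAC signer is an offline stand-in for the RS256 signature a real deployment makes with the private key from the .p12 or JSON key file.

```python
"""Pre-flight checks for a service-account JWT used with domain-wide delegation.

Added example. The e-mail addresses, delegated scope list and signing key below
are constructed placeholders, not values from the page.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Iterable, List, Optional

# Token endpoint as used in the answer's claim set.
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"
# Admin SDK Directory scope for user management.
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
MAX_LIFETIME = 3600  # assertions must not be valid for longer than one hour


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(issuer: str, subject: Optional[str], scopes: Iterable[str],
                 now: Optional[int] = None, lifetime: int = MAX_LIFETIME) -> Dict:
    """Claim set for the assertion. 'sub' is the admin user being impersonated;
    omitting it is exactly the mistake behind the 403 in the question."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer,
        "scope": " ".join(scopes),
        "aud": TOKEN_ENDPOINT,
        "exp": now + lifetime,
        "iat": now,
    }
    if subject is not None:
        claims["sub"] = subject
    return claims


def build_assertion(claims: Dict, signer: Callable[[bytes], bytes], alg: str) -> str:
    """Assemble header.payload.signature; the signer returns the raw signature bytes."""
    header = {"alg": alg, "typ": "JWT"}

    def compact(obj: Dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    signing_input = f"{b64url(compact(header))}.{b64url(compact(claims))}"
    return f"{signing_input}.{b64url(signer(signing_input.encode()))}"


def parse_claims(assertion: str) -> Dict:
    """Decode the payload segment of an assertion (no signature check; inspection only)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(claims: Dict, delegated_scopes: Iterable[str],
              admin_users: Iterable[str]) -> List[str]:
    """Compare the claim set with what the Admin console has been configured to allow.
    Each entry returned is a reason the token exchange or the API call would fail."""
    problems: List[str] = []
    delegated = set(delegated_scopes)
    sub = claims.get("sub")
    if sub is None:
        problems.append("missing 'sub': the service account is not impersonating an admin user")
    elif sub not in set(admin_users):
        problems.append(f"'sub' {sub} is not a (delegated) admin of the domain")
    for scope in claims.get("scope", "").split():
        if scope not in delegated:
            problems.append(f"scope not delegated to this client ID in the Admin console: {scope}")
    if claims.get("aud") != TOKEN_ENDPOINT:
        problems.append(f"unexpected 'aud': {claims.get('aud')}")
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("assertion lifetime exceeds one hour")
    return problems


def token_request_body(assertion: str) -> Dict[str, str]:
    """Form fields POSTed to the token endpoint in exchange for an access token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}


def demo_signer(data: bytes) -> bytes:
    """Offline stand-in: HMAC-SHA256 with a constructed key. Google only accepts
    RS256 signatures made with the service account's private key."""
    return hmac.new(b"offline-demo-key", data, hashlib.sha256).digest()


if __name__ == "__main__":
    svc = "my-client@my-project.iam.gserviceaccount.com"   # constructed
    admins = {"admin@example.com"}                          # constructed
    delegated = {DIRECTORY_USER_SCOPE}                      # constructed
    broken = build_claims(svc, None, [DIRECTORY_USER_SCOPE])
    fixed = build_claims(svc, "admin@example.com", [DIRECTORY_USER_SCOPE])
    for name, claims in (("without sub", broken), ("with sub", fixed)):
        assertion = build_assertion(claims, demo_signer, "HS256")
        print(name, preflight(parse_claims(assertion), delegated, admins) or "ok")
```

Running the script reports the missing "sub" for the first claim set and "ok" for the second; the same check also flags a scope that was never added to the client ID in the Admin console, which is the other cause of this 403 that the later answer mentions.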

You may refer to this answer, which states that only super admins, delegated admins and resellers can access the Admin SDK Directory API. Try to delegate an admin that only has access to update users via the API and then have your web application utilize an OAuth token created for this delegated admin. This might also be because of a misconfiguration on Google Apps: "Add the Client ID with scopes on the Google Apps console." You may check on this.

Sennar answered 14/2, 2017 at 8:43

For future people who also have this problem: please reset your tokens too... I spent a day not understanding why I had this error in my Google Script with my service account, even though I had validated all the permissions. Finally, the reason was that the script's cache was using an old token that had been generated with missing permissions.

Clea answered 7/11, 2021 at 6:10