6

I'm really struggling with trying to use Service Account authentication to use the Google Directory API (Admin SDK).

Using client-based three-legged OAuth this works (tested here - https://developers.google.com/admin-sdk/directory/v1/reference/members/insert) but there's a problem with the permission delegation to the service account I am using. Under the Google Apps administration, I enabled using APIs and added the service account to the list of allowed OAuth clients as instructed.

Here is the code:

import httplib2

from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

# Service account credentials (legacy oauth2client API): the service account's
# e-mail address, the contents of its private key, and the requested scopes.
credentials = SignedJwtAssertionCredentials(
    '<KEY>@developer.gserviceaccount.com',
    '<KEY DATA>',
    scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member'
)
http = httplib2.Http()
http = credentials.authorize(http)  # every request through this Http object carries the token

service = build("admin", "directory_v1", http=http)
groups = service.groups()
g = groups.get(groupKey="<GROUP NAME>").execute()

Eventually, I get the following error:

apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups/<GROUP NAME>?alt=json returned "Not Authorized to access this resource/api">

I tried using the following API as well:

service = build("groupssettings", "v1", http=http)

But this returns an error as well - "Backend Error".

Ron Reiter

1 Answer

19

Even though you're using a Service Account you still need to act on behalf of a Google Apps user in the instance that has the proper admin permissions. Try doing:

credentials = SignedJwtAssertionCredentials(
  '<KEY>@developer.gserviceaccount.com',
  '<KEY DATA>',
  scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member',
  sub='super-admin@yourdomain.com'  # the domain user the service account acts on behalf of
)

where super-admin@yourdomain.com is a super administrator in your Google Apps account.

Jay Lee
    Thanks, it worked! How did you know this solution? I knew this type of solution was the one I was looking for but I couldn't find the relevant docs. – Ron Reiter Sep 10 '13 at 23:18
  • 3
    This sub='super-admin@yourdomain.com' makes it work! – Seb P Jan 23 '14 at 07:50
  • 3
    This process is now documented at: https://developers.google.com/admin-sdk/directory/v1/guides/delegation – Jay Lee Feb 26 '14 at 03:11
  • Do we still use 'super-admin@yourdomain.com' as serviceAccountUser?? It seems like only 'admin@yourdomain.com' is legitimate. – Sardonic Jul 06 '16 at 22:45
  • but what does this mean? Even in 2017 I can't figure this out: I just want to know *my* organizations, why does this require a domain admin email? How does one get this information without that kind of email address? – Mike 'Pomax' Kamermans Jan 14 '17 at 00:16
  • Using the `google.oauth2.service_account.Credentials` API, this is: `creds = service_account.Credentials.from_service_account_info(service_account_json, scopes=scopes, subject="super-admin@yourdomain.com")` – user85461 Nov 03 '20 at 22:15
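To make concrete what the `sub` / `subject` parameter in the accepted answer (and the `google-auth` equivalent in the last comment) actually changes on the wire, here is an added example that is not part of the original question or answer. It builds the JWT assertion a service account exchanges for an access token, once without and once with the `sub` claim: without it the token represents the service account itself, which is not a user in the domain, so the Directory API answers 403 "Not Authorized to access this resource/api"; with it the service account asks to act as the named admin (domain-wide delegation). The signer is injected so the block runs offline with only the standard library; `rsa_signer_from_pem` is a hypothetical helper showing how a real RS256 signer would be wired in with the `cryptography` package, and the token endpoint URL is an assumption (the original code predates it).

```python
# Added example (not from the original post): build the RS256 JWT assertion that
# a service account exchanges for an access token, with and without the `sub`
# claim that the accepted answer identifies as the missing piece.
import base64
import json
import time
from typing import Callable, Dict, List, Optional

# Assumption: Google's current OAuth 2.0 token endpoint (older code used
# https://accounts.google.com/o/oauth2/token).
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

DIRECTORY_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
]


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(client_email: str, scopes: List[str], subject: Optional[str] = None,
                 now: Optional[int] = None, lifetime: int = 3600) -> Dict[str, object]:
    """Claim set for the service-account JWT grant.

    Without `subject` the resulting token identifies the service account itself,
    which has no admin role in the Google Workspace domain, hence the 403.
    With `subject` the service account acts as that user; the call succeeds if
    the user is an admin and the service account's client ID was authorized in
    the Admin console for exactly these scopes (domain-wide delegation).
    """
    now = int(time.time()) if now is None else now
    claims: Dict[str, object] = {
        "iss": client_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,  # Google rejects lifetimes longer than one hour
    }
    if subject:
        claims["sub"] = subject
    return claims


def build_assertion(claims: Dict[str, object], signer: Callable[[bytes], bytes],
                    key_id: Optional[str] = None) -> str:
    """Return header.payload.signature; `signer` produces the RS256 signature
    (RSASSA-PKCS1-v1_5 over SHA-256) of the signing input."""
    header: Dict[str, str] = {"alg": "RS256", "typ": "JWT"}
    if key_id:
        header["kid"] = key_id  # private_key_id from the downloaded key file

    def compact(obj: object) -> bytes:
        return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> Dict[str, object]:
    """Read back the (unverified) claim set to check what is being sent."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))


def token_request(assertion: str) -> Dict[str, str]:
    """Form body POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def rsa_signer_from_pem(pem: bytes) -> Callable[[bytes], bytes]:
    """Hypothetical helper: a real RS256 signer built with the `cryptography`
    package, needed only for a live call, not for the offline run below."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed placeholder signer so the example runs without a key file.
    def fake_sign(data: bytes) -> bytes:
        return b"\x00" * 256

    sa = "<KEY>@developer.gserviceaccount.com"
    without_sub = build_assertion(build_claims(sa, DIRECTORY_SCOPES, now=0), fake_sign)
    with_sub = build_assertion(
        build_claims(sa, DIRECTORY_SCOPES, subject="super-admin@yourdomain.com", now=0), fake_sign)
    print("without sub:", decode_claims(without_sub))
    print("with sub:   ", decode_claims(with_sub))
    print("POST body:  ", token_request(with_sub))
```

The access token returned for the `with_sub` assertion is what the Directory API checks; the 403 in the question is the server refusing a token whose `sub` is absent, not a problem with the key or scopes. Keep the impersonated account to the least-privileged admin role that the required scopes allow, since anyone holding the service account key can mint tokens for that user.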