1

i want to use admin sdk directory api to create eamil account of users.

i am using google-api-python-client-1.2 library.

in folder /samples/service_account/tasks.py works for me.

but when i chance that file to list users from admin directory api it doesn't works and throws errors.

below is the code i am using.

import httplib2
import pprint
import sys
import inspect

from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
def main(argv):
    f = file('my-privatekey.p12', 'rb')
    key = f.read()
    f.close()

   credentials = SignedJwtAssertionCredentials(
      'my@developer.gserviceaccount.com',
      key,
      scope=['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.readonly'])
   http = httplib2.Http()
   http = credentials.authorize(http)

   service = build("admin", "directory_v1", http)
   list_of_apis = service.users().list(domain='mydomain.com').execute(http=http)
   pprint.pprint(list_of_apis)
if __name__ == '__main__':
      main(sys.argv)

when i run the above code i get below errors.

$python tasks.py 
No handlers could be found for logger "oauth2client.util"
Traceback (most recent call last):
  File "tasks.py", line 77, in <module>
    main(sys.argv)
  File "tasks.py", line 66, in main
    list_of_apis = service.users().list(domain='messycoders.com').execute(http=http)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/apiclient/http.py", line 723, in execute
    raise HttpError(resp, content, uri=self.uri) apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?domain=messycoders.com&alt=json returned "Not Authorized to access this resource/api">
Dipak Yadav
  • 114
  • 17

1 Answers1

3

Try:

   credentials = SignedJwtAssertionCredentials(
      'my@developer.gserviceaccount.com',
      key,
      sub='superadmin@mydomain.com',
      scope=['https://www.googleapis.com/auth/admin.directory.user',])

You don't need both scopes, use readonly if you're doing read operations only, use the above if you're doing read and write.

sub= defines which Google Apps account the service account should impersonate to perform the directory operations, it's necessary and the account needs to have the right permissions.

Lastly, be sure that you've granted the service account's client_id access to the directory scopes you need in the Control Panel. The steps to do this are listed in the Drive documentation, just sub in the correct scope(s) for Admin Directory.

Jay Lee
  • 13,415
  • 3
  • 28
  • 59
  • still not working, same error, i have one confusion will the above script work from my local system as well or should i run from the registered domain ? – Dipak Yadav Dec 20 '13 at 21:56
  • You've confirmed that: 1) The Service Account client_id, as shown in the downloaded client_secret file from the service account's page in the cloud console, has been granted the Admin SDK users scope for the messycoders.com domain? 2) The address you're using for sub= is a super admin in the domain? – Jay Lee Dec 21 '13 at 00:51
  • it started working, don't know how added sub= and private_key_password='notasecret', then generated new key again and started working, Thanks @Jay Lee – Dipak Yadav Dec 21 '13 at 07:11