2

I want to set the signature for all users on my Google Apps domain to their name and job title. Through my research, I found that the only free way to do this is by using the Gmail API. I managed to get a list of all users on the domain (with the required info, email address that I want to set the signature of, name, job title) simply by using the quick start guide at https://developers.google.com/admin-sdk/directory/v1/quickstart/js.

At the end of the listUsers function I added the loadGmailApi code. Once the api is loaded, it runs a funtion called setSignatures.

function setSignatures() {
    var request = gapi.client.gmail.users.settings.sendAs.update({
        'userId': email,
        'sendAsEmail': email,
        'signature': '<strong style="color: rgb(230, 145, 56); font-family: arial, sans-serif; font-size: large;">' + name + '</strong>'
    });

    request.execute(function(resp) {
        console.log(resp);
    });
}

This works perfectly when the variable "email" is my own, but when it is anyone elses, I get the following error: 403 Delegation denied for 'myemail'. I am a super admin.

I now found out I need to use a service account. I then completely followed this guide How to obtain Google service account access token javascript. The one difference is that to authorise I use 

gapi.auth.authorize({

instead of

gapi.analytics.auth.authorize({

As I don't need the analytics API. I hope that isn't causing problems. I need the directory and gmail API. At the end of the code provided in the above link, I loadDirectoryApi() and run code to get all the user information again, as before. I can't even get to setting the signatures, because at this point, I get an error saying : 401 Login Required.

So if I use my own email to try this, I get a 403, and when I tried a service account, I got a 401. It says login required, how can I log in? I thought service accounts don't actually log in, but I use a JWT to make an access token. I am authorising by

gapi.auth.authorize({
    'serverAuth': {'access_token': token},
    'scope': 'https://www.googleapis.com/auth/admin.directory.user',
    'client_id': 'myClientID'
});

What am I doing wrong? Please help. I need to know how to "log in" or authenticate with a service account so that I can update signatures.

Community
  • 1
  • 1
Akash Saggar
  • 31
  • 5
  • You might want to check all requirements in this [document](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to verify if you have done all that is needed to be done to perform Google Apps Domain-Wide Delegation of Authority. [Gmail supports domain-wide delegation](http://stackoverflow.com/a/27822720/5995040), as said in the related SO question. – Mr.Rebot Nov 02 '16 at 14:52
  • But be reminded you need to grant that service account access to your work domain and only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Hope this helps. – Mr.Rebot Nov 02 '16 at 14:53

1 Answers1

0

Even if you are super admin you cant change email signatures of other users by default using gmail api.

First you need to create a service account in google dev console and add domain wide delegation for that account.

After that you go to your google admin and add that service account with required scopes under API control.

Then you need to use those credentials inside of your python script.

Basically what it does is, it allows you to impersonate as other user and change email Signature. You don't need password as the service account has domain wide rights. The below link explains how to do that.

But the link describes it using PHP but still it will help you to create a domain wide delegation service account.

https://moometric.com/integrations/gsuite/use-gmail-api-update-signatures-gsuite-users-php/

Mihir gajjar
  • 21
  • 3