2

I'm trying to list users via Google admin directory API.

import logging
import os

from google.appengine.api import memcache
from googleapiclient import discovery
from oauth2client.contrib.appengine import AppAssertionCredentials

import httplib2

from flask import Flask


credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/admin.directory.user')
auth_http = credentials.authorize(httplib2.Http(cache=memcache))
service = discovery.build('admin', 'directory_v1', http=auth_http)    

@app.route('/list')
def list():
    results = service.users().list(domain='example.com', maxResults=10, orderBy='email').execute()
    return 'success'

app = Flask(__name__)

I'm running this in App Engine and have enabled domain-wide delegation for App Engine default service account, as instructed in https://developers.google.com/api-client-library/python/auth/service-accounts

This is the error I'm getting: HttpError: https://www.googleapis.com/admin/directory/v1/users?orderBy=email&domain=example.com&alt=json&maxResults=10 returned "Not Authorized to access this resource/api">

kcliu
  • 21
  • 3
  • This is solved by re-performing each step of [Domain-Wide Delegation](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority) as pointed out by @noogui. If you were able to solve your issue I ask that you provide the answer or select noogui's answer as the solution. If you are still having issues, I ask that you provide further details about your current Domain-Wide Delegation setup. – Jordan Feb 28 '17 at 14:59
  • So you could not use the App Engine default service account? – JMKrimm Sep 23 '19 at 19:59

1 Answers1

2

Follow the steps indicated in Delegating domain-wide authority to the service account:

Then, an administrator of the G Suite domain must complete the following steps:

  1. Go to your G Suite domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  3. Select Show more and then Advanced settings from the list of options.
  4. Select Manage API client access in the Authentication section.
  5. In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  7. Click Authorize.

Make sure your service account is set to Administrator.

ReyAnthonyRenacia
  • 17,219
  • 5
  • 37
  • 56
  • how do you set a service account to admin? Is it through admin.google.com? If yes, I don't see a way to do that – kcliu Feb 17 '17 at 14:16
  • Try this. Go to your Google Dev console, go to your service account and click Role set it to Owner. – ReyAnthonyRenacia Feb 21 '17 at 10:42
  • Navigated to IAM console and set role to owner, but still getting the 403 error. `HttpError: – kcliu Feb 21 '17 at 10:58
  • Can you try the solution provided in this [SO thread](http://stackoverflow.com/questions/26409201/google-service-directory-403-not-authorized-to-access-this-resource-api). – ReyAnthonyRenacia Feb 21 '17 at 11:05
  • Hi I've tried having App Engine default service account impersonating a domain admin and still getting the same 403 error (see above). `credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/admin.directory.user', **sub='admin@example.com'**)` I'd like to use _AppAssertionCredentials_, since I won't need to generate/store a key file if the app already runs on App Engine as stated here - https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests. – kcliu Mar 10 '17 at 03:55