4

I'm trying to access the new Android Management API for our organization but I run into problems accessing the API. Everything runs fine when accessing the API through the API explorer. To run this on our server, I have created a new project in the Google cloud console and created a service account there. I downloaded the key and use this for local testing on my machine. However, upon the first signupUrl call, I get a 403 error, stating: "Caller is not authorized to manage project.". The service account I'm using has the "Project Owner" role, I don't see how I can give it even more privileges...

The code I'm using:

from django.conf import settings
from django.http import HttpResponse
from django.shortcuts import render
from googleapiclient.discovery import build
from googleapiclient.errors import HttpError
from oauth2client.service_account import ServiceAccountCredentials


def initial_enterprise_user(request):
    enterprise_token = request.GET.get('enterpriseToken')
    usr = request.user

    scopes = ['https://www.googleapis.com/auth/androidmanagement']

    credentials = ServiceAccountCredentials.from_json_keyfile_name(settings.SERVICE_ACCOUNT, scopes=scopes)

    if enterprise_token is None:
        androidmanagement = build('androidmanagement', 'v1', credentials=credentials)
        try:
            # execute() returns the decoded JSON body as a dict; a non-2xx reply
            # (such as the 403 described above) is raised as HttpError instead.
            resp = androidmanagement.signupUrls().create(projectId=settings.ANDROID_MGMT_PROJECTID).execute()
        except HttpError as err:
            return HttpResponse('Failed to get signup url: %s' % err, status=500)
        usr.signup_url_name = resp['name']
        usr.save()
        return render(request, 'initial_login.html', {'response_url': resp['url']})
    else:
        # handle token present (the body of this branch is not included in the post)
        raise NotImplementedError('enterpriseToken handling not shown')
stamppot
  • Is the project of the service account the same as the project you are trying to access (settings.ANDROID_MGMT_PROJECTID)? – Fred Dec 19 '17 at 13:57
  • Yes it is. I was using another project that was used in another device management POC before and also tried creating a completely new project. I added the Android Management API to this project, but it does not seem to work... – stamppot Dec 19 '17 at 14:39
  • I tried to reproduce but couldn't. When I create a service account with role "Owner" or "Editor" it works fine calling the signupUrls.create method with the project used to create the service account. Maybe check in the IAM config that the service accounts have the right roles for the right project (https://console.cloud.google.com/iam-admin/iam/)? – Fred Dec 19 '17 at 22:55
  • I've checked the service account in the IAM console and added the Owner role. No dice... Just to be sure: you are doing this as a Google Cloud project, right? – stamppot Dec 20 '17 at 09:19

1 Answer

5

I created a new project in the system, creating the service account before enabling the Android Management API. The service account was created with the "Owner" role selected. This seems to have enabled the right sequence in the app, as it is now working. Previously, I had added the API to the project and then created my service accounts, linking them to the API afterward.

stamppot
  • Thank you for sharing your solution! Maybe the issue has to do with how permissions are listed within a role, the Owner role is just a set of permissions and one of these permissions allows managing devices. But anyway, glad to hear you have found a solution. – Fred Dec 20 '17 at 12:23
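A preflight check for the downloaded service-account key before it is handed to the API client, covering Fred's question above (does the key's project match settings.ANDROID_MGMT_PROJECTID?) and the fact that the key sits on a local testing machine. This is an added example, not code from the question or answer; the field names are those of a Google service-account key file, while the sample key contents, project names and the mdm-server account name are constructed placeholders.

```python
import json
import os
import stat
import tempfile

# Fields every Google service-account key file carries; the check below relies on them.
REQUIRED_FIELDS = ("type", "project_id", "client_email", "private_key_id")

def preflight_service_account_key(key_path, target_project_id):
    """Return a list of problems found before the key is used for an API call.

    An empty list means the key file is well-formed, not readable by other local
    users, and issued by the project the signupUrls.create call will target.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{key_path} is readable by other users (mode {oct(mode)}); chmod 600 it")
    with open(key_path) as fh:
        key = json.load(fh)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        problems.append(f"key file is missing fields: {', '.join(missing)}")
        return problems
    if key["type"] != "service_account":
        problems.append(f"key type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != target_project_id:
        # A key from another project can still work if the account holds a role in the
        # target project, so this is reported as a problem to review, not a hard failure.
        problems.append(
            f"key was issued by project {key['project_id']!r} but the call targets "
            f"{target_project_id!r}; the account needs a role in {target_project_id!r}"
        )
    return problems

def write_sample_key(project_id, path):
    """Write a constructed, non-functional key file with the fields a real one has."""
    sample = {
        "type": "service_account",
        "project_id": project_id,
        "private_key_id": "PLACEHOLDER_KEY_ID",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": f"mdm-server@{project_id}.iam.gserviceaccount.com",
    }
    with open(path, "w") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o600)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sa-key.json")
        write_sample_key("mdm-project-a", path)
        print(preflight_service_account_key(path, "mdm-project-a"))  # []
        print(preflight_service_account_key(path, "mdm-project-b"))  # one problem: project mismatch
```

Run it with the real key path and settings.ANDROID_MGMT_PROJECTID at server start-up and refuse to build the client while the list is non-empty; the IAM role itself still has to be verified in the console, since the key file does not record it.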