Directory API: Not Authorized to access this resource/api #1884
Comments
bcoe
added
the
type: question
|
@nicholasc I believe the scope for list might be: can you give this a shot? |
|
It did not work. The url used by the library is Based on the API Reference the scope for that url is |
|
I too face the same problem when trying to manage the G Suite users using service account credential, but hitting the same problem
|
bcoe
added
type: bug
|
@nicholasc I work on the GCP client libraries team, which is a few steps away from the Gmail API. I've added the It might also be worth following the directions here to get help with the gmail API, just in case someone on stack overflow knows an immediate solution to your problem. |
|
Hello @bcoe . I appreciate that this will be looked into as I am still facing this issue. I've temporarily resorted to a manual list of our users but I don't see this as a viable solution long term. Thank you for referring me to the Gmail API help section. However, this is not related to the Gmail API, which I have been able to use with a service account, but with the Directory API within the Admin SDK. I went here and looked for similar issue on stack overflow but haven't been able to find much of anything. Again, thank you. |
|
Found relevant issue on the Admin SDK Bug issue tracker: No real solution at the moment. |
|
@nicholasc, thanks for pointing out the issue tracker. The solution there was to use a legit admin user's account which is not a viable solution. This is also occurring in the java API at the moment. @bcoe Is there any other possible way to determine which groups a user belong to using service account authentication? |
|
Seeing the same issue. Have Domain Wide Delegation enabled and added the scopes for the client in Admin. |
|
I have the same issue, I gave my service accounts all the authorization in GSuite Admin and gave him the right scopes with domain wide delegation and I'm facing the same error. FYI, I use a server to server oauth scheme (JWT). |
Thanks a lot. This scope fixed my problem. |
|
@SqiSch could you share a brief snippet of code, demonstrating the approach you're taking. I wonder why this scope did not solve @nicholasc's issue for them. |
|
Didn't solve mine either. I've given up and am using something else. Requiring human interaction via OAuth to access google groups (or not publishing what is needed) is silly. Last thing I need to do is grant full admin rights to Mechanical Turk and pay someone to be an API. |
|
The same issue. Didn't solve mine either. const { google } = require('googleapis');
const key = require('./sa.json');
const ADMIN_API = google.admin('directory_v1');
const SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.user.security',
];
const auth = new google.auth.JWT(
key.client_email,
null,
key.private_key,
SCOPES,
);
ADMIN_API.users
.insert({
auth,
resource: {
name: {
familyName: 'John',
givenName: 'Doe',
},
password: '1qaZXsw2',
changePasswordAtNextLogin: true,
primaryEmail: 'testuser@example.com',
},
})
.then((data) => {
console.log(data);
})
.catch((error) => {
console.log(error);
});Versions:
|
|
I'm running into the same issue When using the scopes of: AND with It's also failing from https://developers.google.com/admin-sdk/directory/v1/reference/groups/list in the API trial sidebar |
|
The issue appears to be that the user is not an admin, and thus cannot access the admin sdk: On second thought, this does not make sense to me. If I was able to create an access token with the given scopes this should be all I need to look at my groups at least. |
|
I had the same problem. EDIT: Forgot to mention, it solved the problem |
|
Is there already a solution for this? I am facing the same problem with indeed a Service account with a Domain-wide Delegation |
Yes @sanderisbestok you may refer this https://stackoverflow.com/questions/56636523/instantiate-an-admin-sdk-directory-service-object-with-nodejs. Thing here is, need also to pass 'subject'. |
|
Hey guys, I solved my issue by bypassing the google api nodejs client, using my following code: const jwt = require('jsonwebtoken');
const keys = require('./jwt.keys.json');
const fetch = require("node-fetch");
const createJwt = (projectId, algorithm) => {
// Create a JWT to authenticate this device. The device will be disconnected
// after the token expires, and will have to reconnect with a new token. The
// audience field should always be set to the GCP project id.
const token = {
iss: keys.client_email,
scope: "your scopes",
iat: parseInt(Date.now() / 1000),
exp: parseInt(Date.now() / 1000) + 60 * 60, // 20 minutes
aud:"https://oauth2.googleapis.com/token",
sub: "account for DWD" // here you need to put the account used for domain delegation
};
const privateKey = keys.private_key; // load the private key of your SA
return jwt.sign(token, privateKey, {algorithm: algorithm});
};
function getOauthBearer(token, callback){
// this method will return the oauth bearer so you can use it when calling Admin API
let options = {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token
}
const BASE_URL = 'https://oauth2.googleapis.com/token'
fetch(BASE_URL, options)
.then(response => response.json())
.then(json=> {
callback(json.access_token);
})
.catch(err => console.error(err))
}
export function yourFunction(param1, ... , callback) {
let token = createJwt(keys.project_id, 'RS256');
getOauthBearer(token, body => {
const url = "your Google directory API URL"
const headers = {
method: 'GET',
headers:{
'Authorization': 'Bearer ' + body
}
};
fetch(url, headers)
.then(response => response.json())
.then(json=> {
callback(json);
})
.catch((error) => console.error(error))
});
}There you go, tell me if it worked for you ! |
|
@tchimih How is that bypassing the directory api? It seems like its still calling the same api? I think what we're seeing is that it depends on what "account for DWD" you are using. You need to make the call with the correct account to be able to get results. |
|
@justinmchase sorry for my mistake. I meant by bypassing the google nodejs client. I think you need to specify when the service account is created the dwd account used. That's what I did and it worked for me. I used to have the same error. |
|
I'm having a similar issue. Could someone clarify. Does the account that creates the Service account need to be an Admin on the Domain? For example:
const auth = new google.auth.GoogleAuth({
keyFile: process.env.GOOGLE_APPLICATION_CREDENTIALS,
scopes: ['https://www.googleapis.com/auth/admin.directory.user'],
});
However when I then try to call the API via the node client I get the 403 error. Does my service account need to be created by a Google Admin? |
Try this... #1884 (comment) |
|
I am also experiencing this problem using the Python client libraries. I am using the following code to try to suspend an account but am getting the same error that everyone here is reporting. from google.oauth2 import service_account
from googleapiclient import discovery
SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.user.security',
]
service_account_json_key = {
"type": "service_account",
"project_id": "[REDACTED]",
"private_key_id": "[REDACTED]",
"private_key": "[REDACTED]",
"client_email": "[REDACTED]",
"client_id": "[REDACTED]",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "[REDACTED]"
}
credentials = service_account.Credentials.from_service_account_info(
service_account_json_key,
scopes=SCOPES,
)
service = discovery.build('admin', 'directory_v1', credentials=credentials)
resp = service.users().patch(
userKey='user@company.com',
body={
'suspended': True,
},
).execute()
print(dir(resp))As you can see, I have tried adding the scope described earlier. I have also enabled domain-wide delegation. |
|
Try: |
|
Thank you for the suggestion @gustavopergola. I've tried adding a subject containing both my own GSuite user email address (which is not an admin) as well as that of an admin who has access to the service account I am using. In both cases I receive the following error:
I should also note that, after the two lines you listed above, printing both I've also taken note of the fact that domain-wide delegation has been disabled and I am unable to re-enable it. |
|
It turns out that my assumption was correct unless a maintainer could clarify otherwise. The only users able to access the Admin SDK must be an Admin / Superuser of the Domain or a registered Google Reseller. As others have mentioned, you also need to provide the subject for JWT which must be the email of the admin who created the Service Account. I was able to connect with the following example: const auth = new google.auth.JWT({
keyFile: KEYFILE_GENERATED_BY_ADMIN,
scopes: ['https://www.googleapis.com/auth/admin.directory.user.readonly'],
subject: ADMIN_EMAIL,
});But not able to connect with the following example: const auth = new google.auth.JWT({
keyFile: KEYFILE_GENERATED_BY_THIRD_PARTY,
scopes: ['https://www.googleapis.com/auth/admin.directory.user.readonly'],
subject: THIRD_PARTY_EMAIL,
});I don't know if others are trying to connect as effectively a third party developer and running into this issue. The docs could be a lot more explicit if this the expected behaviour? Hope it helps others. |
|
@mathewtrivett's suggestion actually worked perfectly on my side. |
|
For those who want to use the See issue #1699 .
|
The note at the bottom of this section of the documentation seems to confirm this. |
|
Hello. I am also having the same issue. I am trying to gather a list of users from gsuite to google sheets but when trying to gather the list of users, i get the following error: GoogleJsonResponseException: API call to directory.groups.list failed with error: Not Authorized to access this resource/api (line 28, file "1_listAllGroupMembers") I have checked with the admin of gsuite and he did add me as an admin but on admin.google.com I can see the users but cannot add new ones for example, could it be that I am not admin in reality? Appreciate your help with this :) |
@gustavopergola - this did it for me. |
It doesn't seem to work either even adding the non-admin user to a role with the Admin API access privileges |
|
I flailed at this for a couple days, and have a somewhat workable solution. I created a service account with domain-wide delegation and Organization Admin/Service Usage Admin/Role Admin/Owner roles. The roles where a complete shot in the dark because nothing seemed to work. With the .NET SDK and ApplicationDefaultCredentials I could set an IAM policy, and create a project, but not create a group. I'm not totally ready to give up, but I have settled so far on the following This does work, confirmed in GCP console and in the Admin console. However, if I do something like |
this is worked for me. whenever i get this error. i add the "sub" field indicating the email address of admin in gsuite |
|
I also struggled to get past the 403 errors using googleapis library no matter what I also wanted to avoid using the user-tied OAuth approach, and instead opted in to work with a service account. TLDR: It worked when I switched to google-auth-library, which is a dependency included in the googleapis. My naive assumption is that the added abstraction layer was the issue. Here are steps I've taken to make it work:
For more, follow the Perform Google Workspace Domain-Wide Delegation of Authority
|
|
@elishaterada it really is the same dependency, with 0 layers of abstraction in between. |
|
What did the trick for me is that I had to impersonate a different user: |
|
I ran into this issue as well. In my case, I was trying to use this api in a script, when a sheet is updated. What I ended up having to do to resolve the issue is make sure the trigger is one that's created by an admin. In my case, I had created the trigger some time ago and downgraded the account I used at the time. The way I resolved is by deleting the trigger I created previously and creating a new trigger. This prompted me to select an account to authenticate the trigger. Selecting an account with current admin privileges solved my issue. |
For me it worked like this: const auth = new google.auth.JWT({
keyFile: KEYFILE_GENERATED_BY_THIRD_PARTY,
scopes: ['https://www.googleapis.com/auth/admin.directory.user.readonly'],
subject: ADMIN_EMAIL,
});I am not an admin, but had created the key file. Afterwards the admin activated Domain Wide Delegation and I used that admin email address for |
It worked for me. But what is really happening here? Can you please explain? Is this impersonating an admin account? |
|
What worked for me was including the |
|
I am still having this issue? Is there a solution for this? It keeps throwing 403 and am generating these calls from an application |
|
I am still having this issue. I have not had success with ruby, python, or postman. I have successfully generated tokens with postman ONLY. I am currently dealing with All I need to do is return a list of devices from the directory api and it is one of the hardest things I have ever tried to do as a developer and that is crazy! I am really fighting burnout on this one and any advice would be greatly appreciated. |
|
@FULLBL00M I don't know about nodejs, but for me in python, here's what I just did to get it working:
|
|
In my case, I solved by giving the |
|
Solved my issue of getting authenticated using a service account with domain-wide delegation in python by adding Full code: |
|
If you are coming from Google, this solution is the one: #1884 (comment) |
|
Just enhancing this reply . this solved my problem. |
|
I know this is a Node topic, but the same thing goes for the PHP library. |
and others
I created a project in the Google Cloud Platform and went ahead and activated the Admin SDK & Gmail APIs. I then created a domain-wide service account in the project, downloaded the JSON key file and gave it authorization to the following scopes in the Admin Console:
Using the JSON file, I can create a JWT auth object and access the Gmail API just fine. However, I keep getting
403: Not Authorized to access this resource/apiwhen attempting to use any resource on the Directory API.In the API & Services Dashboard on the Google Cloud Platform, I can see the requests coming in and being denied but I can't think of any reason why this would not work properly.
Here is the code I am using (of course using a different domain than mydomain.com):
Environment details
google-auth-libraryversion: 5.2.0Steps to reproduce
Too many steps based on the description of the issue.
The text was updated successfully, but these errors were encountered: