
I have a script that leverages the gcloud tool to create service accounts for a project.

I'd like to be able to create GSuite groups and add the service accounts to them within the same script as creating the service accounts, so I don't have to do it manually in the web UI.

Preferably, I would like as much of this to be done via the CLI as possible, including the initial setup of service accounts and GSuite authentication etc.

There is a lot of conflicting information when it comes to authenticating between gcloud and gsuite and how to automate GSuite tasks using gcloud service accounts.

What is the process to:

  • Get the required authentication information to submit requests to the GSuite API
  • Give permissions/scopes to whatever is required to obtain the above
  • Actually use that auth to create a group/add a user to a group/etc.

I would prefer to do any API requests either using a CLI tool (such as gcloud) or CURL. If a client SDK is required, I would prefer the NodeJS one.

Update

To clarify what I've tested so far, after wading through tons of out of date documentation on Google's developer portal, I:

  • Enabled the "Admin SDK API" for my project in GCloud (Google regularly references the 'Directory' API, which isn't something that can be enabled in the GCloud APIs, so I assume they're referring to the Directory API within the Admin SDK API)
  • Created a service account and gave it owner role for the project
  • Enabled domain-wide delegation on the service account to get its Client ID
  • In the Google Admin (GSuite) console, I gave the service account client ID the scope https://www.googleapis.com/auth/admin.directory.group in both "Security -> Manage API client access" and "Security -> API Controls -> Domain-wide Delegation"
  • Used the oauth2l tool with curl to generate a bearer token with the scope admin.directory.group
  • Attempted to use that bearer token to create a group using the following command: curl --request POST 'https://www.googleapis.com/admin/directory/v1/groups' --header "$(oauth2l header --json /home/<file containing the secret for the service account> --scope admin.directory.group)" --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{"email":"test@my-gsuite-domain.com"}' --compressed
  • Gsuite returned a nice handy 403 Not Authorized to access this resource/api.

Over all of the Google documentation they advise you to try these things out using the API Explorer, which doesn't exist anymore.

In the directory API pre-reqs page it describes setting up the API for the Admin console - The options described there also do not exist.

Serhii Rohoza
Connor Bell

2 Answers

TL;DR: You need to work with the Directory API from the G Suite SDK

Get the required authentication information to submit requests to the GSuite API

On Directory API: Prerequisites page we can read the steps you need to follow to Set up your API:

1. Enable the API access from the Admin console in order to make requests to the Directory API. To enable the API, log in to your admin account and select Security. If you do not see Security listed, select More controls and then Security from the options shown in the gray box. Select API reference, and then select the checkbox to Enable API access. Save your changes.

2. Set up a new project in the Google APIs Console and activate the Admin SDK service for this project.

Give permissions/scopes to whatever is required to the obtain the above

On Directory API: Authorize Requests you can read more about the process for Authorizing requests with OAuth 2.0 and the scopes you need. Since you want to manage only groups, you need to add the scope for "Scopes for groups, group aliases, and group members". The scope you need to add is:

Scope: https://www.googleapis.com/auth/admin.directory.group

Meaning: Global scope for access to all group operations, including group aliases and members.

Actually use that auth to create a group/add a user to a group/etc.

Since you will interact with the API using BASH, you will need to perform queries to the API using CURL. So all the examples I will post are using CURL.

On Directory API: Groups you can read the operations you can perform and how to perform such operations.

So, for example, if you want to create a group you need to perform a POST operation to "https://www.googleapis.com/admin/directory/v1/groups" with a JSON payload in the following format:

{
   "email": "sales_group@example.com",
   "name": "Sales Group",
   "description": "This is the Sales group."
}

So the CURL command will look like this:

curl --request POST \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer <ACCESS TOKEN>" \
     --data '{"email":"sales_group@example.com","name":"Sales Group","description":"This is the Sales group."}' \
     https://www.googleapis.com/admin/directory/v1/groups

A successful response returns an HTTP 201 status code. Along with the status code, the response returns the properties for the new group.

If you have problems getting your TOKEN you can read more in some posts about how to get OAuth 2.0 tokens:

https://stackoverflow.com/questions/28593022/list-google-drive-files-with-curl
https://stackoverflow.com/questions/44063975/get-access-token-of-google-api
https://developers.google.com/google-ads/api/docs/concepts/curl-example
https://www.jhanley.com/google-oauth-2-0-testing-with-curl/

Armando Cuevas
  • Thank you for your response - Unfortunately I'm stuck at the first step - The options "API Reference" and "Enable API Access" do not exist under the Security category in Google Admin, so I imagine the docs you're referring to are outdated. This is why I'm having so much trouble doing these things - it's very difficult to find accurate documentation! – Connor Bell May 12 '20 at 14:11
  • In my testing, I enabled the Directory API in GCloud, created a service account for it, gave it domain-wide delegation, then used the API Permissions in Google Admin to give the group scopes to the service accounts client ID. I then tried to use the Google Admin SDK for NodeJS to list groups with the GOOGLE_APPLICATION_CREDENTIALS env var set to the service account credentials location. It seems to authenticate, but 403's when trying to list groups. – Connor Bell May 12 '20 at 14:19
  • It also doesn't help that the API explorer is linked literally everywhere - but it doesn't exist anymore! – Connor Bell May 12 '20 at 14:25
  • Hi there. I followed my own answer to test it and I was able to perform the operations. When I go to Google Admin (https://admin.google.com/) I find exactly the options as described in my answer. Can you please confirm whether you are logging into the correct console? Also, are you a G Suite or Cloud Identity Free customer? – Armando Cuevas May 14 '20 at 15:35
  • Hi - That's interesting. I am indeed logging into the correct console, and I'm a Gsuite customer. When clicking on 'Security', the only available options related to API is the "API Permissions" section, which allows me to manage app access to google services. It may be that API is already enabled, please see the update in my answer for what options were available and what I tried to do. – Connor Bell May 14 '20 at 16:51

I had the exact same issue as OP, docs are terrible. Solved by granting "Groups Admin" role to my ServiceAccount on the Google Workspace Admin interface: Admin roles > Groups Admin > Service Account