
I'm porting our old user management scripts from the Google Provisioning API (which used the python gdata libraries) to the Google Directory API (the python admin-sdk libraries). So far most things have gone fine; however, I've run into issues when attempting to do a discovery on what groups a user belongs to (which I need to remove membership from before a user deletion). Even stripping the code down to the barest essentials (replaced e-mails/credentials for public consumption):

#!/usr/bin/python

import httplib2

from apiclient import errors
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

SERVICE_ACCOUNT_EMAIL = 'XXXXXXXXXXXXXXXXXXXXXX@developer.gserviceaccount.com'

SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/blah/blah/XXXXXXXX-privatekey.p12'

f = file(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'rb')
key = f.read()
f.close()

credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key,
 scope='https://www.googleapis.com/auth/admin.directory.user', sub='serviceaccount@our.tld')

# Authorize an HTTP client with the credentials and build the Directory API
# service object that the rest of the snippet uses (omitted from the original paste)
http = credentials.authorize(httplib2.Http())
service = build('admin', 'directory_v1', http=http)

service.users()

members = service.members().get(memberKey = 'serviceaccount@our.tld', groupKey = 'googlegroup@our.tld').execute()

print members

This returns a 403 permissions error:

Traceback (most recent call last):
  File "group_tests.py", line 39, in <module>
    members = service.members().get(memberKey = 'serviceaccount@our.tld', groupKey = 'googlegroup@our.tld').execute()
  File "/XXX/bin/gapps/lib/python2.6/site-packages/oauth2client/util.py", line 137, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/XXX/bin/gapps/lib/python2.6/site-packages/googleapiclient/http.py", line 729, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups/googlegroup%40our.tld/members/serviceaccount%40our.tld?alt=json returned "Insufficient Permission">

I can't tell if the scope is wrong here and, if so, what it should be. This service account is already set with permission for the following scopes (in Security>Advanced Security>API>Manage API client access):

https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group

Or should I be using groups instead of members? Like:

members = service.groups().get(memberKey = 'serviceaccount@our.tld', groupKey = 'googlegroup@our.tld').execute()

Any pointers appreciated; I've been googling around for any help on this for a week now to no avail.

Andrew H.
  • are you using domain wide delegation? does the account have access to groups? https://developers.google.com/drive/web/delegation – Gerardo Jun 22 '15 at 21:16
  • Yes, the service account (which I removed the name of and used serviceaccount@our.tld in the code snippets above) has full permissions for the scopes and the project. This is the only operation I've run into so far that I'm receiving this 403 error for. Again, I suspect it's because I'm not using the proper function/variables going into the execute(). – Andrew H. Jun 23 '15 at 19:29

1 Answer


Got this working:

First off, the scope in the credentials definition was incorrect.

admin.directory.user

changed to:

admin.directory.group

Also had the wrong initialization for the "build":

service.users()

changed to:

service.groups()

And the query statement itself was completely wrong; I went back to the reference doc and kept trying different changes until it took:

members = service.groups().list(domain='our.tld', userKey='user_whos_groups_i_want@our.tld', pageToken=None, maxResults=500).execute()

Hopefully this will be useful to someone else running into the same issue later. Please be aware that not all permission errors Google throws back are literally because of permissions; it may be that your own code has conflicting scopes that you're trying to use.

Andrew H.
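The answer's `groups().list` call fetches only the first page of a user's groups. As an added example (not Andrew's code or Google's client library), here is the discovery-and-removal step the question set out to do, following `nextPageToken` so no group is missed; the `service` wiring, the scope remark and the offline `FakeDirectory` stand-in are my assumptions.

```python
# Added example (not code from the question or answer): the step the question
# is about, finding every group a user is in and removing the user from each
# before the account is deleted. With Google's client, `service` would be
# build('admin', 'directory_v1', http=http) with credentials scoped to
# https://www.googleapis.com/auth/admin.directory.group (the delete call needs
# the full .group scope, not .group.readonly). FakeDirectory is a constructed
# offline stand-in with the same call/response shape, so this runs without Google.
from types import SimpleNamespace

def groups_for_user(service, user_email, page_size=200):
    """Every group e-mail the user belongs to, following nextPageToken; the
    answer's single call with pageToken=None only returns the first page."""
    groups, token = [], None
    while True:
        resp = service.groups().list(userKey=user_email, maxResults=page_size,
                                     pageToken=token).execute()
        groups.extend(g["email"] for g in resp.get("groups", []))
        token = resp.get("nextPageToken")
        if not token:
            return groups

def remove_user_from_all_groups(service, user_email):
    """Remove the user from each group found; returns the groups touched."""
    removed = []
    for group in groups_for_user(service, user_email):
        service.members().delete(groupKey=group, memberKey=user_email).execute()
        removed.append(group)
    return removed

class FakeDirectory:
    """Constructed Directory API stand-in: pages a user's groups two at a time."""
    def __init__(self, membership, page_size=2):
        self.membership = {u: list(g) for u, g in membership.items()}
        self.page_size = page_size
    def groups(self):
        return self
    def members(self):
        return self
    def list(self, userKey, maxResults=None, pageToken=None):
        start = int(pageToken or 0)
        all_groups = self.membership.get(userKey, [])
        page = all_groups[start:start + self.page_size]
        resp = {"groups": [{"email": g} for g in page]}
        if start + self.page_size < len(all_groups):
            resp["nextPageToken"] = str(start + self.page_size)
        return SimpleNamespace(execute=lambda: resp)
    def delete(self, groupKey, memberKey):
        self.membership[memberKey].remove(groupKey)
        return SimpleNamespace(execute=lambda: None)
```

Three groups with a page size of two force a second page, which is exactly the case a single `list` call with `pageToken=None` would silently drop.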