
Looks like I have followed every step (given that the documentation is extremely lacking, it is sourced from multiple places). This is my code:

import json
import random
import string

from httplib2 import Http
from oauth2client.client import SignedJwtAssertionCredentials
from googleapiclient.discovery import build


def create_user(cred_file_location, user_first_name, user_last_name, user_email):
    # Load the downloaded service-account JSON key file
    with open(cred_file_location) as cred_file:
        cred_data = json.load(cred_file)
    access_email = cred_data['client_email']
    private_key = cred_data['private_key']

    # I have tried with the scope as a single string, and also
    # as an array of a single string. Neither worked
    credentials = SignedJwtAssertionCredentials(access_email, private_key, ["https://www.googleapis.com/auth/admin.directory.user"])

    http = Http()
    http = credentials.authorize(http)

    service = build('admin', 'directory_v1', http=http)
    users = service.users()

    userinfo = {
        'primaryEmail': user_email,
        'name': {
            'givenName': user_first_name,
            'familyName': user_last_name
        },
        # Random 80-character initial password drawn from the OS CSPRNG
        'password': ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(80))
    }

    users.insert(body=userinfo).execute()

I downloaded the JSON key right, and it is loading it correctly. This is my JSON key (I am redacting certain parts of identifying information, I have kept some of it there to show that I am loading the correct info):

{
  "type": "service_account",
  "private_key_id": "c6ae56a9cb267fe<<redacted>>",
  "private_key": "<<redacted>>",
  "client_email": "account-1@<<redacted>>.iam.gserviceaccount.com",
  "client_id": "10931536<<redacted>>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account-1%40<<redacted>>.iam.gserviceaccount.com"
}

This is how these credentials look in the developer console:

google developer console screenshot

I have also enabled sitewide access for the service account:

google admin sitewide api access

I have no clue as to why I am still getting these 403s:

File "/usr/lib/python2.7/site-packages/googleapiclient/http.py", line 729, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?alt=json returned "Not Authorized to access this resource/api">

Any help is greatly appreciated.

Rohan Prabhu

1 Answer


Finally, on some random Stack Overflow answer, I found the solution. I have to sub as a user to execute any request. Essentially:

credentials = SignedJwtAssertionCredentials(
    access_email,
    private_key,
    ["https://www.googleapis.com/auth/admin.directory.user"])

changes to:

credentials = SignedJwtAssertionCredentials(
    access_email,
    private_key,
    ["https://www.googleapis.com/auth/admin.directory.user"],
    sub="user@example.org")

All requests will now be made as if they were made on behalf of user@example.org.

Rohan Prabhu
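To make the fix above concrete, the following added example (not code from the question, the answer, or the Google client libraries) builds the claim set that a service-account JWT assertion carries, with and without the `sub` claim, and adds a pre-flight check a defender would want: delegated Directory API calls must name a real user in the delegated domain and must request only the scopes authorized for that client in the admin console. The key file, domain and scope allowlist are constructed stand-ins; nothing is signed or sent.

```python
import json
import time

# Constructed stand-in for the downloaded service-account key file; it carries
# no private key because this block never signs an assertion.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "client_email": "account-1@example-project.iam.gserviceaccount.com",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "client_id": "109315360000000000000",
})

DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"


def build_assertion_claims(key_file_json, scopes, sub=None, now=None):
    """Return the JWT claim set a Google service-account assertion carries.

    iss is the service account, aud the token endpoint, scope the
    space-separated scopes; sub (optional) names the Workspace user the
    request should run as, which is what the answer's fix adds.
    """
    cred = json.loads(key_file_json)
    now = int(time.time()) if now is None else now
    claims = {
        "iss": cred["client_email"],
        "scope": " ".join(scopes),
        "aud": cred["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }
    if sub is not None:
        claims["sub"] = sub
    return claims


def check_delegated_claims(claims, authorized_scopes, domain):
    """Pre-flight check before an assertion is signed and sent.

    Without 'sub' the token identifies only the service account, which is
    not a user in the directory, so the Directory API answers 403
    "Not Authorized". 'sub' must also sit in the delegated domain, and the
    requested scopes must be a subset of those granted in the admin console.
    """
    if "sub" not in claims:
        raise ValueError("no 'sub': request would run as the service account itself")
    if not claims["sub"].endswith("@" + domain):
        raise ValueError("sub %r is outside the delegated domain" % claims["sub"])
    requested = set(claims["scope"].split())
    missing = requested - set(authorized_scopes)
    if missing:
        raise ValueError("scopes not authorized for delegation: %s" % sorted(missing))
    return True
```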