
I am using the Google Admin SDK Reports V1 API to gather all admin activities from the Google Apps admin panel.

My Google API Python client was recently updated to version "google-api-python-client (1.5.1)".

Previously I was using the following:

from oauth2client.client import SignedJwtAssertionCredentials

serviceAccountEmail = "blahblablah1233324@developer.gserviceaccount.com"
key = "google-apps-file.p12"
scopes = ['https://www.googleapis.com/auth/admin.reports.audit.readonly']


credentials = SignedJwtAssertionCredentials(
    serviceAccountEmail, key, scope=scopes, sub=userEmail)

Then Google dropped support for SignedJwtAssertionCredentials. So I switched to this.

from oauth2client.service_account import ServiceAccountCredentials

serviceAccountEmail = "blahblablah1233324@developer.gserviceaccount.com"
key = "google-apps-file.p12"
scopes = ['https://www.googleapis.com/auth/admin.reports.audit.readonly']

credentials = ServiceAccountCredentials.from_p12_keyfile(
    serviceAccountEmail, key, scopes=scopes)

OK, so this should be a relatively easy, small code change; however, when I ran the code I got the following error:

  File "/usr/local/lib/python2.7/site-packages/oauth2client/util.py", line 137, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/googleapiclient/http.py", line 832, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 401 when requesting https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?alt=json returned "Access denied. You are not authorized to read activity records.">

So no permissions have changed. One thing I am noticing, though, is that the original code is asking for a sub=userEmail (which is an account to impersonate; that account would have specific admin privileges over the Google Apps domain).

It would make sense that I would get the 401; however, there is no mention of a sub=userEmail parameter in the new documentation.

daguy666

1 Answer

I realized what I was missing.

Originally I had

f = open(serviceAccountKeyLocation, 'rb')
key = f.read()
f.close()

# Packaging up the auth parameters to pass along with the request.
credentials = SignedJwtAssertionCredentials(serviceAccountEmail, key, scope=scopes, sub=userEmail)
http = credentials.authorize(http)
return http

I then did some reading up and further research.

Then replaced it with this.

credentials = ServiceAccountCredentials.from_p12_keyfile(serviceAccountEmail,
                                                         serviceAccountKeyLocation,
                                                         scopes=scopes)
delegate_credentials = credentials.create_delegated(userEmail)  # this fixes the sub user
http = delegate_credentials.authorize(http)
return http

The version of the Google API Python client I was running was still making use of from oauth2client.client import SignedJwtAssertionCredentials, while the new updated version uses from oauth2client.service_account import ServiceAccountCredentials.

daguy666
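An added illustration, not code from the post or from oauth2client: in the JWT-bearer flow a service account uses, the impersonated user travels as the sub claim of the signed assertion, which is what create_delegated(userEmail) sets. The example builds the claim set with and without sub and reports which identity the resulting token would carry; the helper names, account names and token endpoint value are constructed for the example, and a placeholder stands in for the real RS256 signature.

```python
import base64
import json

# Constructed sample values (assumptions for this example).
TOKEN_URI = "https://oauth2.googleapis.com/token"
SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_unsigned_assertion(issuer, scopes, now, sub=None):
    """Return header.claims.signature with a placeholder signature segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": issuer, "scope": " ".join(scopes), "aud": TOKEN_URI,
              "iat": now, "exp": now + 3600}
    if sub is not None:
        claims["sub"] = sub  # the user the service account acts as
    parts = [_b64url(json.dumps(p, sort_keys=True).encode("utf-8"))
             for p in (header, claims)]
    return ".".join(parts + [_b64url(b"placeholder-signature")])


def describe_assertion(assertion):
    """Decode the claim set and report whose privileges the token requests."""
    _, claims_b64, _ = assertion.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    subject = claims.get("sub")
    return {
        "issuer": claims["iss"],
        "delegated": subject is not None,
        # Without sub, the API evaluates the service account itself,
        # which holds no admin role in the domain.
        "effective_identity": subject or claims["iss"],
        "scopes": claims["scope"].split(),
        "lifetime_seconds": claims["exp"] - claims["iat"],
    }


if __name__ == "__main__":
    sa = "reports-reader@example-project.iam.gserviceaccount.com"  # constructed
    for sub in (None, "admin@example.com"):  # constructed admin user
        token = build_unsigned_assertion(sa, [SCOPE], now=1700000000, sub=sub)
        print(describe_assertion(token))
```

Decoding the assertion this way is also a quick audit step: it shows exactly which user and scopes a job is asking to impersonate before the token request is sent.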