1

As a super admin, I tried to list the labels of a test user using the following code, taken from this link, but with no success: https://developers.google.com/apps-script/advanced/gmail

```javascript
function listLabelInfo() {
  var response =
    Gmail.Users.Labels.list('testuser@domain.com');
  for (var i = 0; i < response.labels.length; i++) {
    var label = response.labels[i];
    Logger.log(JSON.stringify(label));
  }
}
```

The error I get is this: `Delegation denied for myaccount@domain.com (line 2, file "Code")`.

Per instructions on the page, I did the following:

  1. Turned on Gmail API by going to Resources > Advanced Google services....
  2. Enabled Gmail API from the API Console of this project by going to Resource > Cloud Platform Project and then clicking on the My Project Name - project-id-0123456789012345678
  3. Created a Service account and checked the box for Enabled G Suite Domain-Wide Delegation
  4. On the Manage API Client Access console of the domain, entered the scope https://www.googleapis.com/auth/gmail.labels against the Client ID for the Service Account created in step#3 above.

I'm still getting the same error. If I use 'me' instead of 'testuser@domain.com', it shows all my labels.

What am I missing here?

Any help is greatly appreciated.

Rafiq
  • Are you using an actual `@gmail.com` account or exactly `testuser@domain.com`? – AL. Jun 01 '17 at 10:59
  • 'testuser@domain.com' is a dummy account. I used an actual test account of my company's Google Apps email domain. I saw a few examples for adding client ID, client secret and scopes to the project properties using some script but could not be successful. – Rafiq Jun 01 '17 at 11:15

2 Answers

0

You cannot impersonate users from Apps Script. You cannot use a service account in Apps Script. The script always runs as you, not the service account.

When you create a service account and enable domain-wide delegation, you have to use the service account from a client library (Java, PHP, Python, etc.).

cheers

miturbe
  • Please elaborate on how I am incorrect. The script either runs under the user accessing the script or the person who wrote it. But it cannot be run by the superadmin and have the superadmin impersonate someone. What you could do is set up OAuth2 in Apps Script, but then that just gives you the token and you would have to use HTTP requests as opposed to the libraries within Apps Script – miturbe Jun 01 '17 at 18:50
  • Hmm! Impersonating is not possible. Got it. I thought you said it is not possible with Apps Script. I removed my comment. My understanding is that I can access a user account with the Gmail service (https://developers.google.com/apps-script/reference/gmail/) and can even delete user email threads. As an admin, I am required to do that, specifically when an email with a malicious attachment/link is delivered to users' mailboxes. Do you have any guidelines I can follow to do so? The OAuth2 client ID is created for the script in the API Console. The service account also has an OAuth2 client ID created. – Rafiq Jun 01 '17 at 19:58
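
The service-account flow this answer refers to, as an added example that is not part of the original thread: Node.js code that builds the signed JWT assertion for domain-wide delegation, with the impersonated user in `sub`, and the form body that exchanges it for an access token. The service account address, the timestamp and the throwaway key pair are constructed placeholders; a real key comes from the service account's JSON key file.

```javascript
// Added example; identities and the key pair below are constructed placeholders.
const crypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (data) => Buffer.from(data).toString('base64url');

// Build and sign the JWT assertion for the domain-wide delegation flow.
// `sub` names the user to impersonate; every scope must already be authorized
// for the service account's client ID in the domain's admin console.
function buildDelegationAssertion({ serviceAccount, subject, scopes, privateKey, now }) {
  const iat = Math.floor((now ?? Date.now()) / 1000);
  const claims = {
    iss: serviceAccount,
    sub: subject,
    scope: scopes.join(' '),
    aud: TOKEN_URL,
    iat,
    exp: iat + 3600, // assertions may be valid for at most one hour
  };
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Form body POSTed to TOKEN_URL to exchange the assertion for an access token.
function tokenRequestBody(assertion) {
  const grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
  return new URLSearchParams({ grant_type, assertion }).toString();
}

// Local check of signature and claims, to inspect an assertion before sending it.
function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  const sig = Buffer.from(s, 'base64url');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${c}`), publicKey, sig);
  return { ok, claims: JSON.parse(Buffer.from(c, 'base64url').toString()) };
}

// Constructed demo: throwaway key pair, placeholder service account and user.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwt = buildDelegationAssertion({
    serviceAccount: 'svc@project-id.iam.gserviceaccount.com', // placeholder
    subject: 'testuser@domain.com',
    scopes: ['https://www.googleapis.com/auth/gmail.labels'],
    privateKey, now: 1496314800000,
  });
  return { jwt, body: tokenRequestBody(jwt), ...verifyAssertion(jwt, publicKey) };
}
```

The access token returned by the token endpoint is sent as a `Bearer` token on a request to `https://gmail.googleapis.com/gmail/v1/users/testuser@domain.com/labels`. Keeping the authorized scope as narrow as `gmail.labels` limits what a leaked service account key can do across the domain.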
0

If you don't have to resolve this issue by yourself using Apps Script, there is a 'must have' tool for every G Suite administrator for managing anything that has to do with the user. The tool is called GAM; here is the GitHub repo URL: https://github.com/jay0lee/GAM/wiki

Basically, GAM is a command-line tool that allows administrators to manage many aspects of their G Suite account, including groups, calendars and much more.

korchix