0

I am using a serverless Python function for retrieving G Suite logs. I have done the following to authenticate against Admin SDK:

1) Created a project 2) Created a service account with the Project->Owner role 3) Create a private key (JSON) file 4) Enabled domain-wide delegation 5) Enabled the Admin SDK 6) Delegate domain-wide authority via 'One or More API Scopes' by authorizing my service account with https://www.googleapis.com/auth/admin.reports.audit.readonly

Now, when running my authorized application I use 1) the username (privileged user's email address) with access to the created service account and 2) the private key (JSON) file for the service account.

When authorizing my application, I use ServiceAccountCredentials from the oauth2client.service_account package.

The Question:

When running my application, I can't authorize against G Suite unless I use the username (email address) of a privileged user. When I substitute this email address for the service account's email address, I can't retrieve G Suite logs.

Is it possible to configure the service account to allow authorization via the service account email address? If so, how can I do that?

N Altun
  • 95
  • 1
  • 2
  • 9
  • 1
    Service accounts are not part of a G Suite organization. For APIs that require a user identity in G Suite, you need to impersonate (Act As) the user. This is the purpose of Domain-Wide Delegation. – John Hanley May 07 '19 at 06:02

1 Answers1

0

I have found the answer to the question. A service account's email address cannot be used.

The proper steps for retrieving G Suite logs is to either 1) use or 2) create a user with the access rights for reviewing the logs.

If a user must be created, this can be done at the user's console on from Google Admin console. After, the appropriate role(s) can be created at Google IAM. Finally, these roles can be applied to the user at the Google Admin console.

N Altun
  • 95
  • 1
  • 2
  • 9