2

Hi, I'm trying to use the Google Cloud Identity APIs in order to retrieve the list of users registered with CI under my organization. I first tried this API, https://cloud.google.com/identity/docs/reference/rest/v1/groups/list, passing the organization ID as the parent field, but I got the following error:

{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}

I've also tried https://cloud.google.com/identity/docs/reference/rest/v1/groups/get, passing "groups/" as name, but this time I got this output:

{
  "error": {
    "code": 403,
    "message": "Error(2017): User does not have permission to get group 'groups/abcpi1tg3uve2ab' (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ResourceInfo",
        "resourceType": "cloudidentity.googleapis.com/Group",
        "resourceName": "groups/abcpi1tg3uve2ab",
        "owner": "domain:cloudidentity.googleapis.com",
        "description": "Error(2017): User does not have permission to get group 'groups/abcpi1tg3uve2ab' (or it may not exist)."
      }
    ]
  }
}

and I'm using the same account I use to log into the Admin console. I'm testing the APIs via the APIs Explorer with a superadmin user. Can anyone please tell me what I'm doing wrong and what the "parent" required field exactly means in the first API?

  • Edit your question to show exactly how you are calling the endpoints, including the HTTP headers. As written, your question does not have enough details to help you. Also, limit your question to one item showing the calling method and complete error messages. Also, where/how are you generating the OAuth access token that authorizes these calls? Include the request scopes. – John Hanley Jan 28 '20 at 15:52
  • @JohnHanley I'm using the Google API Explorer, which automatically creates the request including the OAuth2 header parameters – fabrizia binetti Jan 28 '20 at 16:14
  • This could be happening because you don't have an IAM role as "Owner" for GCP, even if you are logging in with your super admin user for G Suite. Please share the complete output of the API call, avoiding sharing PII. – Jujosiga Jan 28 '20 at 17:55
  • @Jujosiga I've edited the question including the output details – fabrizia binetti Jan 29 '20 at 09:54
  • Just a quick question: by using this API call, are you trying to retrieve Google Cloud Platform groups or G Suite groups? – Jujosiga Jan 29 '20 at 16:50
  • @Jujosiga Actually what I need to do is to retrieve users registered on Cloud Identity – fabrizia binetti Jan 30 '20 at 09:08
  • I ran some tests and it seems there is some issue with the Cloud Identity method to get the groups; please use this [1] other method from G Suite to get the groups from Identity. I also tested an interesting function to retrieve these groups that may help you; please take a look at it [2]. Please let me know if this helps you so I can post it as an answer. [1] https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups [2] https://medium.com/google-cloud/how-to-control-access-to-bigquery-at-row-level-with-groups-1cbccb111d9e – Jujosiga Jan 31 '20 at 21:21

2 Answers

0

There seems to be some issue with these Cloud Identity methods; I was not able to make them work properly.

I suggested some other ways that have been tested to retrieve this group information:

I ran some tests and it seems there is some issue with the Cloud Identity method to get the groups; please use this other method from G Suite to get the groups from Identity.

I also tested an interesting function to retrieve these groups that will help you; please take a look at it.

Jujosiga
0

I successfully found a way to use it. For instance, I tried to use membership lookup, and after struggling a bit: you have to uncheck API Key. And group_id is not the group's email but the ID that you can find in the Admin console. It looks something like this: 028g0dx5903cNq

Raphael Obadia
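The identifier mix-ups in this thread (a bare organization ID passed as `parent`, a group e-mail used where a group ID is expected) can be caught before the request is sent. This is an added example, not code from the posters or from Google; it assumes the resource-name formats given in the current Cloud Identity v1 reference (`customers/{customer_id}` for `groups.list`, `groups/{id}` for membership lookup), and `C0example` and the e-mail addresses are constructed placeholders.

```python
import re
from urllib.parse import urlencode

BASE = "https://cloudidentity.googleapis.com/v1"
# Resource-name shapes assumed from the Cloud Identity v1 reference.
PARENT_RE = re.compile(r"^(customers|identitysources)/[A-Za-z0-9_-]+$")
GROUP_NAME_RE = re.compile(r"^groups/[A-Za-z0-9_-]+$")


def list_groups_url(parent, page_size=50):
    """groups.list: parent is customers/{customer_id}, not a bare GCP org ID."""
    if not PARENT_RE.match(parent):
        raise ValueError(f"parent must be customers/<id> or identitysources/<id>, got {parent!r}")
    return f"{BASE}/groups?" + urlencode({"parent": parent, "pageSize": page_size})


def lookup_group_url(group_email):
    """groups.lookup: resolve a group e-mail to its groups/{id} resource name."""
    if "@" not in group_email:
        raise ValueError("groups.lookup expects the group's e-mail address")
    return f"{BASE}/groups:lookup?" + urlencode({"groupKey.id": group_email})


def membership_lookup_url(group, member_email):
    """memberships.lookup: the path takes the group ID, never the e-mail."""
    name = group if group.startswith("groups/") else f"groups/{group}"
    if "@" in name or not GROUP_NAME_RE.match(name):
        raise ValueError(f"{group!r} is not a group ID; resolve the e-mail with groups.lookup first")
    return f"{BASE}/{name}/memberships:lookup?" + urlencode({"memberKey.id": member_email})


def check(builder, *args):
    """Return the URL, or the local validation error instead of a remote 400/403."""
    try:
        return builder(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample values; C0example is a placeholder customer ID.
    print(check(list_groups_url, "123456789012"))
    print(check(list_groups_url, "customers/C0example"))
    print(check(lookup_group_url, "team@example.com"))
    print(check(membership_lookup_url, "team@example.com", "alice@example.com"))
    print(check(membership_lookup_url, "028g0dx5903cNq", "alice@example.com"))
```

The URLs still need an OAuth 2.0 bearer token with a Cloud Identity groups scope; the sketch only validates identifiers and builds the request.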