
My team is currently developing an application to list my company's domain users in GCP, using the Admin SDK, for onboarding and offboarding purposes.

We're using a service account to do this and we have added the admin.directory.user.readonly scope, in the Google Admin's advanced settings, to it. The Admin SDK API is activated and we can see the service account in the Credentials area.

When we invoke the https://www.googleapis.com/admin/directory/v1/users endpoint with the parameters viewType=domain_public and domain=[our domain], while using an access token generated with oauth2l, we receive the following message:

{
   "error": {
       "errors": [
           {
               "domain": "global",
               "reason": "forbidden",
               "message": "Not Authorized to access this resource/api"
           }
       ],
       "code": 403,
       "message": "Not Authorized to access this resource/api"
   }
}

Could there be any domain restriction being applied that we don't have vision of?

André Dias
  • I usually implement a longer flow so I'm going to give you an answer of which I'm not 100% sure. Of course your SA doesn't have rights to perform that operation on your domain. Go in the admin console and create a new admin role with the rights you need. Try to add your SA to that role. – Pievis Feb 05 '20 at 15:37
  • Did you enable Domain Wide Delegation on the service account? – John Hanley Feb 05 '20 at 16:06
  • @JohnHanley we have tried this, but to no avail. Is this a requirement? Because from what I understood of it is that it's only needed for user impersonation and at no point in the documentation for the API does it say it's a requirement. – André Dias Feb 05 '20 at 17:03
  • Yes, this is a requirement. A service account without Domain Wide Delegation has no rights to G Suite. – John Hanley Feb 05 '20 at 17:04
  • @Pievis none of the provided roles/permissions given by GCP cover anything related to the Admin SDK API. What roles are you referring to? – André Dias Feb 06 '20 at 10:00
  • @JohnHanley Activating Domain-Wide Delegation did not fix our issue. – André Dias Feb 06 '20 at 10:32
  • "Did not fix our issue". You need to enable delegation correctly. Either edit your question or create a new question with specifics. – John Hanley Feb 06 '20 at 13:22
  • Apart from activating domain-wide delegation, you also need to go to the admin console, Settings -> Manage API client access and provide your service account the necessary scopes (e.g. `https://www.googleapis.com/auth/admin.directory`) – ziganotschka Feb 07 '20 at 11:37

1 Answer


The service account does not have permission to call the Directory API for your G Suite instance. What it does have access to do is act as a user in your domain within the context of the Directory API scope(s) you granted it access to.

When getting service account credentials you need to add the sub=admin@yourdomain.com parameter so that you are acting as your domain admin, not the service account. See:

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

And some code examples at:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Jay Lee
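The answer above says the fix is the `sub` claim (impersonate a domain admin rather than calling as the service account), and the comments add that the admin console must list the scope for that service account. The following is an added example, not code from the question, the answer, or Google's libraries: it builds the domain-wide-delegation JWT assertion with `iss` = service account, `sub` = admin user and `scope` = the Directory scope, checks the claims for the mistake the question describes, and prepares the token-endpoint request body. The service-account address, admin address and timestamp are constructed sample values; `rs256_signer_from_pem` assumes the third-party `cryptography` package for the real signature, and the standard-library parts run without it.

```python
"""Build the domain-wide-delegation JWT a service account exchanges for an
access token, acting as a domain admin via the sub claim (added example)."""
import base64
import json
import time
from typing import Callable, Dict, Iterable, List, Optional

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# The scope the question granted in the admin console; the assertion must use
# exactly the scopes listed there for this service account's client ID.
DIRECTORY_USER_READONLY = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_delegation_claims(sa_email: str, subject: str, scopes: Iterable[str],
                            now: Optional[int] = None, lifetime: int = 3600) -> Dict:
    """Claims for a delegated token: iss is the service account, sub is the
    domain user being impersonated (the piece the question was missing)."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def check_claims(claims: Dict) -> List[str]:
    """Return the problems that would leave the Directory call with a 403."""
    problems = []
    if not claims.get("sub"):
        problems.append("missing sub: the token acts as the service account, "
                        "which has no rights in the G Suite domain")
    if not claims.get("scope"):
        problems.append("missing scope: nothing granted in the admin console is requested")
    if claims.get("aud") != TOKEN_URI:
        problems.append("aud must be the OAuth 2.0 token endpoint")
    if claims.get("exp", 0) - claims.get("iat", 0) > 3600:
        problems.append("assertion lifetime may not exceed one hour")
    return problems


def build_jwt(claims: Dict, sign: Callable[[bytes], bytes]) -> str:
    """Serialize header.claims and append the signature produced by `sign`."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    signature = sign(signing_input.encode("ascii"))
    return signing_input + "." + _b64url(signature)


def decode_unverified_claims(jwt: str) -> Dict:
    """Read the claims back for inspection only; this does not verify the signature."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def rs256_signer_from_pem(pem: bytes) -> Callable[[bytes], bytes]:
    """RS256 signer over the private_key from the service-account JSON file.
    Assumes the `cryptography` package; imported lazily so the rest runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_body(jwt: str) -> Dict[str, str]:
    """Form body POSTed to TOKEN_URI; the response carries the access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": jwt}


if __name__ == "__main__":
    # Constructed sample values; real ones come from the service-account key file.
    claims = build_delegation_claims("svc@example-project.iam.gserviceaccount.com",
                                     "admin@example.com", [DIRECTORY_USER_READONLY])
    print("problems:", check_claims(claims) or "none")
    without_sub = {k: v for k, v in claims.items() if k != "sub"}
    print("without sub:", check_claims(without_sub))
```

The access token obtained from the `assertion` then carries the admin's identity, which is why the `users` endpoint stops answering 403 once the scope in the assertion matches one granted to the service account's client ID in the admin console.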