0

I'm trying to use domain-wide delegation on a service account to fetch some info from the Admin SDK to generate reports. I have an already working codebase which I use with a G Suite domain. I wanted to use that same code to generate reports for another domain, so I set up a GCP project for this other domain. I created a service account, enabled domain-wide delegation on it, and enabled the scopes for the service account. When I try to make any API call impersonating any account on the domain, I get the following error:

adminService.activities().list(userKey='all', applicationName='meet').execute()
google.auth.exceptions.RefreshError: ('access_denied: Account restricted', '{\n  "error": "access_denied",\n  "error_description": "Account restricted",\n  "error_uri":<url>}')

Here's the code I use to create the service:

from google.oauth2 import service_account
from googleapiclient.discovery import build


# Wrapper function name is assumed; the original snippet only showed the body.
def build_reports_service(credentialsPath, email):
    # Load the service account key and request the scopes that were authorized
    # for its client ID in the Admin console
    credentials = service_account.Credentials.from_service_account_file(credentialsPath,
        scopes=['https://www.googleapis.com/auth/admin.reports.audit.readonly',
        "https://www.googleapis.com/auth/classroom.announcements.readonly",
        "https://www.googleapis.com/auth/classroom.courses.readonly",
        "https://www.googleapis.com/auth/classroom.coursework.students.readonly",
        "https://www.googleapis.com/auth/classroom.profile.emails",
        "https://www.googleapis.com/auth/classroom.rosters.readonly",
        "https://www.googleapis.com/auth/classroom.student-submissions.students.readonly",
        "https://www.googleapis.com/auth/classroom.topics.readonly"
        ])

    # Domain-wide delegation: act as this user (an admin, for the Reports API)
    delegated_credentials = credentials.with_subject(email)

    return build('admin', 'reports_v1', credentials=delegated_credentials)

Again, this shouldn't be a programming problem, since the exact same code is working for another domain. I think I'm missing something on the admin/GCP configuration side, but I can't figure out what, and I haven't found this exact error anywhere on the internet.

  • Have you enabled all the scopes you want to use in the Google Admin console? [admin.google.com](admin.google.com) `Security > Advanced settings > Manage API client access` then enter all your scopes for the client with your service account's client ID. – Rafa Guillermo Apr 27 '20 at 14:46
  • Yes, all the scopes are enabled for the client ID of my service account. – Fabio ProtoType22 De simone Apr 27 '20 at 14:53
  • You say `impersonating any account on the domain`, but only domain admins have the ability to access the reports API, so this can't be run as anyone but them. Also, have you made sure that you're not accidentally using the credentials for the service account on the other domain? – Rafa Guillermo Apr 27 '20 at 15:29
  • Yes, I was just emphasizing that I tried with multiple accounts, but I usually try to impersonate a super admin. Also yes, I made sure I'm using the correct credentials. To be completely sure I tried it, and if I use the email from another domain on a service account, the error is completely different. Edit: to be precise, if you try to impersonate an account on a service account that is used on a different domain, the error is `unauthorized_client`, which makes sense. However, I really can't understand what `access_denied: Account restricted` could mean. – Fabio ProtoType22 De simone Apr 27 '20 at 15:41
  • Is the domain a newly created G Suite domain? Also, what G Suite edition is the domain? (Basic/Enterprise/Business/Legacy/etc)? – Rafa Guillermo Apr 28 '20 at 07:05
  • No, the domain is not newly created; we are using G Suite Education, and the working domain is also Education. – Fabio ProtoType22 De simone Apr 28 '20 at 10:16

1 Answer

0

Turns out that for domain-wide delegation to work, you have to enable this thing

that roughly translates to "additional services without individual control" on the organizational unit to which the user that created the GCP project belongs. You can do that via the tooltip that appears on top of the Applications > Additional Google Services page in the administration panel.
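An added offline troubleshooting helper for the situation in this thread: the question's delegated-credential setup and the answer's "Account restricted" fix. This is example code written for this page, not code from the original post, the answer, or google-auth. It uses only the standard library and never contacts Google: it builds the JWT claim set that `with_subject()` makes google-auth sign (the `sub` claim is the impersonation), diffs the requested scopes against the ones authorized for the client ID in the Admin console, flags scopes the reports service does not need, and classifies the token endpoint's error JSON using only the causes named on this page. The key file contents, scope sets, sample error body and all function names are constructed assumptions.

```python
"""Offline helper for troubleshooting Google domain-wide delegation (DWD).

Added example, not code from the original post or from google-auth.
Standard library only; nothing here talks to Google.
"""
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
REPORTS_AUDIT_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Constructed stand-in for a service-account key file (assumed values, no key material).
SA_INFO = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "reports@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": TOKEN_URI,
}

# What the code requests, and an assumed Admin-console authorization for the
# client ID (Security > Advanced settings > Manage API client access).
REQUESTED_SCOPES = [
    REPORTS_AUDIT_SCOPE,
    "https://www.googleapis.com/auth/classroom.courses.readonly",
    "https://www.googleapis.com/auth/classroom.rosters.readonly",
]
AUTHORIZED_SCOPES = {
    REPORTS_AUDIT_SCOPE,
    "https://www.googleapis.com/auth/classroom.courses.readonly",
}

# Constructed error body in the shape quoted in the question (error_uri is a placeholder).
SAMPLE_ERROR_BODY = json.dumps({
    "error": "access_denied",
    "error_description": "Account restricted",
    "error_uri": "https://example.invalid/error",
})


def dwd_claims(sa_info, subject, scopes, now=None):
    """Claim set google-auth signs with RS256 when Credentials.with_subject() is used.

    'iss' is the service account, 'sub' the user being impersonated. The token
    endpoint honours 'sub' only if this client_id was authorized for every listed
    scope in the impersonated user's domain; otherwise it answers unauthorized_client.
    """
    now = int(time.time() if now is None else now)
    return {
        "iss": sa_info["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": sa_info["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


def unsigned_assertion(claims):
    """header.payload part of the JWT assertion (base64url, no padding).

    The signature is left out on purpose; real code signs with the key file's
    private_key. Handy for inspecting what is about to be sent.
    """
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims)


def missing_scopes(requested, authorized):
    """Scopes the code asks for that the Admin console never granted to this client ID."""
    return sorted(set(requested) - set(authorized))


def surplus_scopes(requested, needed):
    """Least privilege: delegated scopes beyond what the reports service actually uses."""
    return sorted(set(requested) - set(needed))


def classify_refresh_error(body):
    """Map a RefreshError JSON body to the causes discussed in this thread."""
    err = json.loads(body)
    code = err.get("error")
    desc = err.get("error_description", "")
    if code == "unauthorized_client":
        # Key file from another domain, or client_id/scopes not authorized in this one.
        return "client_or_scopes_not_authorized_in_domain"
    if code == "access_denied" and "restricted" in desc.lower():
        # Per the accepted answer: "additional services without individual control"
        # was off for the organizational unit of the user who created the GCP project.
        return "ou_additional_services_without_individual_control_off"
    return "unknown"


if __name__ == "__main__":
    claims = dwd_claims(SA_INFO, "admin@example.edu", REQUESTED_SCOPES)
    print(unsigned_assertion(claims))
    print("missing:", missing_scopes(REQUESTED_SCOPES, AUTHORIZED_SCOPES))
    print("surplus:", surplus_scopes(REQUESTED_SCOPES, {REPORTS_AUDIT_SCOPE}))
    print("cause:", classify_refresh_error(SAMPLE_ERROR_BODY))
```

Run it as a script to see the unsigned assertion, the scope diffs and the classification of the constructed error body. The `surplus_scopes` check is the least-privilege point worth keeping in mind: a client that only builds the `reports_v1` service needs `admin.reports.audit.readonly`, and every extra scope authorized for a domain-wide delegation client ID is a scope the key file can use against every user in the domain.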