
I'm using this site for testing: https://developers.google.com/classroom/reference/rest/v1/courses/list

I have a project set up with a service account:

  • The account was created with read-only domain access.
  • A project was set up after the fact.
  • I then added the account after the fact.
  • I then enabled the Classroom API in that project.
  • I added the courses scope at the site linked above to domain wide delegation for the service account.

My admin account gets a 200 response with a full list of courses. My service account gets an empty 200 response. If I grant the service account domain admin, it returns a full list of courses. I'm happy to provide sanitized screenshots if needed, but does anyone know what rights a service account needs, short of domain admin, to be able to access Google Classroom data through the APIs?

Ischade
    When you say `If I grant the service account domain admin it returns a full list of courses`, you mean the SA is **impersonating** a domain admin? The SA has access to the same courses the impersonated account has access to: for example, courses in which the impersonated account is a teacher or a student. If the SA doesn't impersonate anyone, it will only return the courses it has access to (which I think will always be none, since the SA cannot be added to a course, nor can it create one, AFAIK). To retrieve the full list, the SA should impersonate a domain admin. – Iamblichus Aug 31 '20 at 11:23
  • Would the above comment answer your question? If that's the case, I'd consider posting an answer expanding on this explanation. – Iamblichus Aug 31 '20 at 11:27
  • That kind of answers it. Is there any way to get a SA setup without domain admin that can read the whole environment? Based on what you've said it sounds like it isn't, but I want to be sure. – Ischade Aug 31 '20 at 22:13
  • Hi! I posted an answer, I hope your question is clarified by this. – Iamblichus Sep 01 '20 at 11:03

1 Answer

Impersonating an account in the domain:

A service account that has been granted domain-wide authority can access the same data as the account it is impersonating.

As explained in this answer, only domain administrators can access all the courses in the domain. The rest of the users can only access the courses they are part of (as teachers, students, etc.).

So the only way for a service account to retrieve all courses in the domain is to impersonate a domain admin (or have another account added to each course in the domain).

Service account by itself:

On the other side, a service account that has not been granted domain-wide authority, or that is not using this authority to impersonate another account, will only have access to the courses it has been added to.

And since a service account is technically not part of the domain, it cannot be added to a course in the domain (only accounts within the domain can be added to a course – what sense would it make, anyway, to have a service account as a teacher or a student of a course?).

So, a call to courses.list cannot return any course in the domain: it will return any courses that the service account might have created on its own, which are not part of the domain.

Reference:

Iamblichus
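The impersonation step the answer describes, written out as an added example (this is not code from the question, the answer, or Google's documentation). It assumes a placeholder key file `service-account.json` and a placeholder admin address `admin@example.com`; the `FakeCoursesResource` class is a constructed stand-in for `service.courses()` so the paging logic runs without network access. The two things it demonstrates that the prose does not spell out are where the impersonation actually happens in code (`with_subject()`; without it the SA calls as itself and gets the empty 200 from the question) and that the scope string requested by the client must match one granted under domain-wide delegation, otherwise the token request fails before any course is listed.

```python
"""Added example: list every course in a Workspace domain by letting a service
account with domain-wide delegation impersonate a domain admin.

Placeholders (assumptions, not values from the page): SERVICE_ACCOUNT_FILE, ADMIN_SUBJECT.
"""
import os
from typing import Any, Dict, Iterable, List, Optional

# Narrowest Classroom scope that lets courses.list succeed. The exact string must
# be the one granted to the service account's client ID under domain-wide delegation.
COURSES_READONLY_SCOPE = "https://www.googleapis.com/auth/classroom.courses.readonly"

SERVICE_ACCOUNT_FILE = "service-account.json"  # assumption: path to the SA key file
ADMIN_SUBJECT = "admin@example.com"             # assumption: domain admin to impersonate


def missing_scopes(requested: Iterable[str], delegated: Iterable[str]) -> List[str]:
    """Return requested scopes that were not granted to the SA in the Admin console.

    A non-empty result means the delegated token request is rejected outright,
    which is a different failure from the empty 200 in the question, so it is
    worth checking before calling the API."""
    granted = set(delegated)
    return sorted(s for s in set(requested) if s not in granted)


def delegated_classroom_service(subject: str = ADMIN_SUBJECT,
                                key_file: str = SERVICE_ACCOUNT_FILE) -> Any:
    """Build a Classroom client whose calls run as `subject`.

    Needs google-auth and google-api-python-client; imported here so the
    offline helpers in this module work without them installed."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=[COURSES_READONLY_SCOPE])
    # with_subject() is the impersonation step: without it the SA acts as itself,
    # owns no domain courses, and courses.list comes back empty.
    return build("classroom", "v1", credentials=creds.with_subject(subject))


def list_all_courses(courses_resource: Any, page_size: int = 100) -> List[Dict[str, Any]]:
    """Walk every page of courses.list and return the combined course list.

    `courses_resource` is service.courses() from the real client, or any object
    whose list(...).execute() returns {"courses": [...], "nextPageToken": "..."}."""
    courses: List[Dict[str, Any]] = []
    page_token: Optional[str] = None
    while True:
        params: Dict[str, Any] = {"pageSize": page_size}
        if page_token:
            params["pageToken"] = page_token
        resp = courses_resource.list(**params).execute()
        courses.extend(resp.get("courses", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return courses


class _FakeRequest:
    """Mimics the request object returned by the real client's list() call."""

    def __init__(self, resp: Dict[str, Any]) -> None:
        self._resp = resp

    def execute(self) -> Dict[str, Any]:
        return self._resp


class FakeCoursesResource:
    """Constructed stand-in for service.courses(): two pages of made-up courses,
    with "p2" as the only valid continuation token."""

    _PAGES: Dict[Optional[str], Dict[str, Any]] = {
        None: {"courses": [{"id": "101", "name": "Algebra I"}], "nextPageToken": "p2"},
        "p2": {"courses": [{"id": "102", "name": "Biology"}]},
    }

    def list(self, pageSize: int = 100, pageToken: Optional[str] = None) -> _FakeRequest:
        return _FakeRequest(self._PAGES[pageToken])


if __name__ == "__main__":
    # Offline run against the constructed pages.
    for course in list_all_courses(FakeCoursesResource()):
        print(course["id"], course["name"])
    # Only touch the real API when a key file is actually present.
    if os.path.exists(SERVICE_ACCOUNT_FILE):
        service = delegated_classroom_service()
        for course in list_all_courses(service.courses()):
            print(course["id"], course.get("name"))
```

The read-only scope is deliberately the only one requested: impersonating a domain admin gives the token that admin's reach over every course, so the scope list is the remaining place to keep that reach narrow, and it should be granted for exactly this client ID rather than a broad Classroom scope.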