2

I'm trying to fetch all the members of a Google Group using the discovery API. So I used the code given in the doc but I get the following error:

'Error(2033): Group resource name has the correct format of `groups/{group_id}`, but it contains an invalid `{groupd_id}`

I used as group_id the email of the Google Group or the plain text name but the error persists. What is the correct syntax for that group id?

Code:

group_id = 'my_google_group@my_organization.com'
request = service.groups().memberships().searchTransitiveMemberships(parent=f'groups/{group_id}')
Tristan Bilot
  • 479
  • 5
  • 16

3 Answers3

3

You can get get the group_id of a group that you know the e-mail of using the gcloud console:

$ gcloud identity groups describe your-group-name@domain.com

which will return something similar to:

createTime: '2019-01-01T00:00:00.000000Z'
displayName: YourGroupName
groupKey:
  id: your-group-name@domain.com
labels:
  cloudidentity.googleapis.com/groups.discussion_forum: ''
name: groups/8673hkdnjaod98f
parent: customers/Cjas8duwn
updateTime: '2021-01-01T00:00:00.000000Z'

the relevant part for you is:

name: groups/8673hkdnjaod98f

so in this example the group_id is: 8673hkdnjaod98f

Dave McLean
  • 136
  • 8
  • Thank you Dave! Your solution works perfectly. However, do you a programatically way to get that id? If not I need to parse the output in Python to get the id, which is not a good practice. I tried the lookup() method: https://cloud.google.com/identity/docs/reference/rest/v1beta1/groups/lookup but I get the following error: `Cannot bind query parameter. 'groupKey' is a message type. Parameters can only be bound to primitive types`. – Tristan Bilot Dec 01 '21 at 14:22
  • What's your use-case for needing to programatically look up the `group_id` - they're constant so you could save yourself some trouble by just hard-coding the ID in your app? – Dave McLean Dec 02 '21 at 16:10
  • I'm going to hard code them, effectively – Tristan Bilot Dec 02 '21 at 16:22
2

To retrieve the information from the Cloud Identity’s GCP groups, you have 3 more options or “methods” that are specified in GCP’s official documentation:

  1. Get

  2. List

  3. Directory API: Groups

In the worst scenario that none of them work, it could be because you don't have an IAM role as "Owner" for GCP, even if you are signing in with your super admin user for G Suite. You can use the following official GCP’s documentation about it here GCP: Understanding roles

Nestor Daniel Ortega Perez
  • 1,046
  • 3
  • 10
  • 1
    Thanks for your answer. I saw that the `get()` method needs as parameter the name of the group as this form: `groups/{group_id}`. However, I do not have that group id because it's what I'm looking for in order to use the `searchTransitiveMemberships()` method! – Tristan Bilot Nov 26 '21 at 09:59
  • OK, then the other 2 methods should help you, but I recommend you to confirm that you have the proper IAM role first. – Nestor Daniel Ortega Perez Nov 26 '21 at 17:19
  • The other method need access to admin console, which is not possible in big companies. Any other ideas? I saw the lookup() function but can't achieve to make it work because of the following error: `Cannot bind query parameter. 'groupKey' is a message type. Parameters can only be bound to primitive types` – Tristan Bilot Dec 01 '21 at 14:24
0

Just wanted to comment on Dave's good answer, but I don't have enough rep..

If you do want to get the group name programmatically, in case you're handling several groups for example, have a look at those docs.

There, groupName gives you the name in the required format (groups/...), group_id is the email of the group in that case.

Side note: the docs do not seem up to date, I had to remove + "&groupKey.namespace=identitysources/" + identity_source_id from the second line for it to work.

dnnshssm
  • 1,057
  • 6
  • 17
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/30873789) – BrokenBenchmark Jan 25 '22 at 04:05