
I'm trying to build a directory sync ETL for Google Workspace, but I'm getting 403s from the code snippet.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Read-only Directory API scope: enough to list users, nothing more.
SCOPES = ['https://www.googleapis.com/auth/admin.directory.user.readonly']
SERVICE_ACCOUNT_FILE = './credentials.json'  # TODO: these creds need to be passed in more safely.

# Load the service-account key and bind it to the requested scope.
credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Discovery client for the Admin SDK Directory API.
service = build('admin', 'directory_v1', credentials=credentials)

# Single call: returns only the first page of users for the domain.
results = service.users().list(domain='mydomain.com').execute()
users = results.get('users', [])

The service account has been given domain-wide delegation to the listed scope and should be able to access the API. Other similar posts have mentioned that a domain administrator must approve the request, but that doesn't make sense in the case where I need this to run multiple times a week without any administrator intervention.

poullam7

1 Answer


Using the Users API requires the User Management Admin role (or an equivalent custom role). You can grant this role to a service account; then you won't need domain-wide delegation at all.

Johannes Passing
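A reworked version of the question's snippet, added here as an example (it is not code from the question or the answer): the key path comes from an environment variable instead of a hard-coded file, the credential builder covers both the answer's direct-role option and the domain-wide-delegation path, and the listing pages through users().list instead of stopping at the first page. The env var name DIRECTORY_SYNC_KEY_FILE, the sample users and the FakeDirectory stand-in are constructed assumptions.

```python
import os
from typing import Iterator, Optional

# Read-only scope: the ETL only lists users and never needs admin.directory.user.
SCOPES = ["https://www.googleapis.com/auth/admin.directory.user.readonly"]
KEY_FILE_ENV = "DIRECTORY_SYNC_KEY_FILE"  # assumed env var holding the key path


def load_credentials(subject: Optional[str] = None):
    """Service-account credentials with the key path read from the environment.
    subject=None   the service account itself holds User Management Admin
                   (the answer's approach; no domain-wide delegation).
    subject=email  domain-wide delegation: impersonate that admin user with
                   with_subject(); without it a delegated call is refused.
    """
    from google.oauth2 import service_account  # lazy so paging runs without the SDK
    creds = service_account.Credentials.from_service_account_file(
        os.environ[KEY_FILE_ENV], scopes=SCOPES)
    return creds.with_subject(subject) if subject else creds


def iter_users(service, domain: str, page_size: int = 500) -> Iterator[dict]:
    """Yield every user, following nextPageToken: one users().list call returns
    at most 500 users (100 by default), so an ETL has to page."""
    page_token = None
    while True:
        resp = (service.users()
                .list(domain=domain, maxResults=page_size, pageToken=page_token)
                .execute())
        yield from resp.get("users", [])
        page_token = resp.get("nextPageToken")
        if not page_token:
            return


def user_emails(service, domain: str) -> list:
    return [u["primaryEmail"] for u in iter_users(service, domain)]


class FakeDirectory:
    """Constructed stand-in for the discovery client: two pages of sample users."""
    PAGES = {None: {"users": [{"primaryEmail": "alice@mydomain.com"}],
                    "nextPageToken": "page2"},
             "page2": {"users": [{"primaryEmail": "bob@mydomain.com"}]}}
    def users(self): return self
    def list(self, domain, maxResults, pageToken=None):
        self._resp = self.PAGES[pageToken]
        return self
    def execute(self): return self._resp
```

Against the real API, build the service with `build('admin', 'directory_v1', credentials=load_credentials())` and pass it where FakeDirectory is used.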