I am trying to get or list devices via the Device API in Golang but I keep getting Error 403: The caller does not have permission, forbidden. I did the following steps:

  1. Created a service account and retrieved the service account key in .json format. Then I enabled domain-wide delegation using the numeric ID of the service account with the scopes:
     - "https://www.googleapis.com/auth/cloud-platform"
     - "https://www.googleapis.com/auth/cloud-identity"
     - "https://www.googleapis.com/auth/cloud-identity.devices"
  2. Added the following permissions to the service account:

```
$ gcloud iam service-accounts get-iam-policy example@example.iam.gserviceaccount.com

bindings:
- members:
  - user:mysuperadminuser@example
  role: roles/iam.serviceAccountAdmin
- members:
  - serviceAccount:example@example.iam.gserviceaccount.com
  - mysuperadminuser@example
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:mysuperadminuser@example
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:example@example.iam.gserviceaccount.com
  - user:mysuperadminuser@example
  role: roles/owner
```

  3. Then I have the following code to list devices and groups, impersonating an admin user (myself):
```go
import (
    "context"
    "io/ioutil"

    "golang.org/x/oauth2/google"
    "google.golang.org/api/cloudidentity/v1"
    "google.golang.org/api/option"
)

// log is the application's own logger exposing Infof/Errorf (not shown).

func getDevicesAndGroups(ctx context.Context, credentialsFile string) {
    data, err := ioutil.ReadFile(credentialsFile) // json key file of the service account
    if err != nil {
        log.Errorf("Unable to read credentials file: %v", err)
        return
    }

    config, err := google.JWTConfigFromJSON(data,
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/cloud-identity",
        "https://www.googleapis.com/auth/cloud-identity.devices")
    if err != nil {
        log.Errorf("Unable to parse service account key: %v", err)
        return
    }

    // Domain-wide delegation: the service account requests tokens on behalf of this admin user.
    config.Subject = "mysuperadminuser@example"
    ts := config.TokenSource(ctx)

    ciService, err := cloudidentity.NewService(ctx, option.WithTokenSource(ts))
    if err != nil {
        log.Errorf("Unable to create Cloud Identity service: %v", err)
        return
    }

    ds := cloudidentity.NewDevicesService(ciService)
    resp, err := ds.List().Customer("customers/my_customer").PageSize(1).OrderBy("email").Context(ctx).Do()
    if err != nil {
        log.Errorf("Unable to retrieve devices: %v", err)
    } else {
        log.Infof("NewDevicesService resp %#v", resp)
    }

    gs := cloudidentity.NewGroupsService(ciService)
    respgs, err := gs.List().Parent("customers/my_customer").PageSize(1).Context(ctx).View("BASIC").Do()
    if err != nil {
        log.Errorf("Unable to retrieve groups: %v", err)
    } else {
        log.Infof("NewGroupsService %#v", respgs)
    }
}
```

However, the call to list the devices keeps returning the following error:

```
Error 403: The caller does not have permission, forbidden
```

But the call to list the groups gives me a 200 response code, meaning the request returns results successfully.

Was wondering if anyone could point me in the right direction regarding the permissions that I might be missing?

Stella
  • You can try changing the scopes used to list and get device information as explained in the [documentation](https://developers.google.com/identity/protocols/oauth2/scopes#cloudidentity) and the Go client API [repository](https://github.com/googleapis/google-api-go-client/blob/main/cloudidentity/v1/cloudidentity-api.json), since they are slightly different from the ones you are currently using. You could also try to check for a more detailed error trace and include it in the question, since it can include a general cause for failure. – ErnestoC Jan 04 '22 at 23:26
  • Thank you @ErnestoContrerasPinon, I changed my app to use those 4 scopes now, and when I try the get device call (/device/) I get `Error 403: Request had insufficient authentication scopes (ACCESS_TOKEN_SCOPE_INSUFFICIENT)`, and for the lookup call (devices//deviceUsers) I still get `Error 403: The caller does not have permission, forbidden`. From the repo only the lookup method seems to be referencing the [scopes](https://github.com/googleapis/google-api-go-client/blob/main/cloudidentity/v1/cloudidentity-api.json#L522). Not sure what else to try here unfortunately – Stella Jan 05 '22 at 15:45
  • Have you read this similar [thread](https://stackoverflow.com/questions/64876625/)? The OP resolved this by activating their GSuite subscription. A different cause for this error could be missing enabled APIs, have you seen this [documentation](https://cloud.google.com/identity/docs/how-to/setup-devices) page? I don’t see any clear problem with your Go function, but you could also try changing the way you impersonate the service account to what is in the [documentation](https://pkg.go.dev/google.golang.org/api@v0.63.0/impersonate#example-CredentialsTokenSource-AdminUser). – ErnestoC Jan 05 '22 at 22:48
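The two 403 messages that appear in the question and the comments point at different layers: `ACCESS_TOKEN_SCOPE_INSUFFICIENT` means the delegated token itself was minted without a scope the method needs, while `The caller does not have permission` means the token is accepted but the impersonated subject or the API setup lacks rights. The following added example (my own code, not the asker's and not part of the Cloud Identity client library) shows how to tell them apart before digging into IAM: it compares the scopes a minted token actually carries (as reported by the tokeninfo endpoint) against the scopes requested in the question, and classifies a Google API JSON error body by its reason or message. The tokeninfo body and the two error bodies are constructed samples, not captured from a real tenant; the `RequiredDeviceScopes` list is simply the three scopes the question passes to `JWTConfigFromJSON`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tokenInfo keeps the two fields of a tokeninfo response used here
// (GET https://oauth2.googleapis.com/tokeninfo?access_token=<token>);
// "scope" is one space-separated string of the scopes the token carries.
type tokenInfo struct {
	Email string `json:"email"`
	Scope string `json:"scope"`
}

// MissingScopes decodes a tokeninfo body and returns every scope in
// required that the token does not carry, in the order given.
func MissingScopes(body []byte, required []string) ([]string, error) {
	var ti tokenInfo
	if err := json.Unmarshal(body, &ti); err != nil {
		return nil, fmt.Errorf("decode tokeninfo: %w", err)
	}
	granted := map[string]bool{}
	for _, s := range strings.Fields(ti.Scope) {
		granted[s] = true
	}
	var missing []string
	for _, s := range required {
		if !granted[s] {
			missing = append(missing, s)
		}
	}
	return missing, nil
}

// apiError mirrors the parts of a Google API JSON error body that name a
// reason: error.errors[].reason (legacy shape) or error.details[].reason
// (google.rpc.ErrorInfo). Unknown fields such as "@type" are ignored.
type apiError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
		Status  string `json:"status"`
		Errors  []struct {
			Reason string `json:"reason"`
		} `json:"errors"`
		Details []struct {
			Reason string `json:"reason"`
		} `json:"details"`
	} `json:"error"`
}

// Classify403 sorts a 403 body into "scope" (the token was minted without a
// scope the method needs: fix the requested scopes and the delegation entry),
// "permission" (the token is accepted but the impersonated subject or the
// API setup lacks rights) or "other".
func Classify403(body []byte) (string, error) {
	var ae apiError
	if err := json.Unmarshal(body, &ae); err != nil {
		return "", fmt.Errorf("decode error body: %w", err)
	}
	for _, e := range ae.Error.Errors {
		if e.Reason == "ACCESS_TOKEN_SCOPE_INSUFFICIENT" {
			return "scope", nil
		}
	}
	for _, d := range ae.Error.Details {
		if d.Reason == "ACCESS_TOKEN_SCOPE_INSUFFICIENT" {
			return "scope", nil
		}
	}
	msg := strings.ToLower(ae.Error.Message)
	switch {
	case strings.Contains(msg, "insufficient authentication scopes"):
		return "scope", nil
	case strings.Contains(msg, "does not have permission"):
		return "permission", nil
	}
	return "other", nil
}

// Constructed samples (not captured from a real tenant): a token minted with
// only two of the question's three scopes, and two 403 bodies carrying the
// messages quoted in the question and its comments.
var (
	SampleTokenInfo = []byte(`{"email":"mysuperadminuser@example",` +
		`"scope":"https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/cloud-identity"}`)
	SampleScopeError = []byte(`{"error":{"code":403,"message":"Request had insufficient authentication scopes.",` +
		`"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"ACCESS_TOKEN_SCOPE_INSUFFICIENT"}]}}`)
	SamplePermissionError = []byte(`{"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}`)
)

// RequiredDeviceScopes are the scopes the question passes to JWTConfigFromJSON.
var RequiredDeviceScopes = []string{
	"https://www.googleapis.com/auth/cloud-platform",
	"https://www.googleapis.com/auth/cloud-identity",
	"https://www.googleapis.com/auth/cloud-identity.devices",
}

func main() {
	missing, err := MissingScopes(SampleTokenInfo, RequiredDeviceScopes)
	fmt.Println("missing scopes:", missing, err)
	for _, b := range [][]byte{SampleScopeError, SamplePermissionError} {
		kind, _ := Classify403(b)
		fmt.Println("403 class:", kind)
	}
}
```

In practice you would obtain the access token from `config.TokenSource(ctx).Token()` with the `Subject` set, query tokeninfo with it, and feed the response to `MissingScopes`; a non-empty result means the delegation entry in the admin console or the scope list in code does not match, which no IAM role on the service account can fix. Only once the token carries the scopes is a remaining "permission" class worth chasing on the admin-role or API-enablement side, as the comments suggest.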
