
Hi All
My application's use case is to

  1. Find all the users in my GSuite domain, and
  2. For each user, list all the files in his/her drive.

I have a Service Account with Domain-wide delegation enabled. To fetch the list of users, I created a JWT with the sub as 'admin@mydomain.com', exchanged it for an access token, and fetched the users via the admin API https://admin.googleapis.com/admin/directory/v1/users.

When I try to use this same token to call the https://www.googleapis.com/drive/v3/files endpoint (with q as 'user1@mydomain.com' in owners), nothing is returned.

Is this even allowed, or do I need to create a new JWT, this time with the sub as 'user1@mydomain.com', and use that token to call https://www.googleapis.com/drive/v3/files? Or are there any other configurations to be enabled for the service account so that the admin token can be used for fetching the data of all the users in the organization?

FYI, I did not provision the Service Account; it was done by my company admin, so please let me know what extra I need to check with them.

Manu
  • Isn't the owner the email address? Try 'admin@mydomain.com' in owners. Try running an [about.get](https://developers.google.com/drive/api/v3/reference/about/get?apix_params=%7B%22fields%22%3A%22*%22%7D): who are you authorized as? – Linda Lawton - DaImTo Jan 12 '22 at 12:58
  • Edited the question for owner. That was just for reference, I am using email address in the code. – Manu Jan 12 '22 at 15:08
  • Tried with admin@mydomain.com in owners (using the token obtained with the super-admin sub), no results. As for about.get (with the same token), it gave lots of fields; which one should I refer to? As mentioned, this user is a super admin, so I suppose it would have authorization to access any resource. – Manu Jan 12 '22 at 15:15
  • @carlesgg97 can you help here? I saw one of your posts on a similar use case. I just need to know whether it is possible for an admin-impersonated token to be used for files.list of other users or not. – Manu Jan 13 '22 at 10:33
  • Make sure about.list states that the current user is admin@mydomain.com; if it's not, then your delegation probably isn't working. You've got it mixed up a bit. The service account impersonates the user admin@mydomain.com. Have you checked whether admin@mydomain can even do a files.list for all the users or not? I doubt it. You're going to have to have the service account impersonate each user one at a time. Pro tip: you can't use @ to ping another user who has not already commented on this question, so carlesgg97 can't hear you from here. – Linda Lawton - DaImTo Jan 13 '22 at 13:24
  • Thanks @DaImTo for clarifying this doubt. The about lists this user as current and the email id is that of the domain admin. I checked with my company admin and he told me that he cannot see any setting to let the admin scan other users' drives. I need to impersonate each user with this service account, I suppose. Just wanted to check with other learned folks if there is any such setting which my admin is not aware of. So I suppose impersonating each user and creating a new token for each is the only solution. Thanks for the pro tip also, buddy :) – Manu Jan 13 '22 at 14:15
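The approach the comments converge on (have the service account impersonate each user one at a time), as an added example that is not code from the question or from Google's client libraries: the admin-impersonating token is used only for the Directory users.list call, and a separate assertion with sub set to each user and only the Drive read-only scope is minted for that user's files.list. `sign`, `exchange` and `get_json` are hypothetical injected callables (an RS256 signer over the service account private key, the POST of the assertion to the token endpoint, and an authorized GET), so the orchestration logic runs offline.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
DIRECTORY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive.readonly"
USERS_URL = "https://admin.googleapis.com/admin/directory/v1/users"
FILES_URL = "https://www.googleapis.com/drive/v3/files"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_assertion(client_email, subject, scope, sign, now=None):
    """Build the JWT for the jwt-bearer grant. `sub` names the user being
    impersonated; each assertion asks only for the scope its next call needs."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": client_email, "sub": subject, "scope": scope,
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    # `sign` (assumed, injected) RS256-signs with the service account private key.
    return signing_input + "." + _b64url(sign(signing_input.encode()))


def decode_claims(assertion):
    """Show which user and scope an assertion is for (handy when a call returns nothing)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def list_all_user_files(client_email, admin_email, domain, sign, exchange, get_json):
    """The admin-impersonating token is used only for the Directory API; every
    user's Drive is listed with a token minted for that user (sub = user)."""
    admin_token = exchange(build_assertion(client_email, admin_email, DIRECTORY_SCOPE, sign))
    users = get_json(admin_token, USERS_URL,
                     {"domain": domain, "fields": "users/primaryEmail"})
    files_by_user = {}
    for user in users.get("users", []):
        email = user["primaryEmail"]
        # A fresh, per-user token: the admin token is never reused for Drive.
        user_token = exchange(build_assertion(client_email, email, DRIVE_SCOPE, sign))
        files = get_json(user_token, FILES_URL,
                         {"q": f"'{email}' in owners", "fields": "files(id,name)"})
        files_by_user[email] = files.get("files", [])
    return files_by_user
```

Both users.list and files.list paginate with nextPageToken, so a real run loops on it; the service account's domain-wide delegation must also be granted exactly these two scopes in the Admin console for the exchanges to succeed.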
