
I am currently trying to query devices using the Google Cloud Identity API. When querying using a service account in the same account, I'm able to query the following endpoint successfully: https://cloudidentity.googleapis.com/v1/devices?customer=customers%2Fmy_customer

Unfortunately, when I attempt to authenticate to another account and assume a role to query their device information or even query the same account the service account resides in by specifying the Customer ID, I consistently get a 403 error:

{ "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }

The call I'm attempting to make is in the following format, with C0abcdefg representing a Customer ID: https://cloudidentity.googleapis.com/v1/devices?customer=customers%2FC0abcdefg

I believe this is how the documentation would like us to be specifying such a request. (The documentation I'm following is found here: https://cloud.google.com/identity/docs/reference/rest/v1/devices/list)

I'm currently successfully querying these other accounts via other APIs, such as the Google Workspace Admin SDK, using the same service account and assumed role, and I've confirmed the Cloud Identity API is enabled for all accounts I've been testing with.

Would anyone happen to know if I'm specifying the customer ID correctly in the query? If I am, I wonder if there are any additional settings I should verify in either the account that contains the service account or the accounts I'm attempting to query.

0 Answers