I'm attempting to look at the files for all the users in my org using the Google API in Python. I have a service account with domain-wide delegation. I'm attempting to create delegated credentials for each user so that I can look at their files.

However, when I run the code below, on this line in the for loop:

results = drive_service.files().list(
        pageSize=10, fields="nextPageToken, files(id, name)").execute()

I get this error:

googleapiclient.errors.HttpError: <HttpError 401 when requesting https://www.googleapis.com/drive/v3/files?pageSize=10&fields=nextPageToken%2C+files%28id%2C+name%29&alt=json returned "Invalid Credentials". Details: "[{'domain': 'global', 'reason': 'authError', 'message': 'Invalid Credentials', 'locationType': 'header', 'location': 'Authorization'}]">

The same line above that does not use delegated credentials works fine (so I know I have the necessary scopes and the Drive API is enabled), so I think something is wrong with del_creds. I have triple-checked that domain-wide delegation is enabled. Any help is appreciated!

from google.oauth2 import service_account
from googleapiclient.discovery import build

SCOPES = ['https://www.googleapis.com/auth/admin.directory.user',
          'https://www.googleapis.com/auth/admin.directory.user.security',
          'https://www.googleapis.com/auth/drive.metadata.readonly',
          'https://www.googleapis.com/auth/drive.readonly']
CREDS = 'service-account-credentials.json'

def main():
    # Service-account credentials with domain-wide delegation,
    # impersonating the account given as subject.
    creds = service_account.Credentials.from_service_account_file(
        CREDS, scopes=SCOPES, subject='--my-email--')

    service = build('admin', 'directory_v1', credentials=creds)

    # Call the Admin SDK Directory API and page through all users
    request = service.users().list(customer='--customer-code--',
                                   orderBy='email')
    response = request.execute()
    users = response.get('users', [])

    while request:
        request = service.users().list_next(previous_request=request, previous_response=response)
        if request:
            response = request.execute()
            users.extend(response.get('users', []))

    # Same call without per-user delegation (this one works)
    drive_service = build('drive', 'v3', credentials=creds)
    results = drive_service.files().list(
        pageSize=10, fields="nextPageToken, files(id, name)").execute()
    items = results.get('files', [])

    if not users:
        print('No users in the domain.')
    else:
        for user in users:
            email = user['primaryEmail']
            # Re-scope the credentials to impersonate this user
            del_creds = creds.with_subject(email)

            drive_service = build('drive', 'v3', credentials=del_creds)

            # Call the Drive v3 API (this is the call that returns 401)
            results = drive_service.files().list(
                pageSize=10, fields="nextPageToken, files(id, name)").execute()
            items = results.get('files', [])

            if not items:
                print('No files found.')
                continue  # move on to the next user instead of leaving main()
            print('Files:')
            for item in items:
                print(u'{0} ({1})'.format(item['name'], item['id']))

if __name__ == '__main__':
    main()
            

1 Answer

I figured it out. It turns out the first user in the list is suspended, and therefore does not have access to their Google Drive files. Other users work just fine.

That begs the question, though, of how I'm supposed to look at the files of suspended users (as I'm pretty sure those files still exist).
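As an added example (not part of the original post or answer): the Directory API user record carries a `suspended` boolean, so a domain-wide audit loop can skip suspended accounts before impersonating them and record any remaining per-user HTTP failure instead of aborting. `drive_for`, `FakeDrive` and the sample records are assumptions constructed for the illustration.

```python
# Added example; drive_for (email -> Drive v3 service) and all sample data are assumptions.

def split_by_suspension(users):
    """Split Directory API user records into (active, suspended) emails."""
    emails = {True: [], False: []}
    for user in users:
        emails[bool(user.get('suspended'))].append(user['primaryEmail'])
    return emails[False], emails[True]

def audit_drive(users, drive_for):
    """List files per active user; record skipped and failed accounts."""
    active, skipped = split_by_suspension(users)
    report = {'files': {}, 'skipped': skipped, 'failed': {}}
    for email in active:
        try:
            results = drive_for(email).files().list(
                pageSize=10, fields="nextPageToken, files(id, name)").execute()
        except Exception as exc:
            # googleapiclient's HttpError exposes the HTTP status as exc.resp.status
            status = getattr(getattr(exc, 'resp', None), 'status', None)
            if status is None:
                raise  # not an HTTP-level failure: do not hide it
            report['failed'][email] = status
            continue
        report['files'][email] = results.get('files', [])
    return report

class FakeDrive:  # constructed stand-in for a Drive v3 service (offline demo)
    def __init__(self, files=None, status=None):
        self._files, self._status = files or [], status
    def files(self):
        return self
    def list(self, **kwargs):
        return self
    def execute(self):
        if self._status:
            err = Exception('Invalid Credentials')
            err.resp = type('Resp', (), {'status': self._status})()
            raise err
        return {'files': self._files}

SAMPLE_USERS = [  # constructed Directory API records
    {'primaryEmail': 'alice@example.com', 'suspended': True},
    {'primaryEmail': 'bob@example.com', 'suspended': False},
    {'primaryEmail': 'carol@example.com', 'suspended': False}]
SAMPLE_DRIVES = {'bob@example.com': FakeDrive([{'id': 'f1', 'name': 'plan.txt'}]),
                 'carol@example.com': FakeDrive(status=401)}

if __name__ == '__main__':
    print(audit_drive(SAMPLE_USERS, SAMPLE_DRIVES.__getitem__))
```

With the real client, pass `lambda email: build('drive', 'v3', credentials=creds.with_subject(email))` as `drive_for`.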