I've got the following function in an unpublished Google Apps Script:
function getUserFromEmail(userEmail) {
  // Requires the AdminDirectory advanced service to be enabled for the script.
  return AdminDirectory.Users.get(userEmail);
}
I've enabled the AdminDirectory advanced service in the script.
As an admin, I run the script, and the default OAuth2 consent screen pops up. I authorize, and the script runs as expected.
I share the script with a non-admin collaborator (Editor).
When the collaborator runs the script, an error is generated:
GoogleJsonResponseException: API call to directory.users.get failed with error: Not Authorized to access this resource/api
Yes, I understand that the collaborator does not have the admin privileges necessary to make this call. I can explicitly give the collaborator the necessary permissions via the admin console, but that is not a good solution, since I may want a group of non-admin users to run the script (you can't assign by group).
Since there is no explicit way of controlling authentication from Google Apps Script (aside from UrlFetchApp), it appears that the Advanced Services APIs only really work for admins running the script. Creating a GCP, service account, domain-wide delegation, etc. will not help, since we cannot explicitly control authentication from GAS Advanced Services. We are forced to use the UrlFetchApp knothole.
Most of the questions/posts for this topic are 5-7 years old, and the landscape for the developer platform has changed substantially. Also, Google developer platform documentation is woefully out of date and refers to entities that no longer exist (like Google APIs Console in https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites).
Is this analysis correct, or have I missed something?
Tried converting the project to a GCP standard project, enabling the Admin SDK library, service account, domain-wide delegation.
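
An added example, not part of the original post: the Directory API's `users.get` accepts a `viewType` parameter, and with `viewType: 'domain_public'` it returns only the profile fields visible to other users in the domain, which a non-admin caller may request. The sketch tries the admin view first and falls back to the public view only on the authorization error quoted above. It assumes directory contact sharing is enabled for the domain; the `directory` parameter and `makeStubDirectory` are hypothetical names used so the code runs offline (in Apps Script, pass `AdminDirectory`).

```javascript
// Added example, not code from the original post.
// In Apps Script, AdminDirectory is the global of the Admin SDK Directory
// advanced service. It is passed in as `directory` here (an assumption of this
// example) so the function also runs offline against a constructed stub.
function getUserFromEmail(userEmail, directory) {
  try {
    // Default view (admin_view): full record, requires admin privileges.
    return { view: 'admin_view', user: directory.Users.get(userEmail) };
  } catch (err) {
    // Only fall back on the authorization failure quoted in the post;
    // anything else (unknown address, quota, network) is re-thrown.
    if (!/Not Authorized to access this resource\/api/i.test(String(err && err.message))) {
      throw err;
    }
    // domain_public returns only the fields visible to other users in the
    // domain, so a non-admin caller is allowed to request it.
    const user = directory.Users.get(userEmail, { viewType: 'domain_public' });
    return { view: 'domain_public', user: user };
  }
}

// Constructed stub standing in for AdminDirectory; the record is sample data
// and the not-found message is made up for the stub.
function makeStubDirectory(callerIsAdmin) {
  const record = {
    primaryEmail: 'alice@example.com',
    name: { fullName: 'Alice Example' },
    isAdmin: false,
    lastLoginTime: '2024-01-01T00:00:00.000Z'
  };
  return {
    Users: {
      get: function (userKey, optionalArgs) {
        if (userKey !== record.primaryEmail) {
          throw new Error('API call to directory.users.get failed with error: Resource Not Found: userKey');
        }
        const viewType = (optionalArgs && optionalArgs.viewType) || 'admin_view';
        if (viewType === 'domain_public') {
          return { primaryEmail: record.primaryEmail, name: record.name };
        }
        if (!callerIsAdmin) {
          throw new Error('API call to directory.users.get failed with error: ' +
            'Not Authorized to access this resource/api');
        }
        return record;
      }
    }
  };
}
```

Callers should check the returned `view` before relying on admin-only fields such as `lastLoginTime`, which the public view omits.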