Get resourceName's for accounts in a Google Workspace via API

Question

I am superadmin of a Google Workspace. I want to retrieve Google Contacts from several accounts of my workspace (accounts like press@....org, donate@....org).

For doing that via the API call googleapiclient.discovery.build('people', 'v1', credentials=creds).people().connections().list(resourceName=resourceName) I need resourceNames for the accounts of interest.

I tried doing that by running in Python googleapiclient.discovery.build('people', 'v1', credentials=creds).people().listDirectoryPeople(readMask= 'emailAddresses', sources= ['DIRECTORY_SOURCE_TYPE_DOMAIN_PROFILE'], pageSize= 1000).execute()). During token retrieval I'm using SCOPES = ['https://www.googleapis.com/auth/contacts.readonly', 'https://www.googleapis.com/auth/directory.readonly'] and re-obtained the creds.

After doing that I received an error:

googleapiclient.errors.HttpError: <HttpError 403 when requesting https://people.googleapis.com/v1/people:listDirectoryPeople?readMask=emailAddresses&sources=DIRECTORY_SOURCE_TYPE_DOMAIN_PROFILE&pageSize=1000&alt=json returned "The G Suite domain admin has disabled external directory sharing. See more details at https://support.google.com/a/answer/6343701". Details: "The G Suite domain admin has disabled external directory sharing. See more details at https://support.google.com/a/answer/6343701">

I went to https://support.google.com/a/answer/6343701 and as recommended switched to Public data and authenticated user basic profile fields in Directory settings. I waited 24 hours, but I'm still getting the same error.

What is the proper way to get resourceNames for the accounts I'm interested in?

In general, am I using the right API calls?

My endgoal is to collect Google Contacts for these accounts. I am superadmin, so I can set up any permissions needed, if I know what is needed :)

Thank you very much!

It is currently off, only is enabled `External Directory sharing > Public data and authenticated user basic profile fields`. Should I enable `Contact Sharing`? — Vadim Kantorov, Aug 16 '23 at 16:38
Is contact sharing also enabled from Directory Settings \> Sharing Settings \> Contact Sharing. – — Century Tuna, Aug 16 '23 at 16:38
Yes, I'll provide a sample of the setting in my end as an answer — Century Tuna, Aug 16 '23 at 16:38
In the meanwhile I've made it work with `admin/directory_v1`, I then took one user from the output, and used its 21-digit `id` to try `...connections().list(resourceName f'people/{id}')` - this blew up with `Only "people/me" resource is supported`. I also enabled `Contact Sharing` as you suggested, the error of `...people().listDirectoryPeople(readMask= 'emailAddresses', sources= ['DIRECTORY_SOURCE_TYPE_DOMAIN_PROFILE'], pageSize= 1000)` is still `The G Suite domain admin has disabled external directory sharing.` — Vadim Kantorov, Aug 16 '23 at 16:44
Changing the setting may be also subject to propagation time as you have only made the change this instance. But for further testing, you can play with the API Explorer in the answer by using the Incognito Window in order to isolate any caching issues made on the change of the settings in the Admin Console. — Century Tuna, Aug 16 '23 at 16:46
I will wait for it to propagate and will report if it helps or not. Any hints, how to work around `Only "people/me" resource is supported`? Is the 21-digit `id` from `admin/directory_v1` the `resourceName` I'm looking for? — Vadim Kantorov, Aug 16 '23 at 16:48
It looks like the resourceName parameter is already deprecated based on this reference article: [https://developers.google.com/people/api/rest/v1/people.connections/list](https://developers.google.com/people/api/rest/v1/people.connections/list) but let me try to play around this a little bit and get back to you if i find anything — Century Tuna, Aug 16 '23 at 16:50
Hmm, indeed it's documented that only `people/me` is supported. But how to retrieve Google Contacts userdata for the accounts of interest? (as a superadmin) — Vadim Kantorov, Aug 16 '23 at 16:54

Century Tuna · Accepted Answer · 2023-08-16T18:09:49.160

0

Answer:

Enable the contact sharing option in your Directory Settings in the Admin Console. This option is possible for people.listDirectoryPeople for you to be able to list all domain profiles and domain contacts in the authenticated user's domain directory.

Sample:

UPDATE:

Also, set the External Directory Sharing to Domain and Public Data.

You can also test this by running the API Sample on this link

Showing below that the execution was successful:

edited Aug 16 '23 at 18:09

answered Aug 16 '23 at 16:40

Century Tuna

1,378
1
6
13

I've enabled `Contact Sharing` and still getting the same error 403, including in API explorer. `{ "error": { "code": 403, "message": "The G Suite domain admin has disabled external directory sharing. See more details at https://support.google.com/a/answer/6343701", "status": "PERMISSION_DENIED" } }` – Vadim Kantorov Aug 16 '23 at 16:45
There is also a small panel in the API explorer saying `This error may be due to using an insufficient credential type. Try using OAuth 2.0.`. I'm already using `OAuth 2.0`, not seeing if some `insufficient credential type` might be a problem... – Vadim Kantorov Aug 16 '23 at 16:52
I´ve updated my answer, can you try to do the updates I included in the answer? – Century Tuna Aug 16 '23 at 17:02
I had already `External Directory Sharing` set as you propose, so it doesn’t change anything. I guess since only `people/me` is supported my question now becomes 1) how to get the Google Contacts of an account other than people/me?, 2) if needed, how to find the necessary id’s for this task? – Vadim Kantorov Aug 16 '23 at 17:13
So just to confirm, on the Contact Sharing option, it should be enabled and set to Show All Email Addresses and Show only Domain Profiles. And under the External Directory Sharing, it should be set to "Domain and Public Data", because based on your question, under "External Directory Sharing", it is set to "Public Data and authenticated user basic profile fields", which is upon replicating, it seems that setting it to "Public Data and authenticated user basic profile fields" is the root cause of error – Century Tuna Aug 16 '23 at 17:17
Now, this should address the issue with the method people.listDirectoryPeople. But unfortunately, it looks like retrieving the contacts of other accounts within your organization is currently not possible – Century Tuna Aug 16 '23 at 17:19
Well, I am the superadmin and the creator of the workspace. I can't see how this can be... – Vadim Kantorov Aug 16 '23 at 18:00
For now, I've looked into possible options starting with the Google Contacts UI (as a super admin), that currently there are no options to view the saved contacts of other accounts within the organization. And scanning through all documentations of People API, only Authenticated Users contacts can be retrieved using the API. Which, I currently propose that the feature to get the saved contacts of others is not possible. I'd suggest submitting a [feature request](https://issuetracker.google.com/issues/new?component=191607&template=824105) instead. – Century Tuna Aug 16 '23 at 18:07
I am wondering if I can use some sort of token impersonation to get contacts as if I was the other user. – Vadim Kantorov Aug 16 '23 at 18:27
I created a new question asking a more high-level advice: https://stackoverflow.com/questions/76916369/obtain-other-google-workspace-accounts-google-contacts-using-api – Vadim Kantorov Aug 16 '23 at 19:03
1

Regarding `it seems that setting it to "Public Data and authenticated user basic profile fields" is the root cause of error`, I changed the setting according to your suggestions. And `listDirectoryPeople` worked! It does get me the resourceName's, as well as `admin/directory_v1` also works. Please update your answer, and I will mark it as accepted. However, `resourceName`s are not useful for I did not know that for retrieving connections, `people/me` only works, so I created https://stackoverflow.com/questions/76916369/obtain-other-google-workspace-accounts-google-contacts-using-api – Vadim Kantorov Aug 16 '23 at 19:11

Get resourceName's for accounts in a Google Workspace via API

1 Answers1