0

I am superadmin of a Google Workspace. I would like to obtain Google Contacts of several accounts of interest. For example, press@....org and donate@....org accounts of my workspace (for analytics / backup / mailing list compilation).

What are the ways I can achieve this, regarding authorization? As a superadmin, can I impersonate other users and access their Google Contacts via an API? Can service accounts be used for this?

If anyone has an example or some advice on achieving this, it would be great :)

Thank you!

Vadim Kantorov
  • I cannot answer for accessing contacts as I have not tried. Google Workspace supports [Domain Wide Delegation of Authority](https://developers.google.com/cloud-search/docs/guides/delegation) which allows you to impersonate Workspace users via service accounts. – John Hanley Aug 16 '23 at 21:43
  • As you suggested, I set up a service account and enabled Domain Wide Delegation, but getting an error: `google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})` :( – Vadim Kantorov Aug 17 '23 at 14:58
  • Using this Python code: `creds = service_account.Credentials.from_service_account_file('my_service_account_key.json', scopes=['https://www.googleapis.com/auth/contacts.readonly'] ).with_subject('vadim.kantorov@my.org'); print(googleapiclient.discovery.build('people', 'v1', credentials=creds).people().connections().list(resourceName='people/me', pageSize=10, personFields='names,emailAddresses').execute())` – Vadim Kantorov Aug 17 '23 at 14:59
  • Please add details to your post and not via comments. The error means that you did not set up Domain Wide Delegation correctly. However, test the API accessing a user's mailbox or other Workspace feature as I have not tested accessing a user's contacts to make sure DWD is set up correctly. – John Hanley Aug 17 '23 at 15:23
  • It ended up working! My mistake was that I actually had a few more extra unused scopes in the `from_service_account_file` call (and only had `https://www.googleapis.com/auth/contacts.readonly` in the service account config). And I also found a tutorial for doing a similar thing in Apps Script: https://daubejb.medium.com/how-to-use-gcp-service-accounts-with-google-apps-script-projects-to-automate-actions-in-g-suite-7020a520bef7 If you feel like it, please add an answer with your advice of setting up Domain Wide Delegation (maybe paste a word on what it is), I will mark it as accepted :) – Vadim Kantorov Aug 17 '23 at 16:09

1 Answer

-1

Google Workspace supports Domain Wide Delegation of Authority which allows you to impersonate Workspace users via service accounts.

Domain-wide delegation of authority grants third-party and internal applications access to your users' data.

This requires setup at Workspace and Cloud IAM for the service account.

Perform Google Workspace domain-wide delegation of authority

John Hanley
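
An added example, not part of the original answer or comments: a preflight for the `unauthorized_client` failure described in the comments, where the code requested more scopes than were authorized for the service account. The `AUTHORIZED_SCOPES` value, the function names and the sample addresses are assumptions made for illustration; the final call is the one posted in the question.

```python
import time

# Assumption: mirrors the scopes authorized for the service account's client ID
# under domain-wide delegation in the Workspace Admin console (constructed sample).
AUTHORIZED_SCOPES = {"https://www.googleapis.com/auth/contacts.readonly"}
TOKEN_URI = "https://oauth2.googleapis.com/token"


def unauthorized_scopes(requested, authorized=AUTHORIZED_SCOPES):
    """Return the requested scopes that were never authorized for delegation."""
    return sorted(set(requested) - set(authorized))


def delegation_claims(sa_email, subject, scopes, now=None):
    """Build the JWT claim set that a delegated token request carries.

    All scopes travel together in one space-delimited claim, so a single
    unauthorized scope fails the whole request with unauthorized_client.
    """
    extra = unauthorized_scopes(scopes)
    if extra:
        raise ValueError("scopes not authorized for delegation: " + ", ".join(extra))
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,            # the service account itself
        "sub": subject,             # the Workspace user being impersonated
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,          # assertion lifetime is at most one hour
    }


def list_contacts(key_file, subject, scopes):
    """People API call from the question, run only after the scope preflight."""
    extra = unauthorized_scopes(scopes)
    if extra:
        raise ValueError("scopes not authorized for delegation: " + ", ".join(extra))
    from google.oauth2 import service_account    # lazy import: google-auth
    from googleapiclient.discovery import build  # lazy import: google-api-python-client
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes).with_subject(subject)
    return build("people", "v1", credentials=creds).people().connections().list(
        resourceName="people/me", pageSize=10,
        personFields="names,emailAddresses").execute()
```

Keeping the requested scope list identical to the authorized one, and read-only where possible, also limits what a leaked service account key can reach in users' data.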