
My team is currently developing an application to list my company's domain users in GCP, using the Admin SDK, for onboarding and offboarding purposes.

We're using a service account to do this and we've added the admin.directory.user.readonly scope to it in the Google Admin console's advanced settings. The Admin SDK API is activated and we can see the service account in the Credentials area.

When we invoke the https://www.googleapis.com/admin/directory/v1/users endpoint with the parameters viewType=domain_public and domain=[our domain], while using an access token generated with oauth2l, we receive the following message:

{
   "error": {
       "errors": [
           {
               "domain": "global",
               "reason": "forbidden",
               "message": "Not Authorized to access this resource/api"
           }
       ],
       "code": 403,
       "message": "Not Authorized to access this resource/api"
   }
}

Could there be any domain restriction being applied that we don't have vision of?

1 Answer


You need to perform domain-wide delegation and impersonate one of your users if you want to authorize using a service account. The service account itself isn't part of the G Suite account, so you must impersonate a user who is part of the G Suite account in order to access the directory of that account.

oauth2l doesn't support domain-wide delegation, if I recall correctly.

kenlukas
Liron
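To make the answer concrete, here is an added example (not part of the original question or answer, and not code from Google's own samples) showing what domain-wide delegation changes at the token level and how to request it with the google-auth library. The key file path sa-key.json, the impersonated admin admin@example.com and the domain example.com are hypothetical placeholders; the example assumes the service account's client ID has already been granted the admin.directory.user.readonly scope under "Domain-wide delegation" in the Admin console.

```python
"""Added example: Directory API access via domain-wide delegation.

A service account signs a JWT and exchanges it at Google's token endpoint.
Without a 'sub' claim the resulting access token belongs to the service
account itself, which is not a Workspace user, so the Directory API answers
403 "Not Authorized". With 'sub' set to a domain user (delegation), the token
acts as that user. The values below are hypothetical placeholders.
"""
from typing import Optional
from urllib.parse import urlencode

DIRECTORY_RO_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"


def build_jwt_claims(sa_email: str, scopes, subject: Optional[str], now: int) -> dict:
    """Claim set of the JWT the service account signs (RS256 with its private
    key) and posts to the token endpoint. 'sub' is the impersonated user; it
    is only honored when the Admin console grants the scope to this client ID."""
    claims = {
        "iss": sa_email,              # the service account
        "scope": " ".join(scopes),    # space-separated OAuth scopes
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,            # at most one hour
    }
    if subject:
        claims["sub"] = subject       # this turns the request into delegation
    return claims


def is_delegated(claims: dict) -> bool:
    """True when the claim set impersonates a domain user rather than
    authenticating the service account itself."""
    return "sub" in claims and claims["sub"] != claims["iss"]


def directory_users_url(domain: str, view_type: str = "domain_public") -> str:
    """The users.list endpoint from the question with its query parameters."""
    params = {"domain": domain, "viewType": view_type}
    return f"https://www.googleapis.com/admin/directory/v1/users?{urlencode(params)}"


def delegated_credentials(key_file: str, subject: str):
    """google-auth equivalent of build_jwt_claims(..., subject=...):
    with_subject() sets the 'sub' claim. Imported lazily so the pure
    helpers above work without the library installed."""
    from google.oauth2 import service_account
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=[DIRECTORY_RO_SCOPE])
    return creds.with_subject(subject)


def list_domain_users(key_file: str, subject: str, domain: str):
    """Fetch primary e-mail addresses of the domain's users as the
    impersonated admin. Needs network access and the google-auth and
    requests packages."""
    import google.auth.transport.requests
    import requests
    creds = delegated_credentials(key_file, subject)
    creds.refresh(google.auth.transport.requests.Request())  # signs the JWT, gets a token
    resp = requests.get(
        directory_users_url(domain),
        headers={"Authorization": f"Bearer {creds.token}"},
        timeout=30,
    )
    resp.raise_for_status()
    return [u["primaryEmail"] for u in resp.json().get("users", [])]


if __name__ == "__main__":
    # Hypothetical placeholders; replace with your own key file, admin and domain.
    for email in list_domain_users("sa-key.json", "admin@example.com", "example.com"):
        print(email)
```

The pure helpers show the difference an oauth2l-style token and a delegated token have in their claim sets; the two lower functions are the library calls that produce the delegated one. Impersonating a user that holds only the permissions the task needs (a read-only directory role rather than a super admin) keeps the blast radius of a leaked key file small.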