Google Admin API using Oauth2 for a Service Account (Education Edition) - 403 Error

I'm having difficulties using Google's new Admin SDK, in particular the Directory API using OAuth2. I think I'm almost there, but I've got stuck trying to retrieve a user's details using the Directory API (I'm using a Google Education Edition domain).

Basically what I'm trying to do is write a Python script that provisions or de-provisions users based on their enrollment status, which is managed by our AD. I've got a script that does this using OAuth1 but want to update it to use OAuth2.

Here is a code snippet based on some examples I found.

    import pprint

    import httplib2
    from apiclient.discovery import build
    from oauth2client.client import SignedJwtAssertionCredentials

    # read the service account's PKCS#12 private key
    f = file('test_key.p12', 'rb')
    key = f.read()
    f.close()
    credentials = SignedJwtAssertionCredentials(
        '[email protected]',
        key,
        scope='https://www.googleapis.com/auth/admin.directory.user')
    http = httplib2.Http()
    http = credentials.authorize(http)
    service = build(serviceName='admin', version='directory_v1', http=http)

    lists = service.users().get(userKey='[email protected]').execute(http=http)
    pprint.pprint(lists)

This piece of code appears to connect correctly, but when I try to execute the query I get a 403 error.

ERROR: https://www.googleapis.com/admin/directory/v1/users/[email protected]?alt=json returned "Not Authorized to access this resource/api">

My first thought was that it was because I hadn't turned on this API in the administrator's console (Google APIs console), but I have. (Actually I turned on the Admin SDK and not the Directory API, because there is no Directory API to turn on, and seeing that it's part of the Admin SDK I assumed it would work?)

Is there another step I'm missing or have I made a silly mistake somewhere?

Bruce Avatar asked Jul 30 '13 03:07

1 Answer

Bruce,

you're pretty close.

A couple of items:

  • If you're using App Engine, you need to convert the p12 key to PEM and strip the header.
  • You need to include the user with super-user credentials (who has permission to do these operations) whom you're impersonating (not the user who is being changed), using the sub= parameter.

So the full code will look a bit like this:

    import httplib2
    from apiclient.discovery import build
    from oauth2client.client import SignedJwtAssertionCredentials

    # domain configuration settings (KEY_FILE, SERVICE_ACCOUNT_EMAIL, SCOPE, SUB_ACCOUNT_EMAIL)
    import domainconfig

    f = file(domainconfig.KEY_FILE, "rb")  # b reads file in binary mode; not strictly necessary, but safer to avoid strange Windows EOL characters: https://stackoverflow.com/questions/9644110/difference-between-parsing-a-text-file-in-r-and-rb-mode
    key = f.read()
    f.close()

    credentials = SignedJwtAssertionCredentials(
        domainconfig.SERVICE_ACCOUNT_EMAIL,
        key,
        scope=domainconfig.SCOPE,
        sub=domainconfig.SUB_ACCOUNT_EMAIL  # super admin being impersonated; 'sub' supersedes the deprecated 'prn'
    )

    http = httplib2.Http()
    http = credentials.authorize(http)

    directoryservice = build("admin", "directory_v1", http=http)

    users = directoryservice.users()
    response = users.get(userKey='[email protected]').execute()
user2778525 Avatar answered Sep 27 '22 16:09

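The answer's second item is where the 403 comes from: without `sub`, the assertion the client library signs requests a token for the service account itself, and the service account has no Directory privileges of its own. The following is an added example, not the asker's or answerer's code and not part of any Google library. It builds the claim set of that service-account JWT assertion with the Python standard library and runs a pre-flight check for the two things the answer names: the `sub` claim and the Admin SDK scope. The e-mail addresses are constructed placeholders; the `aud` value is the current Google token endpoint, and the RS256 signature step, which the client library performs with the p12/PEM private key, is omitted so the block runs offline.

```python
"""Claim set of the Google service-account JWT assertion, plus a pre-flight
check for the two items named in the answer: the 'sub' (impersonated admin)
claim and the Admin SDK scope.  Standard library only; unsigned."""
import base64
import json
import time

ADMIN_DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"  # current token endpoint (assumption)
MAX_LIFETIME = 3600  # Google rejects assertions valid for more than one hour


def _b64url(data):
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    """Inverse of _b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_claim_set(service_account_email, scopes, sub=None, now=None, lifetime=MAX_LIFETIME):
    """Claims the client library places in the assertion.  'sub' names the
    admin whose privileges the call runs with; without it the Directory API
    sees only the service account and answers 403 'Not Authorized'."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": service_account_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_AUDIENCE,
        "iat": now,
        "exp": now + lifetime,
    }
    if sub:
        claims["sub"] = sub
    return claims


def encode_unsigned_assertion(claims):
    """'header.claims' of the JWT.  A real assertion carries a third segment,
    an RS256 signature made with the service account's private key (the p12
    or PEM file); that step is deliberately left out here."""
    header = {"alg": "RS256", "typ": "JWT"}
    return "%s.%s" % (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")),
    )


def decode_claims(assertion):
    """Claims segment (second dot-separated part) of a JWT as a dict."""
    return json.loads(_b64url_decode(assertion.split(".")[1]).decode("utf-8"))


def check_assertion(assertion, required_scope=ADMIN_DIRECTORY_USER_SCOPE):
    """Return the problems that would lead to 'Not Authorized to access this
    resource/api' from the Directory API; an empty list means the claim set
    matches what the answer describes."""
    claims = decode_claims(assertion)
    problems = []
    if not claims.get("sub"):
        problems.append("no 'sub' claim: the call runs as the service account, not as a super admin")
    if required_scope not in claims.get("scope", "").split():
        problems.append("scope does not include %s" % required_scope)
    if claims.get("aud") != TOKEN_AUDIENCE:
        problems.append("aud is not the token endpoint")
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("assertion lifetime exceeds one hour")
    return problems


if __name__ == "__main__":
    # Constructed placeholder identities, not taken from the page.
    sa = "provisioner@example-project.iam.gserviceaccount.com"
    admin = "admin@example.edu"
    without_sub = encode_unsigned_assertion(build_claim_set(sa, [ADMIN_DIRECTORY_USER_SCOPE]))
    with_sub = encode_unsigned_assertion(build_claim_set(sa, [ADMIN_DIRECTORY_USER_SCOPE], sub=admin))
    print("question's claim set:", check_assertion(without_sub))
    print("answer's claim set:  ", check_assertion(with_sub))
```

Running the block prints one problem for the question's claim set (the missing `sub`) and none for the answer's. The check is the same test you would apply when a service-account script starts returning 403 after a key rotation or a config change: decode the assertion the library produced and confirm that `sub` names an account that actually holds the admin role, and that the scope matches one granted to the service account's client ID in the domain-wide delegation settings.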