I am new to working with Google API but I have a project that requires me to access their domain to find a user's manager by email. Before I started on the code I wanted to set everything up so I followed the example file for PHP. I was able to get it to work but had some issues with refreshing the token once it expired and research pushed me towards using a Service Account, as this is a server cron script and I don't want to deal with any user interactions.
I created the Service Account, enabled G Suite Domain-wide Delegation, and added access for: https://www.googleapis.com/auth/admin.directory.user.readonly
I get a Google_Service_Exception with my script.
The response is:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "notFound",
        "message": "Domain not found."
      }
    ],
    "code": 404,
    "message": "Domain not found."
  }
}
I am assuming this means it doesn't know the account's domain but I don't see how I can resolve this. I assume that if this was a permissions issue, Google would tell me. I tried searching online but no luck as the issues I found were using a different method and the fixes weren't something that could be done on the Service Account. I am stuck right now so I hope a push in the right direction will get me on track.
This is the test script I am using:
<?php
require_once __DIR__ . '/vendor/autoload.php';

define('CREDENTIALS_PATH', '/path/to/service_account.json');
define('SCOPES', implode(' ', array(
    Google_Service_Directory::ADMIN_DIRECTORY_USER_READONLY)
));

date_default_timezone_set('America/New_York');

/**
 * Returns an authorized API client.
 * @return Google_Client the authorized client object
 */
function getClient() {
    $client = new Google_Client();
    $client->setApplicationName('TestingApp');
    $client->setAuthConfig(CREDENTIALS_PATH);
    $client->setScopes(SCOPES);
    return $client;
}

// Get the API client and construct the service object.
$client = getClient();
$service = new Google_Service_Directory($client);

// Print the first 10 users in the domain.
$optParams = array(
    'customer' => 'my_customer',
    'maxResults' => 10,
    'orderBy' => 'email',
);
$results = $service->users->listUsers($optParams);

if (count($results->getUsers()) == 0) {
    print "No users found.\n";
} else {
    print "Users:\n";
    foreach ($results->getUsers() as $user) {
        printf("%s (%s)\n", $user->getPrimaryEmail(),
            $user->getName()->getFullName());
    }
}
My service_account.json contains (cleaned obviously)
{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "PRIVATE_KEY_ID",
  "private_key": "PRIVATE_KEY",
  "client_email": "SERVICE_ACCOUNT_EMAIL.iam.gserviceaccount.com",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_IDENTIFIER.iam.gserviceaccount.com"
}
Thanks for any assistance on this.
Okay, this was a very easy step to overlook but it was an extremely simple fix.
The issue here was that the domain for the account was not identified. I was under the impression that the service account was already attached to the domain but that is not the case. So the fix is just one line of code to add to the client to set it to a user that is in the domain (for my case).
The fix for me was to add:
$client->setSubject('[email protected]');
to my getClient method.
So now the method looks like:
/**
 * Returns an authorized API client.
 * @return Google_Client the authorized client object
 */
function getClient() {
    $client = new Google_Client();
    $client->setApplicationName('TestingApp');
    $client->setAuthConfig(CREDENTIALS_PATH);
    $client->setScopes(SCOPES);
    $client->setSubject('[email protected]');
    return $client;
}
I saw this mentioned in the API but it states it as optional. Hopefully this will help someone else too.
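What the setSubject() call in the answer above changes on the wire, as an added example that is not part of the original post or of Google's client library: it hand-builds the signed JWT assertion a service account presents at the token endpoint, once without and once with the `sub` claim used for domain-wide delegation. The RSA key is generated on the spot, the e-mail addresses are constructed placeholders, and the helper names (b64url, buildAssertion, claimsOf) are hypothetical.

```php
<?php
// Added example: compares the JWT claim set sent with and without a subject.
// Throwaway key, constructed e-mail addresses, hypothetical helper names.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Build an RS256-signed assertion; $subject = null means "act as the service account itself". */
function buildAssertion(array $sa, string $scope, ?string $subject, $privateKey): string {
    $now = time();
    $claims = [
        'iss'   => $sa['client_email'],
        'scope' => $scope,
        'aud'   => $sa['token_uri'],
        'iat'   => $now,
        'exp'   => $now + 3600,      // assertion lifetime is limited to one hour
    ];
    if ($subject !== null) {
        $claims['sub'] = $subject;   // domain user to act as via domain-wide delegation
    }
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $input . '.' . b64url($sig);
}

/** Decode the claim set (middle segment) for inspection; the signature is not checked here. */
function claimsOf(string $jwt): array {
    [, $payload] = explode('.', $jwt);
    return json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
}

$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$sa = [ // constructed stand-in for the fields read from service_account.json
    'client_email' => 'svc@example-project.iam.gserviceaccount.com',
    'token_uri'    => 'https://accounts.google.com/o/oauth2/token',
];
$scope = 'https://www.googleapis.com/auth/admin.directory.user.readonly';

$asServiceAccount = claimsOf(buildAssertion($sa, $scope, null, $key));
$asDomainUser     = claimsOf(buildAssertion($sa, $scope, 'admin@example.com', $key));

// Without "sub" the token identifies only the service account, which is not
// attached to the domain; with "sub" it carries the domain user's identity.
echo json_encode($asServiceAccount, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo json_encode($asDomainUser, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Because the delegated token acts with the subject's rights, keep the delegated scope list as narrow as the readonly scope used here and pick a subject whose admin role covers only what the script reads.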