Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Received error "Not Authorized to access this resource/api" when trying to use Google Directory API and Service Account Authentication

Tags:

python

google-apps

google-admin-sdk

I'm really struggling with trying to use Service Account authentication to use the Google Directory API (Admin SDK).

Using client based three legged OAuth this works (tested here - https://developers.google.com/admin-sdk/directory/v1/reference/members/insert) but there's a problem with the permission delegation to the service account I am using. Under the Google Apps administration, I enabled using APIs and added the service account to the list of allowed OAuth clients as instructed.

Here is the code:

import httplib2
import sys

from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

credentials = SignedJwtAssertionCredentials(
    '<KEY>@developer.gserviceaccount.com',
    '<KEY DATA>',
    scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member'
)
http = httplib2.Http()
http = credentials.authorize(http)

service = build("admin", "directory_v1", http=http)
groups = service.groups()
g = groups.get(groupKey="<GROUP NAME>").execute()

Eventually, I get the following error:

apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups/<GROUP NAME>?alt=json returned "Not Authorized to access this resource/api">

I tried using the following API as well:

service = build("groupssettings", "v1", http=http)

But this returns an error as well - "Backend Error".

like image 263
Ron Reiter Avatar asked Sep 09 '13 20:09

Ron Reiter

1 Answers

Even though you're using a Service Account you still need to act on behalf of a Google Apps user in the instance that has the proper admin permissions. Try doing:

credentials = SignedJwtAssertionCredentials(
  '<KEY>@developer.gserviceaccount.com',
  '<KEY DATA>',
  scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member',
  sub='[email protected]'
)

where [email protected] is a super administrator in your Google Apps account.

like image 118
Jay Lee Avatar answered Sep 18 '22 00:09

Jay Lee
Sign in to Comment

Related questions

Fetching tweets with hashtag from Twitter using Python [closed]
python topN max heap, use heapq or self implement?
using fsolve to find the solution
\frac{}{} won't work for me w/ pylab
Python - re.findall returns unwanted result
Runge–Kutta RK4 not better than Verlet?
How to convert .pcm files to .wav files (scripting) [closed]
get cell value based on header string and selected row
How do I post JSON via HTTP in Ruby after conversion from Python?
Django nested URLs
Parsing a WKT-file
Skip the last row of CSV file when iterating in Python
Lambda inside lambda
Plotting cylindrical map data over a 3D sphere in Python
ImportError: No module named ' ' while Import class in the __init__.py file Python
open() is not working for hidden files python
tkinter.ttk.Progressbar: How to change thickness of a horizontal bar
Why does dict(k=4, z=2).update(dict(l=1)) return None in Python?
Creating a list of every word from a text file without spaces, punctuation
Custom sort order of list

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!