Reputation: 1508
Google Apps API 403 with Service Account
I've been trying make a query against Google's Admin API to list all users in my Google Apps Organization. I have permissions to make this query in the web UI example and get results, but it 403's when I try to make the query with a service account.
import (
"fmt"
"io/ioutil"
"log"
"golang.org/x/net/context"
"golang.org/x/oauth2/google"
directory "google.golang.org/api/admin/directory_v1"
)
func main() {
serviceAccountJSON, err := ioutil.ReadFile(serviceAccountFile)
if err != nil {
log.Fatalf("Could not read service account credentials file, %s => {%s}", serviceAccountFile, err)
}
config, err := google.JWTConfigFromJSON(serviceAccountJSON,
directory.AdminDirectoryUserScope,
directory.AdminDirectoryUserReadonlyScope,
)
client, err := directory.New(config.Client(context.Background()))
if err != nil {
log.Fatalf("Could not create directory service client => {%s}", err)
}
users, err := client.Users.List().ViewType(publicDataView).Domain(domain).Do()
if err != nil {
log.Fatalf("Failed to query all users => {%s}", err)
}
for _, u := range users.Users {
fmt.Println(u.Name.FullName)
}
}
Every time I execute I get a 403. The same query parameters works in the Try it! section here so I'm not sure why it fails.
result: Failed to query all users => {googleapi: Error 403: Not Authorized to access this resource/api, forbidden}
Upvotes: 3
Views: 1968
Answers (2)
Reputation: 23
The @Chronojam reply saved me hours, however on the newer versions of the Google SDK directory.New is deprecated, you should be achieve the same thing replacing the directory.New(...) line with this one instead:
client, err := directory.NewService(context.Background(), option.WithHTTPClient(config.Client(context.Background())))
Upvotes: 0
Reputation: 195
I know this question is a year old, but I couldnt find anything about this anywhere - but ive just managed to fix it after running into the same error as you.
basically you need to set a delegation user to your config, eg:
func main() {
serviceAccountJSON, err := ioutil.ReadFile(serviceAccountFile)
if err != nil {
log.Fatalf("Could not read service account credentials file, %s => {%s}", serviceAccountFile, err)
}
config, err := google.JWTConfigFromJSON(serviceAccountJSON,
directory.AdminDirectoryUserScope,
directory.AdminDirectoryUserReadonlyScope,
)
// Add me
config.Subject = "[email protected]"
client, err := directory.New(config.Client(context.Background()))
if err != nil {
log.Fatalf("Could not create directory service client => {%s}", err)
}
users, err := client.Users.List().ViewType(publicDataView).Domain(domain).Do()
if err != nil {
log.Fatalf("Failed to query all users => {%s}", err)
}
for _, u := range users.Users {
fmt.Println(u.Name.FullName)
}
}
See https://github.com/golang/oauth2/blob/master/google/example_test.go#L118
hope this helps someone else!
Upvotes: 6
Related Questions
- Google Admin SDK - Service account can't access resource
- Google Admin API - Service Account withJSON - 403 Forbidden error
- Getting a 403 - Forbidden for Google Service Account
- How to authorise a service account to access the Google Admin API
- Google Admin SDK 403 Not Authorized to Access this Resource/API
- Google Directory API: 403 when retrieving user information with service account
- Google Admin Directory API, bad request 400 invalid_grant. (using service account)
- Google_Service_Directory - (403) Not Authorized to access this resource/api
- Received error "Not Authorized to access this resource/api" when trying to use Google Directory API and Service Account Authentication
- Access Denied, Requested scopes not allowed for Google Service Account