BPan

Reputation: 31

Getting "Insufficient Permission [403]" while trying to add a member to a Google group (directory services API, .Net)

Keep getting Insufficient Permission [403] when trying to add a member to a group using the Google Directory Services API in .Net.

* We have a Google domain set up.
* User xxxxx is an admin on the domain.
* I've logged in as user xxxxx into the Admin console and created a service account.
* Took the associated/generated Google ClientID for that service account and gave it the following scopes:

https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.user

*The group is a created group in our domain. It is a valid group. I can manually add/delete users from it.
* User xxxxx is an owner and member of the group.
* The user I'm trying to add is a valid account in our domain.
* The xxxxx account and service account are all set up and working such that I can programmatically create users on our domain using Google Directory Services API with no problems. (I.e. Admin SDK is already enabled, etc).

The code snippet I'm using to try to add a user to the group is quite simple:

    GroupsResource.GetRequest grGet = m_service.Groups.Get("[email protected]"); // Existing group
    string szGroupID = grGet.GroupKey;
    Member userMember = new Member();
    userMember.Email = "[email protected]"; // Existing user
    userMember.Role = "MEMBER";
    m_service.Members.Insert(userMember, szGroupID).Execute();

Am I missing something in code? Is there some setting specifically for Google Groups that I need to set but don't know about? Any help would be appreciated! Thanks!

Upvotes: 1

Views: 910

Answers (1)

Majdi Hammad

Reputation: 11

I tested your code with the following service declaration and it worked smoothly.

    String serviceAccountEmail = "Enter your service account email";
    var certificate = new X509Certificate2("GoogleDirectoryManager-xxxxxxxxxx.p12", "Enter your Key", X509KeyStorageFlags.Exportable);

    ServiceAccountCredential credential = new ServiceAccountCredential(
        new ServiceAccountCredential.Initializer(serviceAccountEmail)
        {
            // Domain admin account that the service account impersonates
            User = "Enter an Admin Email for the Domain",
            Scopes = new[] { DirectoryService.Scope.AdminDirectoryUser, DirectoryService.Scope.AdminDirectoryGroupMember }
        }.FromCertificate(certificate));

You may need to specify the right Scope and/or service account associated with your Google API service account that is authorized on the domain API client access.

Upvotes: 1
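
The flow discussed in the question and answer above, assembled into one program as an added example (not code from either poster): it builds the delegated credential, adds the member, and prints the requested scopes when the Directory API answers 403. The upper-case strings are placeholders, and the class name and application name are assumptions.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Google;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

class AddGroupMember
{
    static void Main()
    {
        // Placeholders (assumptions): substitute your own values.
        const string serviceAccountEmail = "SERVICE_ACCOUNT_EMAIL";
        const string adminToImpersonate = "ADMIN_USER_EMAIL";
        const string groupKey = "GROUP_EMAIL";
        const string newMemberEmail = "USER_EMAIL";
        // Must also be authorized for the client ID in the Admin console.
        var scopes = new[] { DirectoryService.Scope.AdminDirectoryGroupMember };

        var certificate = new X509Certificate2("KEY_FILE.p12", "KEY_PASSWORD",
            X509KeyStorageFlags.Exportable);
        var credential = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(serviceAccountEmail)
            {
                User = adminToImpersonate, // domain admin the service account acts as
                Scopes = scopes
            }.FromCertificate(certificate));
        var service = new DirectoryService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "group-member-example" // assumed name
        });

        try
        {
            var member = new Member { Email = newMemberEmail, Role = "MEMBER" };
            service.Members.Insert(member, groupKey).Execute();
            Console.WriteLine("Added " + newMemberEmail + " to " + groupKey);
        }
        catch (GoogleApiException ex) when (ex.HttpStatusCode == HttpStatusCode.Forbidden)
        {
            // 403: check scopes granted to the client ID and the impersonated user.
            Console.Error.WriteLine("403 from Directory API: " + ex.Message);
            Console.Error.WriteLine("Requested scopes: " + string.Join(" ", scopes));
        }
    }
}
```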
