Reputation: 239
So I've got a Python app running which uses a service account in our domain. This is all working fine, and the service account has been granted access to the correct scope. I'm using the following which is lifted from one of the Google examples:
```python
from __future__ import print_function
import httplib2
import os
import pprint
import sys
from apiclient.discovery import build
from oauth2client.service_account import ServiceAccountCredentials

"""Email of the Service Account"""
SERVICE_ACCOUNT_EMAIL = 'service_account_email@google'
"""Path to the Service Account's Private Key file"""
SERVICE_ACCOUNT_CLIENT_FILE_PATH = 'My Project-xxxxxx.json'


def main():
    # Scope requested for the service account's own token
    scopes = ['https://www.googleapis.com/auth/drive.metadata.readonly']
    credentials = ServiceAccountCredentials.from_json_keyfile_name(
        SERVICE_ACCOUNT_CLIENT_FILE_PATH,
        scopes=scopes
    )
    # Wrap an httplib2 client so every request carries the access token
    http = httplib2.Http()
    http = credentials.authorize(http)
    service = build('drive', 'v3', http=http)
    results = service.files().list(
        pageSize=10, fields="nextPageToken, files(id, name)").execute()
    items = results.get('files', [])
    if not items:
        print('No files found.')
    else:
        print('Files:')
        for item in items:
            print('{0} ({1})'.format(item['name'], item['id']))


if __name__ == '__main__':
    main()
```
This successfully retrieves the documents for the service account. Now my understanding is that I should be able to delegate access so that I can run as another user. So I'm adding the following line:
```python
delegated_credentials = credentials.create_delegated("user.name@org_domain.org.au")
```
and then using `delegated_credentials` when authorizing. At this point I'm getting the error
```
oauth2client.client.HttpAccessTokenRefreshError: access_denied: Requested client not authorized.
```
So my assumption is that the user that I'm specifying doesn't have access to the API. Is this the correct approach or am I missing something obvious?
Upvotes: 1
Views: 1490
Reputation: 239
Found my mistake, posting here for future generations. My scope in the Python code was incorrect; I didn't realise it needed to match the scope granted in the admin client exactly!
The scope in the admin client is as follows:
```
https://www.googleapis.com/auth/admin.reports.audit.readonly https://www.googleapis.com/auth/drive
```
and the scope in the code is now:
```python
scopes = ['https://www.googleapis.com/auth/admin.reports.audit.readonly', 'https://www.googleapis.com/auth/drive']
```
I know I don't need the reports scope, but the point is if they do not match then it won't work.
Rookie mistake!
Upvotes: 1
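The scope mismatch described in the question and answer above, as an added example that is not part of either post: a small pre-flight check that compares the scopes a script requests with the space-separated scope string pasted from the Admin console, so the mismatch is caught before any delegated token request is made. The `ADMIN_CONSOLE_SCOPES` string is constructed from the answer's values; `delegated_drive_service` reproduces the `create_delegated` flow from the question using the oauth2client calls shown on the page and is only an assumed wrapper (it needs the key file and network access, so it is not exercised offline).

```python
# Added example (not the asker's code). Constructed from the scope values in the
# answer above; the Admin console stores the authorized scopes as one
# space-separated string, while the script passes a Python list.
ADMIN_CONSOLE_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly "
    "https://www.googleapis.com/auth/drive"
)


def parse_admin_scopes(scope_string):
    """Split the Admin console scope field into a set of scope URLs.

    Commas and line breaks are tolerated because the field is often pasted
    with either separator.
    """
    return {s.strip() for s in scope_string.replace(",", " ").split() if s.strip()}


def check_delegation_scopes(requested, authorized_string):
    """Compare the scopes a script requests with the scopes authorized for
    the client ID in the Admin console.

    'missing' holds scopes requested in code but not authorized; this is the
    case that produces "access_denied: Requested client not authorized".
    'extra' holds scopes authorized in the console but not requested by the
    code, reported so the two lists can be kept identical (as the answer
    recommends) and so over-broad grants are visible for review.
    """
    requested_set = {s.strip() for s in requested if s.strip()}
    authorized_set = parse_admin_scopes(authorized_string)
    missing = requested_set - authorized_set
    extra = authorized_set - requested_set
    return {
        "ok": not missing,
        "missing": missing,
        "extra": extra,
    }


def delegated_drive_service(key_path, scopes, subject, authorized_string):
    """Assumed wrapper around the oauth2client flow from the question.

    Refuses to build the client when a requested scope is not authorized,
    so the failure is explained locally instead of surfacing as an opaque
    HttpAccessTokenRefreshError after the token request.
    """
    report = check_delegation_scopes(scopes, authorized_string)
    if not report["ok"]:
        raise ValueError(
            "scopes not authorized for domain-wide delegation: %s"
            % ", ".join(sorted(report["missing"]))
        )
    # Imports are local so the checks above run without the Google libraries.
    import httplib2
    from apiclient.discovery import build
    from oauth2client.service_account import ServiceAccountCredentials

    credentials = ServiceAccountCredentials.from_json_keyfile_name(
        key_path, scopes=scopes
    )
    # Impersonate the named user; the key can act as any user in the domain
    # for these scopes, which is why the scope list should stay minimal.
    delegated = credentials.create_delegated(subject)
    http = delegated.authorize(httplib2.Http())
    return build("drive", "v3", http=http)


if __name__ == "__main__":
    # The question's original request: drive.metadata.readonly is not in the
    # authorized list, so delegation is rejected.
    print(check_delegation_scopes(
        ["https://www.googleapis.com/auth/drive.metadata.readonly"],
        ADMIN_CONSOLE_SCOPES,
    ))
    # The answer's corrected request: both sets agree.
    print(check_delegation_scopes(
        ["https://www.googleapis.com/auth/admin.reports.audit.readonly",
         "https://www.googleapis.com/auth/drive"],
        ADMIN_CONSOLE_SCOPES,
    ))
```

Running the script prints the two reports: the first has `ok` false with `drive.metadata.readonly` in `missing`, the second has `ok` true with empty `missing` and `extra`. The `extra` set is also where the reports scope the answer admits it does not need would show up if it were removed from the code but left authorized in the console.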