Accessing a Google Domain's Google Groups from a service account - Keep getting 403 unauthorized

Question

I'm trying to get a list of groups for a domain in Google Api (https://developers.google.com/admin-sdk/directory/v1/reference/groups/list).

I'm using "domain wide delegation", and have a service account from which the web app makes all its requests to Google. The admin-sdk requires the requesting user to be an administrator, so i'm impersonating a admin user on the given domain.

This works fine with (https://developers.google.com/admin-sdk/directory/v1/reference/users/get), but when I'm trying to use the group api, it fails like this:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "forbidden",
    "message": "Not Authorized to access this resource/api"
   }
  ],
  "code": 403,
  "message": "Not Authorized to access this resource/api"
 }
}

I have checked the the permissions from the domain administrator have been delegated to the service account. And I have also checked that i can access the list of groups, while being logged in as the domain administrator.

Any help or hints is highly appreciated. Thanks in advance

Answer 1

First, make sure that you properly followed the steps here in this documentation including this steps on how to Instantiate an Admin SDK Directory service object.

It is important because this one shows you how to make API requests using OAuth 2.0 and your service account's credentials to perform Google Apps Domain-wide delegation.

For more information, check these related SO questions:

• Google_Service_Directory - (403) Not Authorized to access this resource/api

• Received error “Not Authorized to access this resource/api” when trying to use Google Directory API and Service Account Authentication

Answer 2

You will need to add the scope for reading groups.