kcliu
Reputation: 21
403 error from Google Admin SDK with AppAssertionCredentials
I'm trying to list users via Google admin directory API.
import logging
import os
from google.appengine.api import memcache
from googleapiclient import discovery
from oauth2client.contrib.appengine import AppAssertionCredentials
import httplib2
from flask import Flask
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/admin.directory.user')
auth_http = credentials.authorize(httplib2.Http(cache=memcache))
service = discovery.build('admin', 'directory_v1', http=auth_http)
@app.route('/list')
def list():
results = service.users().list(domain='example.com', maxResults=10, orderBy='email').execute()
return 'success'
app = Flask(__name__)
I'm running this in App Engine and have enabled domain-wide delegation for App Engine default service account, as instructed in https://developers.google.com/api-client-library/python/auth/service-accounts
This is the error I'm getting: HttpError: https://www.googleapis.com/admin/directory/v1/users?orderBy=email&domain=example.com&alt=json&maxResults=10 returned "Not Authorized to access this resource/api">
Upvotes: 2
Views: 2297
Answers (1)
ReyAnthonyRenacia
Reputation: 17613
Follow the steps indicated in Delegating domain-wide authority to the service account:
Then, an administrator of the G Suite domain must complete the following steps:
- Go to your G Suite domain’s Admin console.
- Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
- Select Show more and then Advanced settings from the list of options.
- Select Manage API client access in the Authentication section.
- In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
- In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
- Click Authorize.
Make sure your service account is set to Administrator.
Upvotes: 2
Related Questions
- Receiving 403 error when accessing G Suite Admin SDK using google-api-python-client
- HttpError 403 when attempting to use Admin Directory SDK
- Unauthorized when calling Google Admin SDK Directory API
- 403 error "Not Authorized to access this resource/api" Google Admin SDK in web app even being admin
- Getting AppEngine AppAssertionCredentials working (Python)?
- Received error "Not Authorized to access this resource/api" when trying to use Google Directory API and Service Account Authentication
- Google's admin SDK directory API - 403 Not authorized
- HttpError 400 Bad Request - Google Admin Directory API (Python)
- google admin sdk directory api 403 python
- returned "Insufficient Permission"