kwiesmueller

Reputation: 190

Adding first user to newly provisioned customer through reseller API not allowed

We are setting up an easy way to provision new G Suite customers, and our project is already capable of creating customers and the respective subscriptions. But users only get a welcome mail from Google and are told to log in. When trying to create the first user through the Admin Directory API, all we get is this:

    googleapi: Error 403: Access Not Configured. Admin Directory API has not been used in project xxx before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=xxx then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured"

(sensitive information marked with xxx)

The API client is built using the same method as the reseller client and all this is done through our domain-wide delegated service account with the required scopes set in (our) G Suite.

When using the Reseller Console to jump into the new customer's admin interface, the APIs there are enabled (default).

The docs online don't really say anything about this; they just describe how to create the user, but no limitations are listed.

We are using the Golang libraries, the user insert looks like this:

    ...
    usr, err := adm.Users.Insert(trial.User).Do()
    if err != nil {
        ...
    }

    ...
    err = adm.Users.MakeAdmin(usr.PrimaryEmail, &admin.UserMakeAdmin{
        Status: true,
    }).Do()
    if err != nil {
        ...
    }
    ...

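The API client is built like this:

    const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
    if filename := os.Getenv(envVar); filename != "" {
        // Load the service account key used for domain-wide delegation.
        serviceAccountJSON, err := ioutil.ReadFile(filename)
        if err != nil {
            log.Fatal("creating oauth client failed", zap.Error(err))
        }
        // Request both the reseller scope and the directory user scope.
        config, err := google.JWTConfigFromJSON(serviceAccountJSON,
            reseller.AppsOrderScope,
            admin.AdminDirectoryUserScope,
        )
        if err != nil {
            log.Fatal("creating oauth client failed", zap.Error(err))
        }

        adminClient = config.Client(ctx)
        // Impersonate the configured user through domain-wide delegation.
        config.Subject = *impersonationUser
        resellerClient = config.Client(ctx)
    }
    res, err := reseller.New(resellerClient)
    if err != nil {
        log.Fatal("creating reseller client failed", zap.Error(err))
    }
    adm, err := admin.New(adminClient)
    if err != nil {
        log.Fatal("creating admin client failed", zap.Error(err))
    }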

Upvotes: 0

Views: 131

Answers (1)

kwiesmueller

Reputation: 190

Keeping the question open in case others stumble upon this too. The issue was that in our own project the Admin SDK API got/was disabled.

It slipped through the setup process, so if you encounter this issue, try enabling the Admin SDK API (which is different from the Reseller API).

Upvotes: 0
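
An added example, not part of the original question or answer: a standard-library Go helper that reads the `reason` field of a 403 error body and points to where the fix lies, so a disabled API in the calling project is not mistaken for a delegation or customer-side restriction. The JSON envelope, the sample body, the `insufficientPermissions` case and the name `Diagnose403` are assumptions; only the `accessNotConfigured` reason and message come from the error quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// apiError mirrors the JSON error envelope assumed for Google API responses.
type apiError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
		Errors  []struct {
			Domain string `json:"domain"`
			Reason string `json:"reason"`
		} `json:"errors"`
	} `json:"error"`
}

// Diagnose403 (hypothetical helper) maps the reason of a 403 body to a fix hint.
func Diagnose403(body []byte) (string, error) {
	var e apiError
	if err := json.Unmarshal(body, &e); err != nil {
		return "", fmt.Errorf("not a JSON error body: %w", err)
	}
	if e.Error.Code != http.StatusForbidden {
		return "", fmt.Errorf("expected 403, got %d", e.Error.Code)
	}
	for _, item := range e.Error.Errors {
		switch item.Reason {
		case "accessNotConfigured":
			// Project-level: the API is disabled in the project that owns the service account.
			return "enable the API in the calling project", nil
		case "insufficientPermissions":
			// Assumed reason string for a token that lacks the required scope.
			return "check the scopes granted for domain-wide delegation", nil
		}
	}
	return "unclassified 403: " + e.Error.Message, nil
}

// Constructed sample body, modelled on the error quoted in the question.
const sampleBody = `{"error":{"code":403,"message":"Access Not Configured. Admin Directory API has not been used in project xxx before or it is disabled.","errors":[{"domain":"usageLimits","reason":"accessNotConfigured"}]}}`

func main() {
	hint, err := Diagnose403([]byte(sampleBody))
	fmt.Println(hint, err)
}
```
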
