Insufficient Permission creating gmail group using Google Directory API

Question

I want to create group which contains some email/gmails. I am using this guide. This is my code for creating groups:

SCOPES = 'https://www.googleapis.com/auth/admin.directory.group'
store = file.Storage('token.json')
creds = store.get()
if not creds or creds.invalid {
    flow = client.flow_from_clientsecrets('client_secret.json', SCOPES)
    creds = tools.run_flow(flow, store)
}
service = build('admin', 'directory_v1', http=creds.authorize(Http()))

mdig = createetag();

reqbody = {
    "kind": "admin#directory#group",
    "id": "id065468",
    "etag": "%s" % mdig,
    "email": "grpatest065469@gmail.com",
    "name": "Grptest name",
    "directMembersCount": "2",
    "description": "Grptest",
    "adminCreated": "True",
    "aliases": [
        "first@gmail.com",
        "second@gmail.com"
    ],
    "nonEditableAliases": [
    ]
}

# Call the Admin SDK Directory API
print('Creating new group')
group = service.groups()
g = group.insert(body=reqbody).execute()

I didn't get authentication window in my browser, not sure if that's causing the problem. This is my error:

'kind': 'admin#directory#group', 'id': 'id065468', 'etag': "b'\x9fR\xe9O\x93\x84\xbe~\x19\xef\xd2DYJ`\x1d'", 'email': 'grptest065469@gmail.com', 'name': 'Grptest name', 'directMembersCount': '2', 'description': 'Grp test', 'adminCreated': 'True', 'aliases': ['first@gmail.com', 'second@gmail.com'],'nonEditableAliases': []

Creating new group

Traceback (most recent call last):
File ".\creategrp.py", line 105, in  main()
File".\creategrp.py", line 75, in main 
    g = group.insert(body=reqbody).execute()
File "C:\dev\cfehome\lib\googleapiclient\_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
File "C:\dev\cfehome\lib\googleapiclient\http.py", line 849, in execute 
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError:

Linda Lawton - DaImTo · Accepted Answer

Groups: insert requires https://www.googleapis.com/auth/admin.directory.group scope in order to use it. On top of that the user who you have authenticated with must have access to do what it is you are trying to do. Your code appears to use the correct scope.

"Insufficient Permission"

Can mean one of two things. Either

the user you are authenticating does not have access to do what you are trying to do
you have changed the scope since the user logged in.

option one:

Make sure that the user you are logging in with has admin access on the gsuite account. or you may want to check out service accounts below.

Option two:

I am not a python developer but i know about about the library you are using. When the user logs in a credential file for the user in a directory denoted by stored store = file.Storage('token.json'). By doing this when the user comes back again you dont have to ask them to log in again. If you have changed the scope what you need to do is go find that file and delete it. It should pop up and ask you for consent again.

Service Account

In the event that you wish to run this server sided you can use a service account and set up domain wide delegation this way when the script runs the service account will be able to apply these changes as needed. However seeing as you appear to be just creating a group you may not need to go though the trouble of creating a service account and setting it up if the user you are logging in with has the access anyway.

Google Api Python client documentation -> Using OAuth 2.0 for Server to Server Applications

Insufficient Permission creating gmail group using Google Directory API

Answers (2)

Related Questions