Chris Halcrow

Reputation: 31950

Adding Group using Google Admin Directory API - 403 Not Authorized to Access this Resource/API

I'm trying to add a Group using the Google Admin Directory API, from a Java app that's running on Google App Engine. I've looked at numerous other related questions on SO and tried the suggestions; however, I'm still getting the issue.

I've created a new service account using the Google Cloud console, and I've enabled G Suite domain-wide delegation. I've created a JSON key for the service account.


I've enabled the Admin Directory SDK in the Google Admin Console, and for the 'Client ID' of this service account, I've then assigned the API scope in the Google Admin Console under Security > Advanced settings > Manage API client access. I'm assigning the scope https://www.googleapis.com/auth/admin.directory.group.


In the Google Admin Console I've also made a system admin account a Groups admin, under Account > Admin Roles.


Then, in a Java application that runs on Google App Engine, I'm doing the following to use the service account credentials to impersonate the superadmin user that I've granted the Group Admin rights to:

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collection;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.model.Group;

public class AdminService {

    // Classpath location of the service account's JSON key file
    private static final String CREDENTIALS_FILE_PATH = "path_to_my_JSON_credentials_file";
    // Super admin (holding the Groups admin role) that the service account impersonates
    private static final String USER_EMAIL = "email_address_for_superadmin_with_group_admin_rights";

    public void someMethod() throws GeneralSecurityException, IOException {
        Directory directory = getDirectoryService(USER_EMAIL);

        Group group = new Group();
        group.setEmail("[email protected]");
        group.setName("test_group");
        group.setDescription("test_group_desc");

        Group googleGroup = directory.groups().insert(group).execute();
    }

    /**
     * Builds and returns a Directory service object authorized with the service account
     * acting on behalf of the given user.
     *
     * @param userEmail The email of the user. Needs permissions to access the Admin APIs.
     * @return Directory service object that is ready to make requests.
     */
    public static Directory getDirectoryService(String userEmail)
            throws GeneralSecurityException, IOException {
        HttpTransport httpTransport = new NetHttpTransport();
        JacksonFactory jsonFactory = new JacksonFactory();

        InputStream resourceAsStream = AdminService.class.getResourceAsStream(CREDENTIALS_FILE_PATH);
        Collection<String> scopeList = new ArrayList<>();
        scopeList.add(DirectoryScopes.ADMIN_DIRECTORY_GROUP);

        // Load the service account key, then rebuild the credential with the user to impersonate
        GoogleCredential gcFromJson = GoogleCredential.fromStream(resourceAsStream).createScoped(scopeList);

        GoogleCredential credential = new GoogleCredential.Builder()
            .setTransport(gcFromJson.getTransport())
            .setJsonFactory(gcFromJson.getJsonFactory())
            .setServiceAccountId(gcFromJson.getServiceAccountId())
            .setServiceAccountUser(userEmail) // domain-wide delegation: act as this admin
            .setServiceAccountPrivateKey(gcFromJson.getServiceAccountPrivateKey())
            .setServiceAccountScopes(gcFromJson.getServiceAccountScopes())
            .build();

        Directory service = new Directory.Builder(httpTransport, jsonFactory, null)
            .setHttpRequestInitializer(credential)
            .build();
        return service;
    }
}

On this line:

Group googleGroup = directory.groups().insert(group).execute(); 

I get the following error:

com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Not Authorized to access this resource/api",
    "reason" : "forbidden"
  } ],
  "message" : "Not Authorized to access this resource/api"
}

What do I need to do to authenticate?

Upvotes: 4

Views: 1833

Answers (1)

Chris Halcrow

Reputation: 31950

It's now working. One of the issues causing the 403 turned out to be that I was trying to create a group using a domain that doesn't match my G Suite domain in this line:

group.setEmail("[email protected]");

You may also have to follow this Google guide to enable access for a 3rd party app:

Control access to less secure apps

Upvotes: 2
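A pre-flight check for the cause described in this answer, added here as an example (it is not the asker's or Google's code): before inserting, it lists the customer's verified domains through the same Directory service and refuses a group address outside them, which is the mismatch that produced the 403. It assumes `directory` was built as in the question, that the service account's client ID has additionally been granted https://www.googleapis.com/auth/admin.directory.domain.readonly in the Admin Console, and the class name GroupPreflight is hypothetical.

```java
import java.io.IOException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Domains;
import com.google.api.services.admin.directory.model.Domains2;

/** Hypothetical helper: validates a group address against the customer's managed domains. */
public final class GroupPreflight {

    /** Lists the verified domains of the customer that owns the impersonated admin. */
    static Set<String> managedDomains(Directory directory) throws IOException {
        // "my_customer" resolves to the customer of the authenticated (impersonated) user.
        // Requires the admin.directory.domain.readonly scope on the delegated client ID.
        Domains2 response = directory.domains().list("my_customer").execute();
        Set<String> names = new TreeSet<>();
        List<Domains> domains = response.getDomains();
        if (domains != null) {
            for (Domains d : domains) {
                if (Boolean.TRUE.equals(d.getVerified())) {
                    names.add(d.getDomainName().toLowerCase(Locale.ROOT));
                }
            }
        }
        return names;
    }

    /** Pure check, no network: does the address belong to one of the managed domains? */
    static boolean belongsToManagedDomain(String groupEmail, Set<String> managedDomains) {
        int at = groupEmail.lastIndexOf('@');
        if (at < 0 || at == groupEmail.length() - 1) {
            return false; // no domain part at all
        }
        String domain = groupEmail.substring(at + 1).toLowerCase(Locale.ROOT);
        return managedDomains.contains(domain);
    }

    /** Fails fast with a readable reason instead of letting groups().insert() return 403. */
    static void requireManagedDomain(Directory directory, String groupEmail) throws IOException {
        Set<String> domains = managedDomains(directory);
        if (!belongsToManagedDomain(groupEmail, domains)) {
            throw new IllegalArgumentException("Group address " + groupEmail
                + " is not in a managed domain of this customer " + domains
                + "; the Directory API rejects such inserts with 403 Not Authorized.");
        }
    }
}
```

Call `GroupPreflight.requireManagedDomain(directory, group.getEmail())` just before `directory.groups().insert(group).execute()` in the question's `someMethod()`.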
