Reputation: 321
I have an internal app that users should be able to log in to using our company G Suite credentials. I've made a couple of custom roles in G Suite, which I plan to use in the app to determine what they can do there.
I'm using Passport to make the OAuth2 calls and the scope I'm using is as follows:
scope: [
  'email',
  'https://www.googleapis.com/auth/userinfo.profile',
  'https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly'
]
The last one on the list grants me access to list all the roles of the logged-in user inside my app.
I then make a call to https://www.googleapis.com/admin/directory/v1/customer/<MY_CUSTOMER_ID>/roleassignments?userKey=<MY_USER_ID>
and get a list of roles that the user has assigned to them.
The problem is that if I use my Super Admin user everything works great, but when using a test user that has no Super Admin privileges, I get the following from the Google API:
{
  errors: [
    {
      domain: 'global',
      reason: 'forbidden',
      message: 'Not Authorized to access this resource/api'
    }
  ],
  code: 403,
  message: 'Not Authorized to access this resource/api'
}
I'm pretty sure I need to grant some access to the custom role created in G Suite, but I can't figure out how to do that. I've tried ticking everything in the Role Admin Privileges view, but nothing works. Only if I give my test account Super Admin privileges does the call to the Google API work.
Upvotes: 2
Views: 628
Reputation: 321
After a bit of investigation, apparently it's not possible to do it like this.
For some reason, the user can't get his/her own custom roles even when authenticated. So I had to create a Service Account and have it impersonate a user with admin rights to get the role assignments.
Upvotes: 1