Reputation: 2489
Accessing Google API from aws lambda : Invalid OAuth scope
I am still struggling with Google's terminology of apis and services but my goal is to have automated functions via aws lambda which act on a G Suite Account (domain?) or more specific on users of this domain.
For now I just want to list all users of that domain. I run this code locally for testing.
What I have done:
- I created a service account
- I downloaded the json key file which contains the private key, private key id and so on
- I enabled G Suite Domain-wide Delegation.
- I delegated domain-wide authority to the service account from the GSuite Account
I added the following scopes for the client in the GSuite Admin Console:
This is the implementation:
const { google } = require("googleapis");
const auth = new google.auth.GoogleAuth({
keyFile: "credentials.json",
scopes:
"https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/admin/directory/v1, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user",
});
const service = google.admin({ version: "directory_v1", auth });
service.users.list(
{
domain: "my.domain.com",
maxResults: 10,
orderBy: "email",
},
(err, res) => {
if (err) return console.error("The API returned an error:", err.message);
const users = res.data.users;
if (users.length) {
console.log("Users:");
users.forEach((user) => {
console.log(`${user.primaryEmail} (${user.name.fullName})`);
});
} else {
console.log("No users found.");
}
}
);
I am not sure why I have to add the scopes in the GoogleAuth object but I took this from the google documentation.
When I run this I get the following error:
The API returned an error: invalid_scope: Invalid OAuth scope or ID token audience provided.
Upvotes: 0
Views: 2443
Answers (1)
Reputation: 26836
- The Directory API can only be used by admins
- A Service account is not an admin
- If the service account shall act on behalf on the admin, you need to
- enable G Suite Domain-wide Delegation (as you already did)
- impersonate the service account as the admin by setting the user to be impersonated
In general, when you are using a service account you need to build the authentication flow, as explained in the documentation, that is you need to create JSON Web Token (JWT) specifying the user to impersonate.
A sample code snippet for Javascript:
const jwtClient = new google.auth.JWT(
privatekey.client_email,
null,
privatekey.private_key,
scopes,
user // User who will be impersonated (needs to be an admin)
);
await jwtClient.authorize();
return jwtClient;
Upvotes: 1
Related Questions
- Service account initialization failing inside lambda function on AWS Python
- AWS - {lambda function} may not have authorization defined
- How to oAuth Google API from Lambda AWS?
- Lambda function not authorized to perform apigateway:GET
- Google API python credentials OAUTH server-server
- AWS google api authentication
- Google OAuth from AWS lambda
- keyInvalid Error when calling Google Calendar API
- Attempting to Authorize AWS Lambda for Google Calendar API Call without OAuth Consent Screen
- AWS lambda function error