Nolik

Reputation: 141

Google Directory API - 403 [Not Authorized to access this resource/api] for Method: roles.list

I am using Google Directory API .NET Client to fetch a list of roles in a domain (https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles/list).

I use a service account to authenticate on behalf of a user to create the Directory Service. Here is my code:

using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// connectionDetails (client e-mail, private key, user to impersonate) and scopes
// are populated elsewhere in the application.
var initializer = new BaseClientService.Initializer
{
    ApplicationName = "GoogleConnector",
    // Service-account credential impersonating a domain user (User) via domain-wide delegation.
    HttpClientInitializer = new ServiceAccountCredential(
        new ServiceAccountCredential.Initializer(connectionDetails.ClientEmail) { User = connectionDetails.UserId, Scopes = scopes }.FromPrivateKey(connectionDetails.PrivateKey)
    )
};

var service = new DirectoryService(initializer);
// roles.list for the customer that owns the impersonated user.
var roles = await service.Roles.List("my_customer").ExecuteAsync();

Now, it works fine without any issues when the user being used for impersonation has the Super Admin role assigned to it. However, providing the Super Admin role to this user is not feasible. When I remove the Super Admin role and assign the following roles:

  1. User Management
  2. Groups Reader
  3. Service Admin

Also, the following request scopes have been added:

the API starts failing with the error below:

Not Authorized to access this resource/
api [403] Errors [ Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global] ]

EDIT (after the comment about missing delegation to a domain user)

I have provided domain-wide delegation to the client application (since I am using a service account, following the guide) with all the required scopes.

Also, all other APIs work fine. I am using the groups.list and users.list methods without any issues. Those return the results as usual.

The issue is only with the roles.list method.

Any help is appreciated.

Upvotes: 0

Views: 126

Answers (1)

Linda Lawton - DaImTo

Reputation: 117254

You need to pass the full credentials.json as well as an admin user with access. This is my sample for creating a user; you should just be able to change the scope and the method it calls.

using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Services;

Console.WriteLine("Hello, Google Calendar Workspace sample!");

// Scope requested for the impersonated session; it must also be granted to the
// service account's client ID under domain-wide delegation.
var scopes = new[] { DirectoryService.Scope.AdminDirectoryUser };

// Workspace admin the service account impersonates.
const string workspaceAdmin = "[email protected]";

// Path to the service account's credentials.json.
const string credentials = @"C:\Development\Credentials\workspaceserviceaccount.json";

var credential = GoogleCredential.FromFile(credentials).CreateScoped(scopes).CreateWithUser(workspaceAdmin);

var services = new DirectoryService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
});

var request = services.Users.List();
request.Customer = "my_customer";
request.MaxResults = 10;
request.OrderBy = UsersResource.ListRequest.OrderByEnum.Email;

var results = request.Execute();

var users = results.UsersValue;

if (users == null || users.Count == 0)
{
    Console.WriteLine("No Users");
    return;
}

Console.WriteLine("Users:");
foreach (var user in users)
{
    Console.WriteLine($"{user.PrimaryEmail} ({user.Name.FullName})");
}

Upvotes: 0
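The answer's credential pattern pointed at the method the question actually fails on, roles.list, as an added example that is neither the asker's nor the answerer's code. It requests only the read-only role-management scope, pages through the results, prints each role's privileges (so a practitioner can see which non-super-admin role carries the privileges they need), and handles the 403 explicitly. The credentials path and the impersonated admin address are placeholders; the scope must also be granted to the service account's client ID under domain-wide delegation, and delegation alone does not raise the impersonated user's privileges: the call is still bounded by the roles that user holds.

```csharp
// Added example, not code from the original question or answer.
// Assumptions: credentialsPath and workspaceAdmin below are placeholders.
using System;
using System.Net;
using Google;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// Read-only scope for admin roles. Grant the same scope to the service account's
// client ID in the Admin console (Security > API controls > Domain-wide delegation).
var scopes = new[] { DirectoryService.Scope.AdminDirectoryRolemanagementReadonly };

// Assumed: a Workspace account whose admin role allows reading admin roles.
const string workspaceAdmin = "admin@example.com";

// Assumed: path to the service account's downloaded credentials.json.
const string credentialsPath = @"C:\Development\Credentials\workspaceserviceaccount.json";

var credential = GoogleCredential.FromFile(credentialsPath)
    .CreateScoped(scopes)
    .CreateWithUser(workspaceAdmin);

var service = new DirectoryService(new BaseClientService.Initializer
{
    HttpClientInitializer = credential,
    ApplicationName = "GoogleConnector",
});

try
{
    string pageToken = null;
    var total = 0;

    // roles.list is paginated; follow NextPageToken until it is empty.
    do
    {
        var request = service.Roles.List("my_customer");
        request.MaxResults = 100;
        request.PageToken = pageToken;

        var page = await request.ExecuteAsync();

        if (page.Items != null)
        {
            foreach (var role in page.Items)
            {
                total++;
                var kind = role.IsSuperAdminRole == true ? "super admin"
                         : role.IsSystemRole == true ? "system"
                         : "custom";
                Console.WriteLine($"{role.RoleName} (id {role.RoleId}, {kind})");

                // Listing privileges per role shows which non-super-admin role
                // already covers the access the application needs.
                if (role.RolePrivileges != null)
                {
                    foreach (var privilege in role.RolePrivileges)
                    {
                        Console.WriteLine($"    {privilege.ServiceId}: {privilege.PrivilegeName}");
                    }
                }
            }
        }

        pageToken = page.NextPageToken;
    } while (!string.IsNullOrEmpty(pageToken));

    Console.WriteLine($"{total} role(s) listed.");
}
catch (GoogleApiException ex) when (ex.HttpStatusCode == HttpStatusCode.Forbidden)
{
    // 403 here means either the scope was not delegated to this client ID, or the
    // impersonated user's own admin role does not permit reading admin roles.
    Console.WriteLine($"roles.list returned 403: {ex.Message}");
    Console.WriteLine("Verify the delegated scope for the service account's client ID and the privileges of the impersonated user's admin role.");
}
```

Run this once with the Super Admin account to establish a baseline, then with the candidate non-super-admin account; if the first call succeeds and the second returns 403 with the same delegated scope, the difference lies in the impersonated user's role, not in the delegation setup.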
