Try something like:
```ruby
require 'google/api_client'

# Email of the Service Account
SERVICE_ACCOUNT_EMAIL = '<some-id>@developer.gserviceaccount.com'

# Email account of the Admin User
ADMIN_EMAIL = 'your-google-admin@yourdomain.com'

# Path to the Service Account's Private Key file
SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/path/to/<public_key_fingerprint>-privatekey.p12'

##
# Build an Admin SDK client instance authorized with the service account
# that acts on behalf of the given user.
#
# @param [String] user_email
#   The email of the user to impersonate; defaults to the admin user.
# @return [Google::APIClient]
#   Client instance
def build_client(user_email = ADMIN_EMAIL)
  # 'notasecret' is the default passphrase of Google-issued .p12 key files.
  key = Google::APIClient::PKCS12.load_key(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'notasecret')
  asserter = Google::APIClient::JWTAsserter.new(
    SERVICE_ACCOUNT_EMAIL,
    'https://www.googleapis.com/auth/admin.directory.group.readonly',
    key
  )
  client = Google::APIClient.new
  # Impersonate the given user (the admin by default) through the service account.
  client.authorization = asserter.authorize(user_email)
  client
end
```
This is roughly adapted from the Google Drive Domain-Wide authorization document. When using Service Accounts with the Admin SDK Directory API, you still need to impersonate an admin user.
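To make the impersonation step concrete, here is an added example (not part of the original answer and not the client library's own code) that builds the kind of signed JWT assertion Google's OAuth 2.0 service-account flow expects, where `iss` is the service account and `sub` is the admin user being impersonated. The function names, the `example.invalid` addresses and the throwaway RSA key are assumptions made for illustration; only Ruby's standard library is used.

```ruby
require 'openssl'
require 'json'

# Google's OAuth 2.0 token endpoint, used as the JWT audience.
TOKEN_URI = 'https://oauth2.googleapis.com/token'
READONLY_GROUP_SCOPE = 'https://www.googleapis.com/auth/admin.directory.group.readonly'

# Unpadded base64url, as JWTs require (hypothetical helper).
def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)
  padded.unpack1('m0')
end

# Build the RS256-signed assertion. `subject` is the domain user the service
# account acts as; a narrow read-only scope limits what that identity can do.
def build_assertion(issuer:, subject:, scope:, key:, now: Time.now.to_i)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = { iss: issuer, sub: subject, scope: scope,
             aud: TOKEN_URI, iat: now, exp: now + 3600 } # lifetime: one hour
  signing_input = "#{b64url(header.to_json)}.#{b64url(claims.to_json)}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Verify the signature before trusting any claim, then return the claims.
def decode_assertion(jwt, public_key)
  head, body, sig = jwt.split('.')
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'),
                            b64url_decode(sig), "#{head}.#{body}")
  raise ArgumentError, 'signature does not match' unless valid
  JSON.parse(b64url_decode(body))
end

if __FILE__ == $PROGRAM_NAME
  demo_key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  jwt = build_assertion(issuer: 'svc-account@example.invalid', # constructed
                        subject: 'admin@example.invalid',      # constructed
                        scope: READONLY_GROUP_SCOPE, key: demo_key)
  puts JSON.pretty_generate(decode_assertion(jwt, demo_key.public_key))
end
```

Because anyone holding the private key can name any domain user in `sub` for the scopes the domain has delegated, the `.p12` file deserves the same protection as an admin credential.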