google admin sdk directory api 403 python

https://stackoverflow.com/questions/20704925

20-09-2022
|

Question

i want to use admin sdk directory api to create eamil account of users.

i am using google-api-python-client-1.2 library.

in folder /samples/service_account/tasks.py works for me.

but when i chance that file to list users from admin directory api it doesn't works and throws errors.

below is the code i am using.

import httplib2
import pprint
import sys
import inspect

from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
def main(argv):
    f = file('my-privatekey.p12', 'rb')
    key = f.read()
    f.close()

   credentials = SignedJwtAssertionCredentials(
      'my@developer.gserviceaccount.com',
      key,
      scope=['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.readonly'])
   http = httplib2.Http()
   http = credentials.authorize(http)

   service = build("admin", "directory_v1", http)
   list_of_apis = service.users().list(domain='mydomain.com').execute(http=http)
   pprint.pprint(list_of_apis)
if __name__ == '__main__':
      main(sys.argv)

when i run the above code i get below errors.

$python tasks.py 
No handlers could be found for logger "oauth2client.util"
Traceback (most recent call last):
  File "tasks.py", line 77, in <module>
    main(sys.argv)
  File "tasks.py", line 66, in main
    list_of_apis = service.users().list(domain='messycoders.com').execute(http=http)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/apiclient/http.py", line 723, in execute
    raise HttpError(resp, content, uri=self.uri) apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?domain=messycoders.com&alt=json returned "Not Authorized to access this resource/api">

Solution

Try:

   credentials = SignedJwtAssertionCredentials(
      'my@developer.gserviceaccount.com',
      key,
      sub='superadmin@mydomain.com',
      scope=['https://www.googleapis.com/auth/admin.directory.user',])

You don't need both scopes, use readonly if you're doing read operations only, use the above if you're doing read and write.

sub= defines which Google Apps account the service account should impersonate to perform the directory operations, it's necessary and the account needs to have the right permissions.

Lastly, be sure that you've granted the service account's client_id access to the directory scopes you need in the Control Panel. The steps to do this are listed in the Drive documentation, just sub in the correct scope(s) for Admin Directory.

Licensed under: CC-BY-SA with attribution

Not affiliated with StackOverflow