I finally got this to work using a service account. I did have to grant 3rd party access as Emily Lam suggested, but by a different means:
- Log in to admin console
- Security -> Advanced settings -> Authentication -> Manage third party OAuth Client access
- Authorize a new client by setting the Client Name to the Client ID of the service account, and the API scope to whatever you need from the Admin SDK (e.g., `https://www.googleapis.com/auth/admin.directory.group`)
The other thing I needed to do was make sure my request was being made on behalf of an administrative user. Using the PHP API, setting up the credentials object looks like this:
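```php
// $clientEmail: the service account's email address; $keyFile: path to its private key file
$cred = new Google_Auth_AssertionCredentials(
    $clientEmail,
    'https://www.googleapis.com/auth/admin.directory.group',
    file_get_contents($keyFile)
);
// Make the request on behalf of an administrative user
$cred->sub = 'admin@example.com';
```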
Now I am able to successfully make calls using the `Google_Service_Directory` class.
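What setting `sub` changes on the wire, as an added example that is not part of the original answer or of the Google client library: the service account signs a JWT whose `sub` claim names the impersonated user and whose `scope` must be one authorized for that Client ID in the admin console. The service account address and the throwaway key are constructed, the function names are hypothetical, and no request is sent.

```php
<?php
// Added example: build the signed JWT assertion a service account exchanges
// for an access token under domain-wide delegation.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/'));
}

function buildAssertion(string $clientEmail, string $scope, string $sub, $privateKey, int $now): string {
    $header = ['alg' => 'RS256', 'typ' => 'JWT'];
    $claims = [
        'iss'   => $clientEmail,                           // the service account itself
        'sub'   => $sub,                                   // the admin user being impersonated
        'scope' => $scope,                                 // request only what was authorized
        'aud'   => 'https://oauth2.googleapis.com/token',  // Google's OAuth 2.0 token endpoint
        'iat'   => $now,
        'exp'   => $now + 3600,                            // one hour is the maximum lifetime
    ];
    $input = b64url(json_encode($header, JSON_UNESCAPED_SLASHES))
           . '.' . b64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    if (!openssl_sign($input, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Could not sign assertion');
    }
    return $input . '.' . b64url($signature);
}

// Constructed inputs: a throwaway RSA key stands in for the real key file.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$scope = 'https://www.googleapis.com/auth/admin.directory.group';
$jwt = buildAssertion('svc@example-project.iam.gserviceaccount.com', $scope, 'admin@example.com', $key, time());

// Body that would be POSTed to the token endpoint (not sent here).
$body = http_build_query([
    'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion'  => $jwt,
]);

// Decode the claims and check the signature with the matching public key.
[$h, $c, $s] = explode('.', $jwt);
$claims = json_decode(b64urlDecode($c), true);
$public = openssl_pkey_get_details($key)['key'];
$valid  = openssl_verify("$h.$c", b64urlDecode($s), $public, OPENSSL_ALGO_SHA256) === 1;

printf("iss=%s\nsub=%s\nscope=%s\nsignature valid: %s\n",
    $claims['iss'], $claims['sub'], $claims['scope'], $valid ? 'yes' : 'no');
```

Because any user in the domain can be named in `sub`, the scopes authorized for the Client ID are the effective limit on what a holder of the key file can do.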