Question

I'm trying to authorize with google admin api and list mailing list users. I downloaded a key from api console and did:

require 'google/api_client'
client= Google::APIClient.new(application_name: "myapp", application_version: "0.1")
groups= client.discovered_api('admin', 'directory_v1')
key = Google::APIClient::PKCS12.load_key(Dir['*.p12'].first, 'notasecret')

client.authorization = Signet::OAuth2::Client.new(
  token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
  audience: 'https://accounts.google.com/o/oauth2/token',
  scope: 'https://www.googleapis.com/auth/admin.directory.group.readonly',
  issuer: '123asdf@developer.gserviceaccount.com',
  signing_key: key)
client.authorization.fetch_access_token!

puts client.execute(api_method: groups.users.list, parameters: {}).body

I tried adding groupKey: "mygroup@googlegroups.com". I tried setting domain: "mysite.com". It always results in "insufficient permission".

What more do I have to do to list users in a group?


Solution

Try something like:

require 'google/api_client'

## Email of the Service Account #
SERVICE_ACCOUNT_EMAIL = '<some-id>@developer.gserviceaccount.com'

## Email account of the Admin User ##
ADMIN_EMAIL = 'your-google-admin@yourdomain.com'

## Path to the Service Account's Private Key file #
SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/path/to/<public_key_fingerprint>-privatekey.p12'

##
# Build an Admin SDK client instance authorized with the service account
# that acts on behalf of the given user.
#
# @param [String] user_email
#   The email of the user to impersonate (defaults to the admin user).
# @return [Google::APIClient]
#   Client instance
def build_client(user_email = ADMIN_EMAIL)
  key = Google::APIClient::PKCS12.load_key(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'notasecret')
  asserter = Google::APIClient::JWTAsserter.new(SERVICE_ACCOUNT_EMAIL,
      'https://www.googleapis.com/auth/admin.directory.group.readonly', key)
  client = Google::APIClient.new
  # Impersonate the given user; the Directory API requires an admin here.
  client.authorization = asserter.authorize(user_email)
  client
end

This is roughly adapted from the Google Drive Domain-Wide authorization document. When using Service Accounts with the Admin SDK Directory API, you still need to impersonate an admin user.
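
What the impersonation changes on the wire, as an added example that is not part of the original answer or of the google-api-client library: it builds the signed JWT assertion for the service-account token request with and without the impersonated user, then verifies and decodes it. It assumes the `sub` claim name from Google's service-account OAuth documentation; the key, issuer and admin address are constructed sample values and the helper names are hypothetical.

```ruby
require 'openssl'
require 'json'

# Endpoint and scope as used in the question's Signet setup.
TOKEN_URI = 'https://accounts.google.com/o/oauth2/token'
SCOPE = 'https://www.googleapis.com/auth/admin.directory.group.readonly'

# Constructed sample values, not real credentials.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_ISSUER = 'demo-sa@developer.gserviceaccount.com'
DEMO_ADMIN = 'admin@example.com'

# Unpadded URL-safe base64, as used for JWT segments.
def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

# Build the RS256-signed JWT sent as `assertion` in the
# urn:ietf:params:oauth:grant-type:jwt-bearer token request.
# `sub` names the user the service account asks to act as; when nil,
# the resulting token represents the service account itself.
def build_assertion(issuer:, key:, scope:, sub: nil, now: Time.now.to_i)
  claims = { iss: issuer, scope: scope, aud: TOKEN_URI, iat: now, exp: now + 3600 }
  claims[:sub] = sub if sub
  signing_input = [{ alg: 'RS256', typ: 'JWT' }, claims]
                  .map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Verify the signature with the public key and return the claim set.
def decode_assertion(jwt, public_key)
  head, body, sig = jwt.split('.')
  raw = ->(segment) { segment.tr('-_', '+/').unpack1('m') }
  ok = public_key.verify(OpenSSL::Digest::SHA256.new, raw.call(sig), "#{head}.#{body}")
  raise ArgumentError, 'bad signature' unless ok
  JSON.parse(raw.call(body))
end

if __FILE__ == $PROGRAM_NAME
  pub = DEMO_KEY.public_key
  plain = build_assertion(issuer: DEMO_ISSUER, key: DEMO_KEY, scope: SCOPE)
  delegated = build_assertion(issuer: DEMO_ISSUER, key: DEMO_KEY, scope: SCOPE, sub: DEMO_ADMIN)
  puts "service account only: #{decode_assertion(plain, pub)}"
  puts "acting as admin:      #{decode_assertion(delegated, pub)}"
end
```

Decoding an assertion this way before it is sent is a quick check that the impersonated user and the requested scope are exactly the ones authorized for the service account in the admin console.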

Other tips

I've had the same problems. I've written an example gist which explains how to set it up:

https://gist.github.com/thomaswitt/7468182

Steps are:

  1. Go to Google Cloud Console (https://cloud.google.com/console)
  2. Create Service Account with P12 File
  3. Enable the Admin SDK in APIs.
  4. Create a Project
  5. Create a registered app within this project
  6. Go to section 'Certificate' and generate a key
  7. Download the JSON file as well
  8. Go to the Apps Console > Security > Extended > 3rdParty OAuth (https://admin.google.com/AdminHome?#OGX:ManageOauthClients)
  9. Add an API Client. Client name is value of client_id in the JSON file, API Scope is https://www.googleapis.com/auth/admin.directory.user.readonly
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow