Google Admin SDK 403 Not Authorized to Access this Resource/API

Question

I use the following code in a java web application to try to get all users of a group:

GoogleCredential credential = GoogleCredential.fromStream(Util.class.g         


        

Answer 1

For now, I am just using the p12 file as outlined here:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

If anyone knows of a way to execute the code in this question with a json file, feel free to comment/answer.

Answer 2

As JSON credentials is not supported serviceAccountUser I've done workaround: make credential copy.

See code here: https://stackoverflow.com/a/42313446/548473

Answer 3

Here's the solution by setting the admin email with a JSON file:

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import static com.google.api.client.googleapis.util.Utils.getDefaultJsonFactory;
import static com.google.api.client.googleapis.util.Utils.getDefaultTransport;
// ...

String ADMIN_EMAIL = "admin@company.com";
String jsonConfigFile = "/GSuite Integration.json";
List<String> scopes = Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_USER, DirectoryScopes.ADMIN_DIRECTORY_USERSCHEMA_READONLY);

GoogleCredential credential;
try (InputStream is = CredentialsWorkaroundTest.class.getResourceAsStream(jsonConfigFile)) {
    credential = GoogleCredential.fromStream(is)
        .createDelegated(ADMIN_EMAIL)
        .createScoped(scopes);
}

Directory service = new Directory.Builder(getDefaultTransport(), getDefaultJsonFactory(), credential)
        .setApplicationName(APPLICATION_NAME)
        .build();

(Domain-wide delegation is not required)

Note - using google-api-client version 1.28.0

Answer 4

As suggested by this answer to a related question, including the sub (subject, I think) to indicate the email address of a delegated admin in your Google Apps account is a necessary step for the API calls to work. That delegated admin will also probably need to be authorized to access/modify the data or endpoints you are calling. Since my experience has been with the PHP client, not Java, I don't know the specifics of how you will provide that email address to the Java classes in use in your example.