403 error from Google Admin SDK with AppAssertionCredentials

大城市里の小女人 submitted on 2019-12-11 04:25:40

Question


I'm trying to list users via Google admin directory API.

import httplib2

from flask import Flask
from google.appengine.api import memcache
from googleapiclient import discovery
from oauth2client.contrib.appengine import AppAssertionCredentials

# Create the Flask app before any @app.route decorator refers to it.
app = Flask(__name__)

# Credentials of the App Engine default service account, limited to the Directory users scope.
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/admin.directory.user')
auth_http = credentials.authorize(httplib2.Http(cache=memcache))
service = discovery.build('admin', 'directory_v1', http=auth_http)


@app.route('/list')
def list_users():
    # Directory API users.list call; this is the request that returns the error below.
    results = service.users().list(domain='example.com', maxResults=10, orderBy='email').execute()
    return 'success'

I'm running this in App Engine and have enabled domain-wide delegation for the App Engine default service account, as instructed in https://developers.google.com/api-client-library/python/auth/service-accounts

This is the error I'm getting: HttpError: https://www.googleapis.com/admin/directory/v1/users?orderBy=email&domain=example.com&alt=json&maxResults=10 returned "Not Authorized to access this resource/api">


Answer 1:


Follow the steps indicated in Delegating domain-wide authority to the service account:

Then, an administrator of the G Suite domain must complete the following steps:

  1. Go to your G Suite domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  3. Select Show more and then Advanced settings from the list of options.
  4. Select Manage API client access in the Authentication section.
  5. In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  7. Click Authorize.

Make sure your service account is set to Administrator.
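
Added example, not part of the original answer and not code from Google's client libraries: it checks the scopes an application requests against the value entered in step 6, and builds the unsigned JWT claim set a service account sends to Google's token endpoint when it uses domain-wide delegation, where `sub` names the domain user it acts as. The e-mail addresses are constructed placeholders and the function names are hypothetical.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google OAuth 2.0 token endpoint
MAX_LIFETIME = 3600  # Google accepts assertions valid for at most one hour


def unauthorized_scopes(requested, authorized_field):
    """Requested scopes missing from the comma-separated list entered in step 6."""
    authorized = {s.strip() for s in authorized_field.split(",") if s.strip()}
    return sorted(set(requested) - authorized)


def delegated_claims(sa_email, user_email, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set for a token request that acts on behalf of user_email."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,            # the service account itself
        "sub": user_email,          # the domain user being impersonated
        "scope": " ".join(scopes),  # space-delimited; each one must be authorized
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def b64url(obj):
    """Compact JSON, base64url-encoded without padding, as JWTs require."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def signing_input(claims):
    """header.payload string that the service account key signs with RS256."""
    return b64url({"alg": "RS256", "typ": "JWT"}) + "." + b64url(claims)


if __name__ == "__main__":
    # Constructed sample values: scope from the question, scope list from step 6.
    scope = "https://www.googleapis.com/auth/admin.directory.user"
    console_field = "https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar"
    print("not authorized:", unauthorized_scopes([scope], console_field))
    claims = delegated_claims("sa@example-project.iam.gserviceaccount.com", "admin@example.com", [scope])
    print(signing_input(claims))
```

A non-empty result from `unauthorized_scopes` means the token request asks for a scope the administrator never granted to that client ID.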



Source: https://stackoverflow.com/questions/42243221/403-error-from-google-admin-sdk-with-appassertioncredentials
