Question
I am trying to get the list of chrome devices registered with the specified customer Id.
I have done the following Steps.
- Enabled Google Admin Directory API
- Created Service Account and downloaded the jwt.json file for connectivity.
- Enabled the domain-wide G Suite delegation privilege.
Registered this client ID as an authorized API client through Google Admin (Manage API client access):
Client Id: our clientid
API Scope:
View and manage your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos
View your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
Next I used my Node module to generate the JWT access token. The token is created successfully.
{"access_token":"ya29.c.KpEB****K*********lufaGlx5k********hvAdADxBhOA****8R3rnTPKKnVb97sdPFG66wHy4FPrnx6KskafKXrBBfEgILdDelP-n5irpKm5h8y8oBWHO*******Xg","token_type":"Bearer","expiry_date":1587150649000,"refresh_token":"jwt-placeholder"}
Now I am trying to use this Bearer token to access the following API:
https://www.googleapis.com/admin/directory/v1/customer/ourcustomerid/devices/chromeos
This is always giving the following error.
    {
      "error": {
        "errors": [{
          "domain": "global",
          "reason": "forbidden",
          "message": "Not Authorized to access this resource/api"
        }],
        "code": 403,
        "message": "Not Authorized to access this resource/api"
      }
    }
Not sure what is the issue.
Answer 1:
It's working after adding the impersonated user's email address... Originally it was
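    const { google } = require('googleapis');

    // No subject argument: the JWT carries no user to impersonate.
    const jwtAuth = new google.auth.JWT(
      quickstart.client_email,   // service account email
      null,                      // keyFile (unused, the key is passed inline)
      quickstart.private_key,    // service account private key
      [
        'https://www.googleapis.com/auth/admin.directory.device.chromeos',
        'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
      ]
    );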
Then I added the subject as the impersonated user's email address.
    // Fifth argument (subject): the user the service account impersonates.
    const jwtAuth = new google.auth.JWT(
      quickstart.client_email,
      null,
      quickstart.private_key,
      [
        'https://www.googleapis.com/auth/admin.directory.device.chromeos',
        'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
      ],
      'email address of the impersonated user',
    );
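What the `subject` argument changes, as an added example that is not part of the original answer: it becomes the `sub` claim of the JWT assertion the service account signs for the token endpoint. The key and both addresses below are constructed placeholders, and `checkDelegation` is a hypothetical preflight helper, not a googleapis function.

```javascript
// Added example (not the poster's code): the assertion with and without `sub`.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build and sign the assertion sent in the OAuth 2.0 JWT bearer grant.
function buildAssertion({ clientEmail, privateKey, scopes, subject }, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: clientEmail,                            // the service account
    scope: scopes.join(' '),
    aud: 'https://oauth2.googleapis.com/token',  // Google's token endpoint
    iat: now,
    exp: now + 3600,
  };
  if (subject) claims.sub = subject;             // user to impersonate via delegation
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Decode the claim set only (no signature check), for local inspection.
function decodeClaims(assertion) {
  return JSON.parse(Buffer.from(assertion.split('.')[1], 'base64').toString('utf8'));
}

// Preflight check: flag Directory API scopes requested with no user to impersonate.
function checkDelegation(assertion) {
  const claims = decodeClaims(assertion);
  const adminScopes = claims.scope.split(' ').filter((s) => s.includes('/auth/admin.directory.'));
  if (adminScopes.length > 0 && !claims.sub) {
    return { ok: false, actingAs: claims.iss, reason: 'admin.directory scope requested without a sub claim' };
  }
  return { ok: true, actingAs: claims.sub || claims.iss };
}

// Constructed sample values: throwaway key, placeholder addresses.
const sample = {
  clientEmail: 'svc@example-project.iam.gserviceaccount.com',
  privateKey: crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey,
  scopes: ['https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'],
};
const withoutSubject = buildAssertion(sample);
const withSubject = buildAssertion({ ...sample, subject: 'admin@example.com' });
console.log(checkDelegation(withoutSubject));
console.log(checkDelegation(withSubject));
```

Without `sub`, the resulting access token represents the service account itself rather than a Workspace admin, which matches the 403 in the question. The sample requests only the `.readonly` scope, which is enough for listing devices.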
Source: https://stackoverflow.com/questions/61279055/google-adminsdk-directory-api-access