[英]Received error “Not Authorized to access this resource/api” when trying to use Google Directory API and Service Account Authentication
I'm really struggling with trying to use Service Account authentication to use the Google Directory API (Admin SDK). 我真的很难尝试使用服务帐户身份验证来使用Google Directory API(Admin SDK)。
Using client based three legged OAuth this works (tested here - https://developers.google.com/admin-sdk/directory/v1/reference/members/insert ) but there's a problem with the permission delegation to the service account I am using. 使用基于客户端的三脚架OAuth可以正常运行(在此处测试 - https://developers.google.com/admin-sdk/directory/v1/reference/members/insert )但是我对服务帐户的权限委派存在问题使用。 Under the Google Apps administration, I enabled using APIs and added the service account to the list of allowed OAuth clients as instructed. 在Google Apps管理下,我启用了API,并按照说明将服务帐户添加到允许的OAuth客户端列表中。
Here is the code: 这是代码:
import httplib2
import sys
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
credentials = SignedJwtAssertionCredentials(
'<KEY>@developer.gserviceaccount.com',
'<KEY DATA>',
scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member'
)
http = httplib2.Http()
http = credentials.authorize(http)
service = build("admin", "directory_v1", http=http)
groups = service.groups()
g = groups.get(groupKey="<GROUP NAME>").execute()
Eventually, I get the following error: 最终,我收到以下错误:
apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups/<GROUP NAME>?alt=json returned "Not Authorized to access this resource/api">
I tried using the following API as well: 我也尝试使用以下API:
service = build("groupssettings", "v1", http=http)
But this returns an error as well - "Backend Error". 但这也会返回错误 - “后端错误”。
Even though you're using a Service Account you still need to act on behalf of a Google Apps user in the instance that has the proper admin permissions. 即使您使用的是服务帐户,您仍需要代表具有适当管理权限的实例中的Google Apps用户。 Try doing: 尝试做:
credentials = SignedJwtAssertionCredentials(
'<KEY>@developer.gserviceaccount.com',
'<KEY DATA>',
scope='https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member',
sub='super-admin@yourdomain.com'
)
where super-admin@yourdomain.com is a super administrator in your Google Apps account. super-admin@yourdomain.com是您的Google Apps帐户中的超级管理员。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.