
Authenticating to the Google Admin Directory API

I'm trying to figure out how to authenticate to the Admin Directory API. My goal is to be able to create new GSuite users.

I have followed this guide https://github.com/jay0lee/GAM/wiki/CreatingClientSecretsFile to set up a client/id secret and service account with Domain-Wide Delegation.

I can successfully get a bearer token; however, when I try to make a request to an endpoint I get a 403. I would expect to be authenticated to this endpoint, as I can successfully get all data using GAM, which is using the same credentials.

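# Net::HTTP and URI are used directly below, so load them explicitly.
require 'net/http'
require 'uri'
require 'googleauth'
require 'google/apis/admin_directory_v1'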

scope = ["https://www.googleapis.com/auth/admin.directory.user.readonly", "https://www.googleapis.com/auth/admin.directory.user"]

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open('service_account.json'),
  scope: scope)

pload = authorizer.fetch_access_token!
token = pload["access_token"]

url = "https://www.googleapis.com/admin/directory/v1/users/my@email.com"
uri = URI.parse(url)
request = Net::HTTP::Get.new(uri)
request.content_type = "application/json"
request["Authorization"] = "Bearer #{token}"

req_options = {
  use_ssl: uri.scheme == "https",
}

response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
  http.request(request)
end

p response #=> <Net::HTTPForbidden 403 Forbidden readbody=true>

Fixed the scopes on the service account, and everything works.
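
One way to check the kind of mismatch the answer describes, as an added example that is not the poster's code: it assumes "the scopes on the service account" means the scope list authorized for the service account under Domain-Wide Delegation, and compares that list with the scopes the code requests. The helper names (`parse_scopes`, `canonical`, `audit_scopes`) are hypothetical and the granted list is constructed sample data.

```ruby
require 'set'

# Scopes exactly as the question's code requests them.
REQUESTED = [
  "https://www.googleapis.com/auth/admin.directory.user.readonly",
  "https://www.googleapis.com/auth/admin.directory.user"
].freeze

# Constructed sample of a granted-scope list (comma-separated), containing
# a trailing-slash typo and a grant the code never uses.
GRANTED_RAW = "https://www.googleapis.com/auth/admin.directory.user.readonly, " \
              "https://www.googleapis.com/auth/admin.directory.user/ ," \
              "https://www.googleapis.com/auth/admin.directory.group"

def parse_scopes(raw)
  raw.split(/[,\s]+/).reject(&:empty?)
end

# Scope strings are compared exactly, so fold only to spot near misses.
def canonical(scope)
  scope.strip.downcase.sub(%r{\Ahttp://}, "https://").chomp("/")
end

def audit_scopes(requested, granted_raw)
  granted = parse_scopes(granted_raw)
  exact = granted.to_set
  by_canon = granted.group_by { |s| canonical(s) }
  report = { ok: [], near_miss: {}, missing: [] }
  requested.each do |scope|
    if exact.include?(scope)
      report[:ok] << scope
    elsif by_canon.key?(canonical(scope))
      report[:near_miss][scope] = by_canon[canonical(scope)].first
    else
      report[:missing] << scope
    end
  end
  # Grants no requested scope maps to: candidates for removal.
  report[:unused] = granted - report[:ok] - report[:near_miss].values
  # For this pair, the read/write scope already covers its ".readonly" sibling.
  report[:redundant] = requested.select do |s|
    s.end_with?(".readonly") && requested.include?(s.delete_suffix(".readonly"))
  end
  report
end

pp audit_scopes(REQUESTED, GRANTED_RAW) if __FILE__ == $PROGRAM_NAME
```

Entries under `near_miss` and `missing` are the ones to correct in the grant; entries under `unused` and `redundant` are least-privilege cleanup.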
