[英]Google service account can't impersonate GSuite user
from google.oauth2 import service_account
import googleapiclient.discovery
SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = 'GOOGLE_SECRET.json'
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
delegated_credentials = credentials.with_subject('address@example.com')
google_calendar = googleapiclient.discovery.build('calendar', 'v3', credentials=delegated_credentials)
events = google_calendar.events().list(
calendarId='address@example.com',
maxResults=10
).execute()
上述代码的结果是:
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', '{\n "error" : "unauthorized_client",\n "error_description" : "Client is unauthorized to retrieve access tokens using this method."\n}')
Domain-wide delegation已开启。 服务帐号客户端 ID 在 GSuite 中获得了适当范围的授权。
服务帐户适用于普通凭据。 它仅不适用于委派凭据。
我在我们的域中尝试了不同的 API(范围)和不同的用户。
我让一位同事尝试从头开始编写一个样本,他得到了同样的结果。
我认为您的问题是您在调用Calendar API之前没有授权您的凭据,但是我在自己的实现中使用了一些差异
使用以下导入语句
from oauth2client.service_account import ServiceAccountCredentials from apiclient import discovery在构建服务时授权凭据并将其作为http参数传递
尝试对您的代码进行此修改:
from apiclient import discovery
from oauth2client.service_account import ServiceAccountCredentials
import httplib2
SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = 'GOOGLE_SECRET.json'
credentials = ServiceAccountCredentials.from_json_keyfile_name(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
# Use the create_delegated() method and authorize the delegated credentials
delegated_credentials = credentials.create_delegated('address@example.com')
delegated_http = delegated_credentials.authorize(httplib2.Http())
google_calendar = discovery.build('calendar', 'v3', http=delegated_http)
events = google_calendar.events().list(
calendarId='address@example.com',
maxResults=10
).execute()
我还建议在您的 API 调用中设置calendarId='primary' ,以便您始终返回您当前已为其委派凭据的用户的主日历。
有关使用ServiceAccountCredentials进行身份验证的更多信息,请参阅以下链接: http : //oauth2client.readthedocs.io/en/latest/source/oauth2client.service_account.html
GCP:允许服务帐户模拟具有 Google Analytics 范围的用户帐户
[英]GCP: Allow Service Account to Impersonate a User Account with Google Analytics Scopes
通过Google App Engine上的Google Drive服务帐户访问来模拟用户
[英]Google Drive Service Account Access on Google App Engine to Impersonate Users
AppEngine上的AppAssertionCredentials:如何模拟用户帐户?
[英]AppAssertionCredentials on AppEngine: how to impersonate user account?
如何验证我的 Cloud Run 服务以访问 G Suite 用户的 Gmail 消息?
[英]How can I authenticate my Cloud Run service to access a GSuite user's gmail messages?
无法重命名服务器上的文件,然后通过服务帐户上传到谷歌驱动器 API
[英]Can't rename file on server, then upload onto google drive API via service account
服务帐户无法使用域范围委派连接到 Google 表格
[英]Service account can't connect to a Google Sheet using domain wide delegation
Google Cloud - 如何在应用程序代码中对用户而不是服务帐户进行身份验证?
[英]Google Cloud - How to authenticate USER instead of a service account in app code?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.