google-admin-sdk - 谷歌目录 API : 403 when retrieving user information with service account

Question

这可能与 Google Directory API returns 403 for user_list with showDeleted=true 有关但不幸的是，我还无法发表评论，也没有答案可以提供。

我收到了 service account从学校的 G Suite 获得许可

https://www.googleapis.com/auth/admin.directory.user.readonly

G Suite 管理员表示他已将域范围的权限委派给该帐户，并且我能够创建服务帐户 JWT 并检索访问 token 以使用 HTTP/REST 流调用 API。但是，当我调用 user get endpoint请求有关帐户的信息 -

https://www.googleapis.com/admin/directory/v1/users/redacted%40redacted.com?projection=full

我收到以下信息:

The remote server returned an error: (403) Forbidden.
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Not Authorized to access this resource/api"
      }
    ],
    "code": 403,
    "message": "Not Authorized to access this resource/api"
  }
}

我无权访问他们的 G Suite 管理面板，所以我无法在自己周围闲逛，但管理员已确认我们的客户在他能找到的任何地方都可以访问 admin.directory.user.readonly 权限，我们是在具有域范围访问权限的角色中，如上所述。我愿意接受有关管理员可能缺少分配权限的地方的建议，或者我的方法中可能缺少的任何内容(尽管 JWT 构建/签名和访问 token 检索似乎按预期工作)。如果我可以提供任何其他有用的信息，请告诉我，我会更新。

更新:帐户的权限似乎是正确的 - 我能够从用户那里检索信息/在 API Explorer 中获取信息。但是，API Explorer 使用的是 URL

https://www.googleapis.com/admin/directory/v1/users/redacted%40redacted.com?projection=full&key={YOUR_API_KEY}

而且我在服务帐户或用户/获取文档中都找不到有关 key 参数的任何文档。我将 access_token 作为不记名 token 包含在规范中定义的身份验证 header 中，当我尝试将其作为 key 查询字符串参数发送时，我仍然收到上面记录的相同 403 错误。 Stack ( Google API Client users().get(userKey='name@domain.com') returns Not Authorized to access this resource/api ) 上有一个类似的问题，没有答案。

Answer 1

没有玩过 Admin SDK，但我建议检查 Perform G Suite Domain-Wide Delegation of Authority因为它侧重于服务帐户的使用。

Delegate domain-wide authority to your service account

The service account that you created needs to be granted access to the G Suite domain’s user data that you want to access. The following tasks have to be performed by an administrator of the G Suite domain:

1. Go to your G Suite domain’s Admin console.
2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
3. Select Advanced settings from the list of options.
4. Select Manage API client access in the Authentication section.
5. In the Client name field enter the service account's Client ID.
6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to Users and Groups enter: https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group
7. Click the Authorize button.

Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain. You are ready to instantiate an authorized Admin SDK Directory service object on behalf of your G Suite domain's users.