Google-api-nodejs-client: Directory API: Not Authorized to access this resource/api

@nicholasc I believe the scope for list might be:

https://www.googleapis.com/auth/admin.directory.user.security

can you give this a shot?

It did not work.

The url used by the library is

https://www.googleapis.com/admin/directory/v1/groups

Based on the API Reference the scope for that url is

https://www.googleapis.com/auth/admin.directory.group

I too face the same problem when trying to manage the G Suite users using service account credential, but hitting the same problem

@nicholasc I work on the GCP client libraries team, which is a few steps away from the Gmail API. I've added the bug label, and we will make an effort to dig into this when possible, but:

It might also be worth following the directions here to get help with the gmail API, just in case someone on stack overflow knows an immediate solution to your problem.

Hello @bcoe .

I appreciate that this will be looked into as I am still facing this issue. I've temporarily resorted to a manual list of our users but I don't see this as a viable solution long term.

Thank you for referring me to the Gmail API help section. However, this is not related to the Gmail API, which I have been able to use with a service account, but with the Directory API within the Admin SDK. I went here and looked for similar issue on stack overflow but haven't been able to find much of anything.

Again, thank you.

Found relevant issue on the Admin SDK Bug issue tracker:
https://issuetracker.google.com/issues/113755665

No real solution at the moment.

@nicholasc, thanks for pointing out the issue tracker. The solution there was to use a legit admin user's account which is not a viable solution. This is also occurring in the java API at the moment. @bcoe Is there any other possible way to determine which groups a user belong to using service account authentication?

Seeing the same issue. Have Domain Wide Delegation enabled and added the scopes for the client in Admin.

I have the same issue, I gave my service accounts all the authorization in GSuite Admin and gave him the right scopes with domain wide delegation and I'm facing the same error. FYI, I use a server to server oauth scheme (JWT).

@nicholasc I believe the scope for list might be:

https://www.googleapis.com/auth/admin.directory.user.security

can you give this a shot?

Thanks a lot. This scope fixed my problem.

@SqiSch could you share a brief snippet of code, demonstrating the approach you're taking. I wonder why this scope did not solve @nicholasc's issue for them.

Didn't solve mine either. I've given up and am using something else. Requiring human interaction via OAuth to access google groups (or not publishing what is needed) is silly. Last thing I need to do is grant full admin rights to Mechanical Turk and pay someone to be an API.

The same issue. Didn't solve mine either.
I'm trying to create new user with service account credentials.

const { google } = require('googleapis');

const key = require('./sa.json');
const ADMIN_API = google.admin('directory_v1');
const SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/admin.directory.user.security',
];

const auth = new google.auth.JWT(
    key.client_email,
    null,
    key.private_key,
    SCOPES,
);

ADMIN_API.users
    .insert({
        auth,
        resource: {
            name: {
                familyName: 'John',
                givenName: 'Doe',
            },
            password: '1qaZXsw2',
            changePasswordAtNextLogin: true,
            primaryEmail: '[email protected]',
        },
    })
    .then((data) => {
        console.log(data);
    })
    .catch((error) => {
        console.log(error);
    });

Versions:

• "googleapis": "48.0.0"

I'm running into the same issue
GET https://www.googleapis.com/admin/directory/v1/[email protected] gets me

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "forbidden",
    "message": "Not Authorized to access this resource/api"
   }
  ],
  "code": 403,
  "message": "Not Authorized to access this resource/api"
 }
}

When using the scopes of:

https://www.googleapis.com/auth/admin.directory.group.readonly

AND with

https://www.googleapis.com/auth/admin.directory.group.member.readonly 
https://www.googleapis.com/auth/admin.directory.group.readonly 
https://www.googleapis.com/auth/admin.directory.user.readonly 
https://www.googleapis.com/auth/admin.directory.user.security 

It's also failing from https://developers.google.com/admin-sdk/directory/v1/reference/groups/list in the API trial sidebar

The issue appears to be that the user is not an admin, and thus cannot access the admin sdk:
https://stackoverflow.com/a/26469289/12958

On second thought, this does not make sense to me. If I was able to create an access token with the given scopes this should be all I need to look at _my_ groups at least.

I had the same problem.
As mentioned on google issue tracker, I impersonated an admin account with a Domain-wide Delegation
service account.

EDIT: Forgot to mention, it solved the problem

Is there already a solution for this? I am facing the same problem with indeed a Service account with a Domain-wide Delegation

Is there already a solution for this? I am facing the same problem with indeed a Service account with a Domain-wide Delegation

Yes @sanderisbestok you may refer this https://stackoverflow.com/questions/56636523/instantiate-an-admin-sdk-directory-service-object-with-nodejs. Thing here is, need also to pass 'subject'.

Hey guys,

I solved my issue by bypassing the google api nodejs client, using my following code:

const jwt       = require('jsonwebtoken');
const keys      = require('./jwt.keys.json');
const fetch     = require("node-fetch");

const createJwt = (projectId, algorithm) => {
    // Create a JWT to authenticate this device. The device will be disconnected
    // after the token expires, and will have to reconnect with a new token. The
    // audience field should always be set to the GCP project id.
    const token = {
      iss: keys.client_email,
      scope: "your scopes",
      iat: parseInt(Date.now() / 1000),
      exp: parseInt(Date.now() / 1000) + 60 * 60, // 20 minutes
      aud:"https://oauth2.googleapis.com/token",
      sub: "account for DWD" // here you need to put the account used for domain delegation
    };
    const privateKey = keys.private_key; // load the private key of your SA 
    return jwt.sign(token, privateKey, {algorithm: algorithm});
  };

function getOauthBearer(token, callback){
     // this method will return the oauth bearer so you can use it when calling Admin API
    let options = {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token
    }

    const BASE_URL = 'https://oauth2.googleapis.com/token'
    fetch(BASE_URL, options)
    .then(response => response.json())
    .then(json=> {
      callback(json.access_token);
    })    
    .catch(err => console.error(err))
}

export function yourFunction(param1, ... , callback) {
  let token = createJwt(keys.project_id, 'RS256');
  getOauthBearer(token, body => {
    const url   = "your Google directory API URL"
    const headers = {
        method: 'GET',
        headers:{
            'Authorization': 'Bearer ' + body
        }
    };

    fetch(url, headers)
    .then(response => response.json())
    .then(json=> {
      callback(json);
    }) 
    .catch((error) => console.error(error))
  });
}

There you go, tell me if it worked for you !

@tchimih How is that bypassing the directory api? It seems like its still calling the same api? I think what we're seeing is that it depends on what "account for DWD" you are using. You need to make the call with the correct account to be able to get results.

@justinmchase sorry for my mistake. I meant by bypassing the google nodejs client. I think you need to specify when the service account is created the dwd account used. That's what I did and it worked for me.

I used to have the same error.

I'm having a similar issue. Could someone clarify. Does the account that creates the Service account need to be an Admin on the Domain?

For example:

• I am a developer my company but do not have admin access.
• I have created a service account and downloaded the keys etc.
• Instantiated a node.js auth object like this:

const auth = new google.auth.GoogleAuth({
  keyFile: process.env.GOOGLE_APPLICATION_CREDENTIALS,
  scopes: ['https://www.googleapis.com/auth/admin.directory.user'],
});

• I provided the service account email to a domain admin to add to the service accounts in Security > APIs > Service accounts with the scope of https://www.googleapis.com/auth/admin.directory.user

However when I then try to call the API via the node client I get the 403 error.

Does my service account need to be created by a Google Admin?

I'm having a similar issue. Could someone clarify. Does the account that creates the Service account need to be an Admin on the Domain?

For example:

• I am a developer my company but do not have admin access.
• I have created a service account and downloaded the keys etc.
• Instantiated a node.js auth object like this:

const auth = new google.auth.GoogleAuth({
  keyFile: process.env.GOOGLE_APPLICATION_CREDENTIALS,
  scopes: ['https://www.googleapis.com/auth/admin.directory.user'],
});

• I provided the service account email to a domain admin to add to the service accounts in Security > APIs > Service accounts with the scope of https://www.googleapis.com/auth/admin.directory.user

However when I then try to call the API via the node client I get the 403 error.

Does my service account need to be created by a Google Admin?

Try this... https://github.com/googleapis/google-api-nodejs-client/issues/1884#issuecomment-625062805

I am also experiencing this problem using the Python client libraries. I am using the following code to try to suspend an account but am getting the same error that everyone here is reporting.

from google.oauth2 import service_account
from googleapiclient import discovery

SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/admin.directory.user.security',
]


service_account_json_key = {
  "type": "service_account",
  "project_id": "[REDACTED]",
  "private_key_id": "[REDACTED]",
  "private_key": "[REDACTED]",
  "client_email": "[REDACTED]",
  "client_id": "[REDACTED]",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "[REDACTED]"
}

credentials = service_account.Credentials.from_service_account_info(
    service_account_json_key, 
    scopes=SCOPES,
)

service = discovery.build('admin', 'directory_v1', credentials=credentials)

resp = service.users().patch(
    userKey='[email protected]',
    body={
        'suspended': True,
    },
).execute()

print(dir(resp))

As you can see, I have tried adding the scope described earlier. I have also enabled domain-wide delegation.

@arcrose

Try:

...
credentials = service_account.Credentials.from_service_account_info(
    service_account_json_key, 
    scopes=SCOPES,
)
credentials = credentials.with_subject('[email protected]')
....

Thank you for the suggestion @gustavopergola. I've tried adding a subject containing both my own GSuite user email address (which is not an admin) as well as that of an admin who has access to the service account I am using. In both cases I receive the following error:

google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', '{\n "error": "unauthorized_client",\n "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."\n}')

I should also note that, after the two lines you listed above, printing both credentials.expired and credentials.valid print False.

I've also taken note of the fact that domain-wide delegation has been disabled and I am unable to re-enable it.

It turns out that my assumption was correct unless a maintainer could clarify otherwise. The only users able to access the Admin SDK must be an Admin / Superuser of the Domain or a registered Google Reseller.

As others have mentioned, you also need to provide the subject for JWT which must be the email of the admin who created the Service Account.

I was able to connect with the following example:

const auth = new google.auth.JWT({
  keyFile: KEYFILE_GENERATED_BY_ADMIN,
  scopes: ['https://www.googleapis.com/auth/admin.directory.user.readonly'],
  subject: ADMIN_EMAIL,
});

But not able to connect with the following example:

const auth = new google.auth.JWT({
  keyFile: KEYFILE_GENERATED_BY_THIRD_PARTY,
  scopes: ['https://www.googleapis.com/auth/admin.directory.user.readonly'],
  subject: THIRD_PARTY_EMAIL,
});

I don't know if others are trying to connect as effectively a third party developer and running into this issue. The docs could be a lot more explicit if this the expected behaviour?

Hope it helps others.

@mathewtrivett's suggestion actually worked perfectly on my side.

For those who want to use the GoogleAuth constructor instead of JWT to use Application default credentials, you can use:

  const auth = new google.auth.GoogleAuth({
    scopes: ["https://www.googleapis.com/auth/admin.directory.group"],
  });

  const authClient = await auth.getClient();
  authClient.subject = ADMIN_EMAIL;
  return google.admin({ version: "directory_v1", auth: authClient });

See issue #1699 .

⚠️ EDIT: This did not work on Google Cloud Function because GoogleAuth() uses Compute() when running in the cloud instead of JWT(). See the note here. I've had to revert to @mathewtrivett method from above which is too bad because application default credentials make everything easier. My only guess for why this is would be that Compute() doesn't handle the subject setting the same way as JWT(). It maybe be possible to still use application default credentials by forcing the type as show here however I haven't tried.

It turns out that my assumption was correct unless a maintainer could clarify otherwise. The only users able to access the Admin SDK must be an Admin / Superuser of the Domain or a registered Google Reseller.

The note at the bottom of this section of the documentation seems to confirm this.

Hello. I am also having the same issue. I am trying to gather a list of users from gsuite to google sheets but when trying to gather the list of users, i get the following error:

_GoogleJsonResponseException: API call to directory.groups.list failed with error: Not Authorized to access this resource/api (line 28, file "1_listAllGroupMembers")_

I have checked with the admin of gsuite and he did add me as an admin but on admin.google.com I can see the users but cannot add new ones for example, could it be that I am not admin in reality?

Appreciate your help with this :)