I am creating a service in the Google Apps marketplace which needs the ability to pull down a list of all user accounts in a Google Apps domain. It appears that to use a Service Account with the Admin SDK, you must specify a "sub" (a user who you are acting on behalf of).
My code works just fine if you already know a domain admin's address to put in the "sub" field, since my OAuth token is accepted across the entire Google Apps domain. However, this service doesn't know a domain admin's e-mail address, and I don't really want to ask the user for one and pin against it, because it might change without warning.
Does anyone know of a way to query the user directory without having to already know an admin e-mail address to "act as"?
import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

PRIVATE_KEY = "privatekey.p12"
SERVICE_ACCOUNT = "(removed)@developer.gserviceaccount.com"
SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"

# Read in the service account's PKCS#12 private key
key_file = open(PRIVATE_KEY, 'rb')
key = key_file.read()
key_file.close()

# Build delegated credentials: the service account signs a JWT assertion
# that impersonates the user named in "sub" (domain-wide delegation)
credentials = SignedJwtAssertionCredentials(service_account_name=SERVICE_ACCOUNT,
                                            private_key=key,
                                            scope=SCOPE,
                                            # What if I don't already know the
                                            # e-mail address of an admin?
                                            sub="[email protected]")

# Authorize the httplib2.Http object
http = httplib2.Http()
http = credentials.authorize(http)

# Query the Admin SDK Directory API for the domain's users
service = build('admin', 'directory_v1', http=http)
users = service.users().list(domain="mattslifebytes.com",
                             fields="users(primaryEmail,thumbnailPhotoUrl)").execute()