0
votes

I'm following https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps/ and attempting to set up a script to patch my Google users with SSO AWS roles.

Using the scope listed at https://developers.google.com/admin-sdk/directory/v1/reference/users/patch, I've authenticated properly and have confirmed by doing a simple:

service.users().list(customer='my_customer', maxResults=10, orderBy='email').execute()

This returns successfully with a list of users. However, when I try to execute a patch query with:

service.users().patch(body=body, userKey=user_email).execute()

The response is "Not Authorized to access this resource/api".

Is this endpoint special in some way? It appears the only way to successfully access this resource is by authenticating with a super admin account, which I would prefer not to do.


1 Answer

0
votes

Please note that it was mentioned in Directory API: Authorize Requests that,

Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.

With this, I suggest that you use Authorizing requests with OAuth 2.0.

You may also check other possibilities why such an error can be encountered from these SO posts:

Hope that helps!
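
An added example, not part of the original question or answer: a triage helper for the asymmetry in the question (users.list succeeds, users.patch returns 403), separating an OAuth scope gap from a limit on the admin privileges of the authenticated account. The scope table, the sample token listings and the error body are constructed, and the rule that a 403 with a sufficient scope points at account privileges is an assumption.

```python
import json

WRITE = "https://www.googleapis.com/auth/admin.directory.user"
READONLY = WRITE + ".readonly"
# Assumed subset of the scopes each method accepts, per Google's reference pages.
ACCEPTED = {"users.list": {WRITE, READONLY}, "users.patch": {WRITE}}

# Constructed samples: a tokeninfo-style scope listing and the 403 body from the question.
TOKEN_READONLY = json.dumps({"scope": READONLY, "expires_in": "3300"})
TOKEN_WRITE = json.dumps({"scope": WRITE, "expires_in": "3300"})
ERROR_403 = json.dumps({"error": {"code": 403,
    "message": "Not Authorized to access this resource/api",
    "errors": [{"domain": "global", "reason": "forbidden",
                "message": "Not Authorized to access this resource/api"}]}})


def triage(method, tokeninfo_json, error_json):
    """Return where to look first after a failed Directory API call."""
    granted = set(json.loads(tokeninfo_json).get("scope", "").split())
    code = json.loads(error_json).get("error", {}).get("code")
    if code == 401:
        return "credentials"          # expired or invalid token
    if code != 403:
        return "other"
    if not granted & ACCEPTED[method]:
        return "oauth_scope"          # token cannot authorize this method at all
    # Assumption: with a sufficient scope, a 403 reflects the admin privileges
    # of the account the token acts as, not the OAuth grant.
    return "account_privileges"


def explain_asymmetry(tokeninfo_json, error_json):
    """Triage the situation in the question: users.list works, users.patch fails."""
    granted = set(json.loads(tokeninfo_json).get("scope", "").split())
    list_ok = bool(granted & ACCEPTED["users.list"])
    return list_ok, triage("users.patch", tokeninfo_json, error_json)


if __name__ == "__main__":
    for name, tok in (("read-only token", TOKEN_READONLY), ("write token", TOKEN_WRITE)):
        print(name, explain_asymmetry(tok, ERROR_403))
```

A result of `account_privileges` means the next check is the admin role assigned to the authenticated account, which is where a least-privilege alternative to a super admin would be configured.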