Not able to call directory APIs

0
votes

we would need to integrate with GSuite API to retrieve the group members and the user details of them by a daily job.

I've followed the guide and:

  1. setup a service account
  2. enabled "Admin SDK" at "Google Cloud console"
  3. checked "Enable API access" at GSuite "Google Admin" -> "API Reference"
  4. granted permission to the service account at "Manage API client access" with the following:
    1. View group subscriptions on your domain https://www.googleapis.com/auth/admin.directory.group.member.readonly
    2. View groups on your domain https://www.googleapis.com/auth/admin.directory.group.readonly
    3. View users on your domain https://www.googleapis.com/auth/admin.directory.user.readonly

However the response I got when I try to call: - https://www.googleapis.com/admin/directory/v1/groups/{group id}/members, or - https://www.googleapis.com/admin/directory/v1/users/{user email}

I got "Not Authorized to access this resource/api".

I've tried to use CURL to exchange access token, and tried to use JAVA SDK, both returned the same error.

Please let me know if I've missed out anything. Thanks a lot.

1
google-admin-sdkgoogle-workspace
Did you set the service account as administrator of the domain?noogui
may I know how to do this? In GSuite Admin console, it will show "User does not exists"Anita

1 Answers

1
votes

Ok, I found the missing part.

In case anyone face the same problem, simply add "sub=[super admin]@[your domain]" when exchanging the accessToken. This will solve the problem.