0
votes

I have a G Suite service account with domain-wide delegation enabled, and I want to impersonate a user on the domain. However, every attempt of mine to do so has been met with an error saying that I am unauthorised. Has anyone experienced this and might know what is going on?

I have followed these instructions, and these too. I created a new service account, (as mentioned) enabled DwD, and added the necessary scopes in the Admin console: https://mail.google.com https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/gmail.settings.basic https://www.googleapis.com/auth/admin.reports.audit.readonly

(Also, the domain is verified.)

From there, I have attempted to authorise this account in the NodeJS client using the following code:

const {google} = require('googleapis');
const fs = require('fs');
// Service account key file downloaded from the Cloud console
const auth = JSON.parse(fs.readFileSync('xxx.json', 'utf8'));

const jwt = new google.auth.JWT(
    auth.client_email,   // service account e-mail
    null,                // no key file path; the key is passed inline below
    auth.private_key,    // PEM private key from the JSON key file
    [
        'https://mail.google.com/',
        'https://www.googleapis.com/auth/gmail.settings.sharing',
        'https://www.googleapis.com/auth/gmail.settings.basic',
        'https://www.googleapis.com/auth/admin.reports.audit.readonly'
    ],
    '[email protected]'   // subject: the domain user to impersonate
);

// Exchange the signed JWT for an access token on behalf of the subject
jwt.authorize((err, res) => {
    if (err) console.log(err);
    else console.log(res);
});

If I remove [email protected] and try to authorise without impersonating an email, it works; I receive an access token. However, for my purposes I need to be able to impersonate, and when I try to do so, I get a 401 with the following message:

GaxiosError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

As far as I can tell, the service account should be authorised to impersonate users on the domain. Does anyone know why this might be happening?

1
1) Show a complete example; the APIs you are calling make a difference. 2) I recommend using an OAuth Access Token instead of a signed JWT. 3) Do you really need the scope 'https://mail.google.com/'? 4) Start with something simpler like send email and the gmail.send scope. 5) Is the G Suite account a Super Admin, and have you logged into G Suite, accepted the TOS, etc.? 6) Edit your question and improve it with these questions. – John Hanley
Tip: In following the steps in your first link, if you get any item wrong the impersonation will not work. I would delete the service account and start over. I would also use one of the code examples that work to verify that you have the SA set up correctly. – John Hanley
Hi @JohnHanley, thank you for your replies. It turns out that my problem was a rather stupid one: when I entered my scopes in the Google admin console, I had separated them with spaces, whereas they should be separated with commas, e.g., 'mail.google.com, https://...' – btdrawer

1 Answer

0
votes

In the end, it was me being stupid. In the admin console, I had been separating my scopes with spaces, whereas in fact they should be separated with commas: 'https://mail.google.com, https://...'
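As an added example (not part of the original question or answer), a small Node.js check that treats the string pasted into the Admin console's domain-wide delegation entry the way the answer describes (comma-separated) and compares it with the scopes the JWT client requests. The sample console entries and scope list are constructed; the comparison is an exact string match, so it also flags the trailing-slash difference between the console entry 'https://mail.google.com' in the question and the 'https://mail.google.com/' requested in the code, as something to review.

```javascript
// Added example, not from the original post: validate an Admin console
// scope entry and compare it with the scopes the JWT client requests.

// Constructed sample inputs: a space-separated entry (the bug in the question)
// and the comma-separated form the answer describes.
const CONSOLE_ENTRY_BAD =
  'https://mail.google.com/ https://www.googleapis.com/auth/gmail.settings.sharing';
const CONSOLE_ENTRY_GOOD =
  'https://mail.google.com/, https://www.googleapis.com/auth/gmail.settings.sharing';
const REQUESTED_SCOPES = [
  'https://mail.google.com/',
  'https://www.googleapis.com/auth/gmail.settings.sharing',
];

// Split the console entry on commas and report entries that cannot be scopes.
// A space-separated list survives the split as one long, whitespace-bearing
// entry, which is how the problem in the question shows up here.
function parseConsoleScopes(entry) {
  const scopes = entry.split(',').map((s) => s.trim()).filter(Boolean);
  const problems = [];
  for (const s of scopes) {
    if (/\s/.test(s)) {
      problems.push(`"${s}" contains whitespace: scopes must be comma-separated`);
    } else if (!/^https:\/\//.test(s)) {
      problems.push(`"${s}" is not an https:// URL`);
    }
  }
  return { scopes, problems };
}

// Exact-match comparison of requested scopes against the delegated ones.
// "missing" scopes would fail the token request; "unused" scopes are delegated
// but never requested and are candidates for removal (least privilege).
function checkDelegation(entry, requested) {
  const { scopes, problems } = parseConsoleScopes(entry);
  const delegated = new Set(scopes);
  const missing = requested.filter((s) => !delegated.has(s));
  const unused = scopes.filter((s) => !requested.includes(s));
  const ok = problems.length === 0 && missing.length === 0;
  return { ok, problems, missing, unused };
}

console.log(checkDelegation(CONSOLE_ENTRY_BAD, REQUESTED_SCOPES));
console.log(checkDelegation(CONSOLE_ENTRY_GOOD, REQUESTED_SCOPES));
```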