google.auth.exceptions.RefreshError: ('access_denied: Account restricted' using a domain wide delegated account

0
votes

I'm trying to use domain wide delegation on a service account to fetch some info from the admin sdk to generate reports. i got an already working codebase which i use with a gsuite domain. i wanted to use that same code to generate reports for another domain, so i set up a GCP project for this other domain. i created a service account, enabled domain wide delegation on it, and enabled the scopes for the service account. When i try to make any api call impersonating any account on the domain, i get the following error

adminService.activities().list(userKey='all', applicationName='meet').execute()
google.auth.exceptions.RefreshError: ('access_denied: Account restricted', '{\n  "error": "access_denied",\n  "error_description": "Account restricted",\n  "error_uri":<url>}')

here's the code i use to create the service

credentials = service_account.Credentials.from_service_account_file(credentialsPath,
    scopes=['https://www.googleapis.com/auth/admin.reports.audit.readonly',
    "https://www.googleapis.com/auth/classroom.announcements.readonly",
    "https://www.googleapis.com/auth/classroom.courses.readonly",
    "https://www.googleapis.com/auth/classroom.coursework.students.readonly",
    "https://www.googleapis.com/auth/classroom.profile.emails",
    "https://www.googleapis.com/auth/classroom.rosters.readonly",
    "https://www.googleapis.com/auth/classroom.student-submissions.students.readonly",
    "https://www.googleapis.com/auth/classroom.topics.readonly"
    ])

    delegated_credentials = credentials.with_subject(email)

    return build('admin', 'reports_v1', credentials=delegated_credentials)

Again, this shouldn't be a programming problem since the same exact code is working for another domain, i think i'm missing something on the admin/GCP configuration side, but i can't figure out what, and i haven't found this exact error anywhere on the internet

1
pythongoogle-admin-sdk
Have you enabled all the scopes you want to use in the Google Admin console? [admin.google.com](admin.google.com) Security > Advanced settings > Manage API client access then enter all your scopes for the client with your service account's client ID. - I hope this is helpful to you
Yes, all the scopes are enabled for the client id of my service account - Fabio ProtoType22 De simone
You say impersonating any account on the domain, but only domain admins have the ability to access the reports API, so this can't be run as anyone but them. Also, have you made sure that you're not accidentally using the credentials for the service account on the other domain? - I hope this is helpful to you
Yes i was just emphasizing that i tried with multiple accounts, but i usually try to impersonate a super admin. also yes, i made sure i'm using the correct credentials, to be completely sure i tried and if i try to use the email from another domain, on a service account, the error is completely different edit: to be precise if you try to impersonate an account on a service account that is used on a different domain, the error is unauthorized_cilent, which makes sense. however i really can't understand what access_denied: Account restricted could mean - Fabio ProtoType22 De simone
Is the domain a newly created G Suite domain? Also, what G Suite edition is the domain? (Basic/Enterprise/Business/Legacy/etc)? - I hope this is helpful to you

1 Answers

0
votes

Turns out that for domain wide delegation to work, you have to enable this thing

that roughly translates to "additiional services without individual control" on the organization unit to which the user that created the GCP project belongs to. you can to that via the tooltip that appears on top of the Applications>Additional Google Services page in the administration panel