I am using Google Directory API .NET Client to fetch a list of roles in a domain (https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles/list).

I use a service account to authenticate on behalf of a user to create the Directory Service. Here is my code:

using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// scopes: the rolemanagement / rolemanagement.readonly scopes named in the comments below;
// connectionDetails: service-account e-mail, private key and the domain user to impersonate
var initializer = new BaseClientService.Initializer
{
    ApplicationName = "GoogleConnector",
    HttpClientInitializer = new ServiceAccountCredential(
        new ServiceAccountCredential.Initializer(connectionDetails.ClientEmail)
        {
            User = connectionDetails.UserId,   // impersonated domain user
            Scopes = scopes
        }.FromPrivateKey(connectionDetails.PrivateKey))
};

var service = new DirectoryService(initializer);
var roles = await service.Roles.List("my_customer").ExecuteAsync();

Now, it works fine without any issues when the user being impersonated has the Super Admin role assigned. However, giving this user the Super Admin role is not feasible. When I remove the Super Admin role and assign the following roles:

  1. User Management
  2. Groups Reader
  3. Service Admin


Also, the following request scopes have been added:

The API starts failing with the error below:

Not Authorized to access this resource/
api [403] Errors [ Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global] ]

EDIT (after the comment about missing delegation to a domain user)

I have provided domain-wide delegation to the client application (since I am using a service account, following the guide) with all the required scopes.

Also, all other APIs work fine. I am using the groups.list and users.list methods without any issues; those return results as usual.

The issue is only with the roles.list method.

Any help is appreciated.

Comments

  • Can you share in your post the scopes that you used? May I confirm if you used these two: https://www.googleapis.com/auth/admin.directory.rolemanagement and https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly (based on the article)? Commented Nov 20, 2024 at 17:29
  • Thank you @Gyul. Those scopes have been added. I will include them in my question. Commented Nov 21, 2024 at 9:11
  • You are missing delegation to a domain user. Commented Nov 21, 2024 at 19:59
  • Thx, @LindaLawton-DaImTo, I've tried it (but unfortunately the result is the same =/). The original post has been updated. Commented Nov 22, 2024 at 11:18
  • Try the sample I posted. Commented Nov 22, 2024 at 16:18

1 Answer

You need to pass the full credentials.json as well as an admin user with access. This is my sample for creating a user; you should just be able to change the scope and the method it calls.

using Google.Apis.Auth.OAuth2;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Services;

Console.WriteLine("Hello, Google Calendar Workspace sample!");

// Scope for the method being called; swap it for the scope of the method you need
var scopes = new[] { DirectoryService.Scope.AdminDirectoryUser };

// Domain admin the service account impersonates through domain-wide delegation
const string workspaceAdmin = "[email protected]";

// Path to the service account's credentials.json key file
const string credentials = @"C:\Development\Credentials\workspaceserviceaccount.json";

var credential = GoogleCredential.FromFile(credentials)
    .CreateScoped(scopes)
    .CreateWithUser(workspaceAdmin);   // impersonate the admin user

var services = new DirectoryService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
});

var request = services.Users.List();
request.Customer = "my_customer";
request.MaxResults = 10;
request.OrderBy = UsersResource.ListRequest.OrderByEnum.Email;

var results = request.Execute();

var users = results.UsersValue;

if (users.Count == 0)
{
    Console.WriteLine("No Users");
    return;
}

Console.WriteLine("Users:");
foreach (var user in users)
{
    Console.WriteLine($"{user.PrimaryEmail} ({user.Name.FullName})");
}
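The same pattern applied to the failing call in the question, as an added example that is neither the asker's nor the answerer's code: the service account impersonates a delegated admin via CreateWithUser, requests only the read-only role-management scope (the least privilege that listing roles needs, and the scope string quoted in the comments), and surfaces the 403 separately so it is not mistaken for a scope problem. The key-file path and admin address are placeholders.

```csharp
using System;
using System.Net;
using Google;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// Placeholders (assumptions): service-account key file and the delegated admin to act as
const string credentialsPath = @"C:\path\to\service-account.json";
const string delegatedAdmin = "admin@example.com";

// Read-only scope only: a leaked key can then list roles but not create or assign them.
// The scope must also be authorised for this service account in Admin console.
var scopes = new[] { "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly" };

var credential = GoogleCredential.FromFile(credentialsPath)
    .CreateScoped(scopes)
    .CreateWithUser(delegatedAdmin);   // domain-wide delegation: act as this admin

var service = new DirectoryService(new BaseClientService.Initializer
{
    HttpClientInitializer = credential,
    ApplicationName = "GoogleConnector",
});

try
{
    var roles = await service.Roles.List("my_customer").ExecuteAsync();
    if (roles.Items != null)
    {
        foreach (var role in roles.Items)
        {
            Console.WriteLine($"{role.RoleId}: {role.RoleName} (super admin: {role.IsSuperAdminRole == true})");
        }
    }
}
catch (GoogleApiException ex) when (ex.HttpStatusCode == HttpStatusCode.Forbidden)
{
    // With the scope authorised, a 403 here means the impersonated user itself lacks an
    // admin privilege that the roles API checks; users.list and groups.list can still
    // succeed because they are gated on different privileges.
    Console.Error.WriteLine($"roles.list forbidden for {delegatedAdmin}: {ex.Message}");
}
```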

7 Comments

an admin user with access -> What do you mean by this? Does the user need to have the Super Admin role? If so, this is not possible for us to provide. What roles does this user need in order to be able to fetch the list of roles?
They need to have access to list users. If you're logging in as a service account, just have the service account impersonate the admin user on the domain. I would start with users - read.
What is the meaning of "admin user on the domain" here? How do we define admin user? Linda, suppose I have User A in my domain, and this User A is NOT a Super Admin but has the User Management role in Google Workspace. The service account is impersonating this User A to list the roles (NOT list users), but this doesn't work.
From what I can see in your code they are not impersonating the user; you need to use .CreateWithUser(workspaceAdmin) as I have.
Well, I am using a different approach to creating a credential, and it takes the UserId parameter to impersonate the user: drive.google.com/file/d/1fOghwxuGTDULR_-sYlEBKJUDWvcMoJrr/… Also, just to be clear, I have many other APIs which are working just fine with this approach; I am facing the issue with only one particular API (roles.list).
