Google Apps Admin API: need to specify account user for service account?

Question

I'm creating a Marketplace App that should be able to read all the users of a domain. I request access to these scopes:

https://www.googleapis.com/auth/userinfo.email  
https://www.googleapis.com/auth/userinfo.profile    
https://www.googleapis.com/auth/admin.directory.user.readonly

Then when the 'Universal Navigation Extension' is accessed this happens:

Credential credential = new GoogleCredential.Builder()
        .setTransport(httpTransport)
        .setJsonFactory(jsonFactory)
        .setServiceAccountId(SERVICE_MAIL)
        .setServiceAccountScopes(Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY))
        .setServiceAccountPrivateKey(privateKey)
        .build();

Directory oauth2 = new Directory.Builder(httpTransport, jsonFactory, null)
        .setHttpRequestInitializer(credential)
        .build();

Directory.Users.List list = oauth2.users().list();
list.setDomain(queryParams.getString("domain"));
Users users = list.execute();

When I run this it returns this error:

{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Not Authorized to access this resource/api",
    "reason" : "forbidden"
  } ],
  "message" : "Not Authorized to access this resource/api"
}

But, when I add:

Credential credential = new GoogleCredential.Builder()
    .setServiceAccountUser("<admin-account>@<domain>")
    ...

It works!

But how do I know the admin's email address? Can I make it work without the email address?

Answer 1

No. You must have and know the email address of an account allowed to do what your want (typically a superadmin).

I agree that it is quite absurd for some APIs to require this (Admin, Directory, etc.).