
User Impersonation with Service Account using Application Default Credentials


I'm trying to use a service account with domain-wide delegation (DwD) on an App Engine deployment with Go.

I've followed the steps for using Google Application Default Credentials to use a service account with App Engine.

I got the code running locally on my dev machine but I'm stuck at retrieving the actual data from my domain.

I'm using the Admin SDK. Under the section Delegate domain-wide authority to your service account, it says that my "service account needs to impersonate one of those users to access the Admin SDK Directory API".

I've looked through the documentation for Go on using a service account and user impersonation, AND I've also pored through the source code. Nowhere does it indicate where I can enter the user's email address/identity to impersonate.

Here is the error that I got:

googleapi: Error 404: Domain not found., notFound

The source code does show some clues, but I faced other obstacles when trying to use something other than the Application Default Credentials.

Does anyone have any idea? Thanks in advance.


Solution

  • It seems that for the Admin SDK I need to ask for the user's (the administrator's) permissions to access the Directory API. This is quite different from the other APIs, where I simply just set the user email address to access the specified user's data.

    It's understandable I guess since the Admin SDK is a far more powerful API affecting the domain and not just the individual user.
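
Where the impersonated identity travels on the wire, as an added example that is not part of the original post or of Google's libraries: in the OAuth 2.0 service-account flow the user's email is the `sub` claim of the JWT the service account signs, which is what the `Subject` field of `jwt.Config` in `golang.org/x/oauth2/jwt` sets. It assumes a service account private key is available; the throwaway key, the account `svc@example-project.iam.gserviceaccount.com`, the user `admin@example.com` and the helper names `Assertion`, `Claims` and `Demo` are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Assertion signs the JWT a service account trades for a token; "sub" is the user it acts as.
func Assertion(key *rsa.PrivateKey, serviceAccount, user, scope string, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]any{"iss": serviceAccount, "sub": user, "scope": scope,
		"aud": "https://oauth2.googleapis.com/token", "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	unsigned := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	sum := sha256.Sum256([]byte(unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return unsigned + "." + b64.EncodeToString(sig), err
}

// Claims verifies the signature and returns the claim set the token endpoint would read.
func Claims(pub *rsa.PublicKey, token string) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, _ := b64.DecodeString(p[2]) // undecodable input simply fails verification
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, err
	}
	body, _ := b64.DecodeString(p[1]) // a damaged payload is reported by Unmarshal
	c := map[string]any{}
	return c, json.Unmarshal(body, &c)
}

// Demo (hypothetical helper) signs with a constructed throwaway key and reads the claims back.
func Demo(user, scope string) (map[string]any, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key in the JSON key file
	tok, _ := Assertion(key, "svc@example-project.iam.gserviceaccount.com", user, scope, time.Now())
	return Claims(&key.PublicKey, tok)
}

func main() { fmt.Println(Demo("admin@example.com", "https://www.googleapis.com/auth/admin.directory.user.readonly")) }
```

The token endpoint only honours `sub` when a domain administrator has authorised the service account's client ID for the requested scopes, so that allow-list is the control to audit.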