
Google Adminsdk Directory API access


I am trying to get the list of chrome devices registered with the specified customer Id.

I have done the following Steps.

  1. Enabled Google Admin Directory API
  2. Created Service Account and downloaded the jwt.json file for connectivity.
  3. Enabled the domain-wide G Suite delegation privilege.
  4. Registered this client ID as an authorized API client through Google Admin (Manage API client access)

    Client Id: our clientid
    API Scope:
    View and manage your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos
    View your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly

Next I used my Node module to generate the JWT access

Token is created Successfully.

{"access_token":"ya29.c.KpEB****K*********lufaGlx5k********hvAdADxBhOA****8R3rnTPKKnVb97sdPFG66wHy4FPrnx6KskafKXrBBfEgILdDelP-n5irpKm5h8y8oBWHO*******Xg","token_type":"Bearer","expiry_date":1587150649000,"refresh_token":"jwt-placeholder"}

Now I am trying to use this Bearer token to access the following API

https://www.googleapis.com/admin/directory/v1/customer/ourcustomerid/devices/chromeos

This is always giving the following error.

{
  "error": {
    "errors": [{
      "domain": "global",
      "reason": "forbidden",
      "message": "Not Authorized to access this resource/api"
    }],

    "code": 403,
    "message": "Not Authorized to access this resource/api"
  }
}

Not sure what is the issue.


Solution

  • It's working after adding the impersonated user's email address... Originally it was

    const jwtAuth = new google.auth.JWT(
                quickstart.client_email,
                null,
                quickstart.private_key,
                [
                    'https://www.googleapis.com/auth/admin.directory.device.chromeos',
                    'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
                ]
    );
    

    Then I added the subject as the impersonated user's email address.

    const jwtAuth = new google.auth.JWT(
                quickstart.client_email,
                null,
                quickstart.private_key,
                [
                    'https://www.googleapis.com/auth/admin.directory.device.chromeos',
                    'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
                ],
                // subject: the Workspace user the service account acts on behalf of
                'email address of the impersonated user',
    );
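
What the `subject` argument changes in the signed assertion, as an added example that is not part of the original answer: with a subject the JWT carries a `sub` claim and the resulting token acts as that user; without it the token is issued for the service account itself, which is consistent with the 403 in the question. The key pair and both addresses are constructed placeholders, and `buildAssertion`, `decodeClaims` and `effectivePrincipal` are hypothetical helper names.

```javascript
// Added example: builds the JWT-bearer assertion a service account sends to
// Google's token endpoint, with and without the `sub` (impersonated user) claim.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Build and RS256-sign the assertion. `subject` is optional, as in google.auth.JWT.
function buildAssertion({ clientEmail, privateKey, scopes, subject, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const claims = {
    iss: clientEmail,
    scope: scopes.join(' '),
    aud: 'https://oauth2.googleapis.com/token',
    iat,
    exp: iat + 3600,
  };
  if (subject) claims.sub = subject; // domain-wide delegation: act as this user
  const signingInput =
    b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return signingInput + '.' + b64url(sig);
}

// Decode the claims segment to inspect which identity the token will carry.
function decodeClaims(assertion) {
  return JSON.parse(Buffer.from(assertion.split('.')[1], 'base64url').toString('utf8'));
}

// Report the principal the Directory API will authorize the request against.
function effectivePrincipal(assertion) {
  const c = decodeClaims(assertion);
  return c.sub ? { actsAs: c.sub, delegated: true } : { actsAs: c.iss, delegated: false };
}

// Constructed sample inputs: throwaway key and placeholder addresses.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const base = {
  clientEmail: 'svc@example-project.iam.gserviceaccount.com',
  privateKey,
  // The read-only scope is sufficient for listing devices.
  scopes: ['https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'],
};
const withoutSub = buildAssertion(base);
const withSub = buildAssertion({ ...base, subject: 'admin@example.com' });

console.log(effectivePrincipal(withoutSub)); // service account itself, not delegated
console.log(effectivePrincipal(withSub));    // delegated to admin@example.com
```

Decoding the claims of an assertion before it is exchanged is a quick check when a delegated call returns 403: a missing `sub` means no user is being impersonated.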