
Google Classroom API Access requirements


I'm using this site for testing: https://developers.google.com/classroom/reference/rest/v1/courses/list

I have a project set up with a service account:

  • The account was created with read-only domain access.
  • A project was set up after the fact.
  • I then added the account after the fact.
  • I then enabled the Classroom API in that project.
  • I added the courses scope at the site linked above to domain-wide delegation for the service account.

My admin account gets a 200 response with a full list of courses. My service account gets an empty 200 response. If I grant the service account domain admin, it returns a full list of courses. I'm happy to provide sanitized screenshots if needed, but does anyone know what rights a service account needs short of domain admin to be able to access Google Classroom data through the APIs?


Solution

  • Impersonating an account in the domain:

    A service account that has been granted domain-wide authority can access the same data as the account it is impersonating.

    As explained in this answer, only domain administrators can access all the courses in the domain. The rest of the users can only access the courses they are part of (as teachers, students, etc.).

    So the only way for a service account to retrieve all courses in the domain is to impersonate a domain admin (or have another account added to each course in the domain).

  • Service account by itself:

    On the other hand, a service account that has not been granted domain-wide authority, or that is not using this authority to impersonate another account, will only have access to the courses it has been added to.

    And since a service account is technically not part of the domain, it cannot be added to a course in the domain (only accounts within the domain can be added to a course – what sense would it make, anyway, to have a service account as a teacher or a student of a course?).

    So, a call to courses.list cannot return any course in the domain: it will return any courses that the service account might have created on its own, which are not part of the domain.

    Reference:
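The two cases in the answer differ only in whether the JWT assertion the service account exchanges for an access token carries a `sub` claim. This added example (not part of the original question or answer) builds the unsigned part of that assertion both ways and decodes it to show which identity's course visibility applies. The service account address, the admin address and the choice of the read-only courses scope are constructed assumptions, and signing with the account's RSA key is left out.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"
# Assumption: read-only courses scope, the narrowest one that serves courses.list.
SCOPE = "https://www.googleapis.com/auth/classroom.courses.readonly"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_signing_input(sa_email, scopes, subject=None, now=None):
    """Return the unsigned 'header.payload' part of the JWT assertion."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + 3600,  # assertion lifetime is capped at one hour
    }
    if subject:
        claims["sub"] = subject  # user impersonated via domain-wide delegation
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (header, claims)
    return ".".join(_b64url(json.dumps(p).encode()) for p in parts)


def acting_identity(assertion: str) -> dict:
    """Decode an assertion (signed or not) and report who the API call runs as."""
    segment = assertion.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    sub = payload.get("sub")
    return {"caller": sub or payload["iss"], "impersonating": sub is not None,
            "scopes": payload["scope"].split()}


if __name__ == "__main__":
    sa = "classroom-reader@example-project.iam.gserviceaccount.com"  # constructed
    for subject in (None, "admin@example.edu"):  # constructed admin address
        print(acting_identity(build_signing_input(sa, [SCOPE], subject)))
```

Running `acting_identity` on the assertion a client actually sends is a quick check when `courses.list` returns an empty 200: if `impersonating` is false, the call runs as the service account itself.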