Search code examples
google-cloud-platformgoogle-api-python-client

Google API user creation with service account

I'm trying to create a user using Googles Directory API and a service account. However I'm getting the error

googleapiclient.errors.HttpError: <HttpError 403 when requesting https://admin.googleapis.com/admin/directory/v1/users?alt=json returned "Not Authorized to access this resource/api". Details: "Not Authorized to access this resource/api">

I've created a service account on the Google Console and allowed Domain wide delegation. It also says the Admin SDK API is enabled for my project. However I can't seem to create a user. The documentation is confusing me slightly. Here is my implementation

def create_googleuser(content, randpass):
    ''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
    
    # Get User info from Webhook and store them in variables
    firstname = get_firstname(content)
    secondname = get_secondname(content)
    emailaddress = firstname + "." + secondname + "@example.com"
    
    # Connect to google API
    userscope = ['https://www.googleapis.com/auth/admin.directory.user']
    service_account_credentials = ('serviceaccountcredentials.json')
    credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
    
    userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=credentials)


    # Create a user dictionary with user details
    userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
    print (emailaddress)

    # Create user through googleAPI    
    userservice.users().insert(body = userinfo).execute()

I'm thinking that my implementation is wrong rather than the permissions as the serviceaccountcredentials.json should have the correct permissions. Any suggestions?

Solution

  • Thanks for the input. You were both correct to a point. Basically there were two issues. The service account user needs to be delegated domain administrator privileges that require domain admin actions, domain wide delegation isn't enough. Also the domain scope needed to be broader in the Admin console and the scope definition within the code. There is github issue open which helped here:

    https://github.com/googleapis/google-api-nodejs-client/issues/1884

    My working code looks like this

    def create_googleuser(content, randpass):
    ''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
    
    # Get User info from Webhook and store them in variables
    username = get_username(content)
    firstname = get_firstname(content)
    secondname = get_secondname(content)
    emailaddress = firstname + "." + secondname + "@example.com"
    
    # Connect to google API
    userscope = ['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.security']
    service_account_credentials = ('serviceaccountcredentials.json')

    credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
    delegated_credentials = credentials.with_subject('domain.admin@example.com')

    userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=delegated_credentials)


    # Create a user dictionary with user details
    userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}

    # Create user through googleAPI
    userservice.users().insert(body = userinfo).execute()