Search code examples
google-apps-scripthttp-status-code-403service-accountsgoogle-cloud-identity

Request failed for https://cloudidentity.googleapis.com returned code 403

I'm trying to use this API manage company devices in my workspace. 1st step is pulling a list of current devices. Code is in apps script.

I'm getting:

Exception: Request failed for https://cloudidentity.googleapis.com returned code 403. Truncated server response: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Things I've done

  1. Service account has domain wide delegation for cloud-platform, cloud-identity and cloud-identity.devices
  2. Auth is done via Google's OAuth library, seems to work fine.
  3. OAuth also has space for scopes, same one's are requested.

Code bits:

    var scriptProperties = PropertiesService.getScriptProperties()
    private_key= scriptProperties.getProperty('private_key').replace(/\\n/g, '\n')
    client_email = scriptProperties.getProperty("client_email")
    ;

    function getOAuthService() {
      return OAuth2.createService('Service Account')
        // Set the endpoint URLs
        .setTokenUrl('https://accounts.google.com/o/oauth2/token')

        // Set the client ID and secret
        .setPrivateKey(private_key)
        .setIssuer(client_email)

        // Set the property store where authorized tokens should be persisted
        .setPropertyStore(PropertiesService.getScriptProperties())
        // .setCache(CacheService.getUserCache())

        .setParam('access_type', 'offline')
        .setScope('https://www.googleapis.com/auth/cloud-identity');
    }

    function reset() {
      var service = getOAuthService();
      service.reset();
    }


    function downloadDevices() {
    var service = getOAuthService();
    service.reset();
      if (service.hasAccess()) {
        var pageToken;
        var URL = "https://cloudidentity.googleapis.com/v1/devices";
        var headers = {
            Authorization: 'Bearer ' + service.getAccessToken()
          };
        var options = {
                method : "GET",
                headers: headers
              };
          var response = UrlFetchApp.fetch(URL, options);
        } else {
        Logger.log('service Error');
        Logger.log(service.getLastError());
      }
    }

By the looks of it everything is fine, it just that I don't have permissions. But as far as I can see there is no more relevant permissions to give.

Solution

  • Based on the code provided I can see that you are probably not doing the user impersonation needed in order to get the correct permissions. Usually when the user impersonation is not done correctly, the system can get the permissions from the service account and since this one does not have super admin permissions, that is why you get the 403 error.

    The correct way to go would be to use the service account impersonate a super admin so that you get enough permissions when calling the API.