Tags: google-cloud-platform, google-oauth, google-workspace, google-api-python-client

How do I debug "unauthorized_client" error in a google api call


I'm trying to fetch some data using a service account. I can query any resource that the IAM roles attached to this service account allow, but I am not able to fetch data from Google Workspace (Calendar, Groups, Email, etc.).

Here's my code:

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Load the service account key file (no scopes= argument is passed here)
creds = service_account.Credentials.from_service_account_file("<cred>.json")
# Impersonate a Workspace admin through domain-wide delegation
delegated_creds = creds.with_subject("<admin_email@my_domain>")

admin_service = build('admin', 'directory_v1', credentials=delegated_creds)
results = admin_service.groups().list(userKey="<myemail@mydomain>").execute()

The error that I run into is:

('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})

I don't know where to debug this. I've been stuck on it for a while. I don't see any logs related to denied requests when I look at the logs in GCP. What's the best path to debug from here?

These are all the things I believe I've verified.

Ensured that the Client ID specified in the Admin Console during domain-wide delegation setup is correct. It is the Client ID associated with the service account used in my code.

Ensured that the email address I am impersonating in the with_subject(ADMIN_EMAIL) method call in my Python code is a super admin in my Google Workspace domain.

Verify Scopes:
Double-checked the scopes specified in the Admin Console during domain-wide delegation setup. Made sure the scopes are entered correctly in the Admin Console (no extra spaces, correct delimiters, etc.).

Made sure that the key file is valid and corresponds to the service account for which I have enabled domain-wide delegation.

Enabled Domain-wide Delegation:
Confirmed that Domain-wide Delegation is enabled for the service account in the Google Cloud Console.

API Enablement:
Ensured that the Cloud Identity API (or whichever API I'm trying to access) is enabled for your GCP project.

Authorization in Google Admin Console:
Verified that I have authorized the correct Client ID (from your service account) in our Google Admin Console with the correct scopes.


Solution

I figured out what the issue was. I had to add an additional scope in the Domain-wide Delegation admin settings, the additional scope being https://www.googleapis.com/auth/cloud-platform.

This scope does not need to be mentioned anywhere in my code (like adding a scope for my credentials) but just needs to be among the list of scopes that an admin allowlists for my service account.

This is weird because the actual API that I'm using doesn't specify the above auth scope anywhere. (See: https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list#authorization-scopes)
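Why the allowlist had to contain a scope the code never names: when from_service_account_file() is called without scopes=, google-api-python-client's build() scopes the credentials with every scope listed in the API's discovery document, so the delegated JWT assertion requests all of them and domain-wide delegation refuses the token unless each one is allowlisted. The following added example (not code from the question or the answer) reproduces that scope arithmetic offline with a constructed discovery-document fragment and a constructed allowlist, and shows that passing the one scope groups().list() needs removes the gap without widening the allowlist.

```python
import json
from typing import Iterable, Optional, Set

# Constructed fragment of an API discovery document ("auth.oauth2.scopes" only).
# Scope names are illustrative; the real admin directory_v1 document lists more.
DISCOVERY_DOC = json.loads("""
{"auth": {"oauth2": {"scopes": {
  "https://www.googleapis.com/auth/admin.directory.group": {},
  "https://www.googleapis.com/auth/admin.directory.group.readonly": {},
  "https://www.googleapis.com/auth/cloud-platform": {}
}}}}
""")

# Constructed: the scopes an admin allowlisted for the client ID under
# domain-wide delegation (note: no cloud-platform).
ALLOWLISTED = {
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
}


def discovery_scopes(doc: dict) -> Set[str]:
    """Every scope the discovery document declares for the API."""
    return set(doc.get("auth", {}).get("oauth2", {}).get("scopes", {}))


def effective_scopes(requested: Optional[Iterable[str]], doc: dict) -> Set[str]:
    """Scopes the delegated JWT assertion will actually carry.
    None mirrors from_service_account_file() called without scopes=: the
    credentials still require scopes, so build() fills in the whole discovery
    list instead of the one scope the called method needs."""
    return set(requested) if requested else discovery_scopes(doc)


def delegation_gap(requested: Optional[Iterable[str]], doc: dict,
                   allowlisted: Iterable[str]) -> Set[str]:
    """Requested scopes the Admin console has not allowlisted for this client ID.
    A non-empty result is what the token endpoint rejects as unauthorized_client;
    allowlist them or, better, request only the scope the call needs."""
    return effective_scopes(requested, doc) - set(allowlisted)


if __name__ == "__main__":
    # As in the question: no scopes= argument, so every discovery scope is requested.
    print("unscoped credentials ->", delegation_gap(None, DISCOVERY_DOC, ALLOWLISTED))
    # Least privilege: name the one scope groups().list() needs and nothing else.
    wanted = ["https://www.googleapis.com/auth/admin.directory.group.readonly"]
    print("explicit scopes      ->", delegation_gap(wanted, DISCOVERY_DOC, ALLOWLISTED))
```

In real code the equivalent of the second case is `Credentials.from_service_account_file("<cred>.json", scopes=wanted)` before `with_subject()`, which also keeps the impersonated admin's delegated power limited to that one scope.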