google admin sdk目录api 403 python [英] google admin sdk directory api 403 python

问题描述

我想使用admin sdk目录api创建用户的eamil帐户.

i want to use admin sdk directory api to create eamil account of users.

我正在使用google-api-python-client-1.2库.

i am using google-api-python-client-1.2 library.

/samples/service_account/tasks.py文件夹中的文件对我有用.

in folder /samples/service_account/tasks.py works for me.

但是当我碰巧该文件从管理员目录api列出用户时，它不起作用并抛出错误.

but when i chance that file to list users from admin directory api it doesn't works and throws errors.

下面是我正在使用的代码.

below is the code i am using.

import httplib2
import pprint
import sys
import inspect

from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
def main(argv):
    f = file('my-privatekey.p12', 'rb')
    key = f.read()
    f.close()

   credentials = SignedJwtAssertionCredentials(
      'my@developer.gserviceaccount.com',
      key,
      scope=['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.readonly'])
   http = httplib2.Http()
   http = credentials.authorize(http)

   service = build("admin", "directory_v1", http)
   list_of_apis = service.users().list(domain='mydomain.com').execute(http=http)
   pprint.pprint(list_of_apis)
if __name__ == '__main__':
      main(sys.argv)

当我运行上面的代码时，我得到以下错误.

when i run the above code i get below errors.

$python tasks.py 
No handlers could be found for logger "oauth2client.util"
Traceback (most recent call last):
  File "tasks.py", line 77, in <module>
    main(sys.argv)
  File "tasks.py", line 66, in main
    list_of_apis = service.users().list(domain='messycoders.com').execute(http=http)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/apiclient/http.py", line 723, in execute
    raise HttpError(resp, content, uri=self.uri) apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?domain=messycoders.com&alt=json returned "Not Authorized to access this resource/api">

推荐答案

尝试:

   credentials = SignedJwtAssertionCredentials(
      'my@developer.gserviceaccount.com',
      key,
      sub='superadmin@mydomain.com',
      scope=['https://www.googleapis.com/auth/admin.directory.user',])

您不需要两个作用域，如果仅执行读操作，请使用readonly；如果要进行读取和写入，请使用上面的内容.

You don't need both scopes, use readonly if you're doing read operations only, use the above if you're doing read and write.

sub =定义服务帐户应模拟哪个Google Apps帐户来执行目录操作，这是必需的，并且该帐户需要具有正确的权限.

sub= defines which Google Apps account the service account should impersonate to perform the directory operations, it's necessary and the account needs to have the right permissions.

最后，请确保已授予服务帐户对控制面板"中所需目录范围的访问权限. 步骤已在驱动器"文档中列出，只是正确的子类管理员目录的范围.

Lastly, be sure that you've granted the service account's client_id access to the directory scopes you need in the Control Panel. The steps to do this are listed in the Drive documentation, just sub in the correct scope(s) for Admin Directory.

这篇关于google admin sdk目录api 403 python的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！