403 error from Google Admin SDK with AppAssertionCredentials


Problem description

I'm trying to list users via Google admin directory API.

import logging
import os

from google.appengine.api import memcache
from googleapiclient import discovery
from oauth2client.contrib.appengine import AppAssertionCredentials

import httplib2

from flask import Flask

# The Flask app must exist before the @app.route decorator below is evaluated.
app = Flask(__name__)

# Credentials of the App Engine default service account, limited to the Directory users scope.
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/admin.directory.user')
auth_http = credentials.authorize(httplib2.Http(cache=memcache))
service = discovery.build('admin', 'directory_v1', http=auth_http)

@app.route('/list')
def list():
    # This is the call that fails with the 403 reported in the question.
    results = service.users().list(domain='example.com', maxResults=10, orderBy='email').execute()
    return 'success'

I'm running this in App Engine and have enabled domain-wide delegation for App Engine default service account, as instructed in https://developers.google.com/api-client-library/python/auth/service-accounts

This is the error I'm getting: HttpError: https://www.googleapis.com/admin/directory/v1/users?orderBy=email&domain=example.com&alt=json&maxResults=10 returned "Not Authorized to access this resource/api"

Recommended answer

Then, an administrator of the G Suite domain must complete the following steps:

  1. Go to your G Suite domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  3. Select Show more and then Advanced settings from the list of options.
  4. Select Manage API client access in the Authentication section.
  5. In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  7. Click Authorize.

Make sure your service account is set as an administrator.
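
A pre-flight check for step 6, as an added example that is not part of the original answer: it compares the scope the question's code requests with the text entered in the One or More API Scopes field, and reports scopes that were never delegated, delegated scopes the code does not use, and entries that do not parse as a scope. The function names, the sample field text, and the exact-string match on `https://www.googleapis.com/auth/...` scopes are assumptions of this sketch.

```python
import re

# Scope requested by the question's code (taken from the page).
REQUESTED = ["https://www.googleapis.com/auth/admin.directory.user"]

# Assumption: only the https://www.googleapis.com/auth/<name> form is recognized.
SCOPE_RE = re.compile(r"^https://www\.googleapis\.com/auth/[A-Za-z0-9._-]+$")


def parse_scope_field(text):
    """Split the scopes field on commas/whitespace.

    Returns (scopes, unrecognized), de-duplicated, in input order.
    """
    scopes, unrecognized = [], []
    for item in re.split(r"[,\s]+", text.strip()):
        if not item:
            continue
        bucket = scopes if SCOPE_RE.match(item) else unrecognized
        if item not in bucket:
            bucket.append(item)
    return scopes, unrecognized


def check_delegation(requested, field_text):
    """Compare requested scopes with what the admin entered in step 6."""
    authorized, unrecognized = parse_scope_field(field_text)
    return {
        # Requested by the code but not delegated.
        "missing": [s for s in requested if s not in authorized],
        # Delegated but never requested: candidates for removal (least privilege).
        "unused": [s for s in authorized if s not in requested],
        # Entries that do not look like a scope URL, e.g. a URL broken by a space.
        "unrecognized": unrecognized,
    }


if __name__ == "__main__":
    # Constructed sample field contents, not taken from a real Admin console.
    samples = [
        "https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar",
        "https://www.googleapis.com/auth/admin.directory.user,\n"
        "https://www. googleapis.com/auth/calendar",
    ]
    for field in samples:
        print(check_delegation(REQUESTED, field))
```
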
