Google Apps Admin API：需要为服务帐户指定帐户用户吗？ [英] Google Apps Admin API: need to specify account user for service account?

问题描述

我正在创建一个应该能够读取域的所有用户的Marketplace应用程序。我请求访问这些范围：

I'm creating a Marketplace App that should be able to read all the users of a domain. I request access to these scopes:

https://www.googleapis.com/auth/userinfo.email  
https://www.googleapis.com/auth/userinfo.profile    
https://www.googleapis.com/auth/admin.directory.user.readonly

当访问通用导航扩展时会发生这种情况：

Then when the 'Universal Navigation Extension' is accessed this happens:

Credential credential = new GoogleCredential.Builder()
        .setTransport(httpTransport)
        .setJsonFactory(jsonFactory)
        .setServiceAccountId(SERVICE_MAIL)
        .setServiceAccountScopes(Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY))
        .setServiceAccountPrivateKey(privateKey)
        .build();

Directory oauth2 = new Directory.Builder(httpTransport, jsonFactory, null)
        .setHttpRequestInitializer(credential)
        .build();

Directory.Users.List list = oauth2.users().list();
list.setDomain(queryParams.getString("domain"));
Users users = list.execute();

当我运行它时会返回此错误：

When I run this it returns this error:

{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Not Authorized to access this resource/api",
    "reason" : "forbidden"
  } ],
  "message" : "Not Authorized to access this resource/api"
}

但是，当我添加：

Credential credential = new GoogleCredential.Builder()
    .setServiceAccountUser("<admin-account>@<domain>")
    ...

它有效！

但我怎么知道管理员的电子邮件地址？
我可以在没有电子邮件地址的情况下使其工作吗？

推荐答案

否。您必须拥有并知道允许执行您想要的帐户的电子邮件地址（通常是superadmin）。

No. You must have and know the email address of an account allowed to do what your want (typically a superadmin).

我同意某些API要求它是非常荒谬的这（管理员，目录等）。

I agree that it is quite absurd for some APIs to require this (Admin, Directory, etc.).

这篇关于Google Apps Admin API：需要为服务帐户指定帐户用户吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！