How to debug an "unauthorized_client" error in a Google API call

Question    Votes: 0    Answers: 1

I am trying to fetch some data using a service account. I can query any resource that the IAM roles attached to this service account allow, but I cannot fetch data from Google Workspace, such as Calendar, Groups, email, etc.

Here is my code:

from google.oauth2 import service_account
from googleapiclient.discovery import build

# The scopes requested here must also appear in the scope list authorized for this
# service account's Client ID under domain-wide delegation in the Admin console.
SCOPES = ["https://www.googleapis.com/auth/admin.directory.group.readonly"]

creds = service_account.Credentials.from_service_account_file("<cred>.json", scopes=SCOPES)
# Impersonate a Workspace super admin; the service account itself owns no Workspace data.
delegated_creds = creds.with_subject("<admin_email@my_domain>")

admin_service = build('admin', 'directory_v1', credentials=delegated_creds)
results = admin_service.groups().list(userKey="<myemail@mydomain>").execute()

The error I get is:

('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})

I don't know where to debug this. I have been stuck on this for a while. When I look at the logs in GCP, I don't see any log entries related to the rejected request. What is the best path to start debugging from here?

These are the things I believe I have already verified:

- Client ID: Ensured that the Client ID specified in the Admin Console during domain-wide delegation setup is correct. It is the Client ID associated with the service account used in my code.
- Impersonated user: Ensured that the email address I am impersonating in the with_subject(ADMIN_EMAIL) method call in my Python code is a super admin in my Google Workspace domain.
- Verify Scopes: Double-checked the scopes specified in the Admin Console during domain-wide delegation setup. Made sure the scopes are entered correctly in the Admin Console (no extra spaces, correct delimiters, etc.).
- Key file: Made sure that the key file is valid and corresponds to the service account for which I have enabled domain-wide delegation.
- Enabled Domain-wide Delegation: Confirmed that Domain-wide Delegation is enabled for the service account in the Google Cloud Console.
- API Enablement: Ensured that the Cloud Identity API (or whichever API I'm trying to access) is enabled for your GCP project.
- Authorization in Google Admin Console: Verified that I have authorized the correct Client ID (from your service account) in our Google Admin Console with the correct scopes.

google-cloud-platform google-oauth google-workspace google-api-python-client
1 Answer

0 votes

I figured out the problem. I had to add an additional scope in the domain-wide delegation admin settings, namely

https://www.googleapis.com/auth/cloud-platform

This scope does not need to be mentioned anywhere in my code (e.g. by adding scopes to my credentials); it only has to be in the list of scopes the admin has allowed for my service account.

This is strange, because the actual API I'm using does not specify the above auth scope anywhere. (See: https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list#authorization-scopes)
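A pre-flight check for the items in the question's checklist, as an added example that is not part of the original post or the Google libraries: it reads the Client ID from the key file, normalizes the scope list as pasted into the Admin console, and reports mismatches before any token request is made. The key file contents and console values are constructed placeholders, and `build_delegated_directory_service` is a hypothetical helper that only wraps the calls already shown in the question.

```python
import json

# Constructed stand-in for a downloaded service-account key file (placeholder values, not a real key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "svc-reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

DIRECTORY_GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"


def parse_admin_console_scopes(raw):
    """Normalize the scope list as pasted into the Admin console (comma separated,
    possibly with stray spaces or line breaks) into a set of exact scope URLs."""
    return {s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()}


def preflight(key_json, admin_console_client_id, admin_console_scopes, requested_scopes):
    """Return a list of findings that would make the token exchange fail with
    unauthorized_client; an empty list means the checks from the question pass."""
    key = json.loads(key_json)
    findings = []
    # The Admin console identifies the delegated client by the numeric client_id
    # from the key file, not by the service account's e-mail address.
    if key.get("client_id") != admin_console_client_id.strip():
        findings.append("client_id mismatch: key file has %s, Admin console has %r"
                        % (key.get("client_id"), admin_console_client_id))
    if not requested_scopes:
        findings.append("no scopes requested: create the credentials with scopes=[...]")
    authorized = parse_admin_console_scopes(admin_console_scopes)
    for scope in requested_scopes:
        if scope not in authorized:
            findings.append("scope not authorized for this client in the Admin console: " + scope)
    return findings


def build_delegated_directory_service(key_path, admin_email, scopes):
    """Builds the delegated Directory API client (needs network and the Google libraries)."""
    from google.oauth2 import service_account  # imported here so the checks above run offline
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(key_path, scopes=scopes)
    return build("admin", "directory_v1", credentials=creds.with_subject(admin_email))


if __name__ == "__main__":
    # Constructed console values: stray whitespace (tolerated) and a wrong Client ID (reported).
    print(preflight(SAMPLE_KEY_JSON, "000000000000000000000",
                    " %s ,\nhttps://www.googleapis.com/auth/cloud-platform" % DIRECTORY_GROUP_SCOPE,
                    [DIRECTORY_GROUP_SCOPE]))
```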

© www.soinside.com 2019 - 2024. All rights reserved.