I'm trying to connect to the Google Directory API (REST Resource: users) via Airflow. I want to get a list of users within the organization's Google Workspace as well as update some attributes. I want to do this programmatically via the service account that has been set up within the project with the appropriate scope: https://www.googleapis.com/auth/admin.directory.user.
Domain-wide delegation has also been enabled, as has the Admin SDK API. The service account also has full permissions on the project.
However, when I try to run a basic standalone Python script using the Google API client and Google OAuth2 libraries to test whether the service account is able to access the API and get a single user via their email, it throws this error:
Error fetching user:
<HttpError 403 when requesting https://admin.googleapis.com/admin/directory/v1/users/<username>%40<domain>?alt=json
returned "Not Authorized to access this resource/api".
Details:
"[
{
'message': 'Not Authorized to access this resource/api',
'domain': 'global', 'reason': 'forbidden'
}
]
">
However, when I add the email of the super admin as the subject for the impersonation, the service account is able to access the user in the Directory API.
from google.oauth2 import service_account
SCOPES = ["https://www.googleapis.com/auth/admin.directory.user"]
credentials = service_account.Credentials.from_service_account_file(
    "/path/to/file.json",
    scopes=SCOPES,
    subject="[email protected]")
Nowhere in the documentation is it mentioned that one needs to add the admin email as well. Am I missing something? If I need to add the admin for the service account to impersonate, then what is the point of having domain-wide delegation enabled?
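The difference between the two calls above comes down to one claim in the JWT assertion that the client library sends to Google's token endpoint. In the service-account flow the assertion carries `iss` (the service account), `scope` and `aud`; domain-wide delegation adds an optional `sub` claim naming the Workspace user the token should act as. Without `sub`, the resulting access token represents the service account itself, which is not a Workspace user and therefore has no Directory API privileges; with `sub` set to an admin, the token carries that admin's privileges (which is exactly what domain-wide delegation authorizes). The block below is an added example, not code from the original post or from google-auth: it builds the assertion claim set with the Python standard library and shows which principal each variant acts as. The service-account address and the admin address are constructed placeholders, and the JWT is left unsigned (the real library signs it RS256 with the service account's private key), so nothing here talks to Google.

```python
import base64
import json
import time

# Constants from Google's OAuth 2.0 server-to-server flow
TOKEN_URI = "https://oauth2.googleapis.com/token"
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"

# Constructed placeholder identities (not real accounts)
SA_EMAIL = "svc-airflow@example-project.iam.gserviceaccount.com"
ADMIN_EMAIL = "admin@example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7515 for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_assertion_claims(sa_email, scopes, subject=None, now=None, lifetime=3600):
    """Claim set of the JWT a service account exchanges for an access token.

    `subject` is the domain-wide-delegation knob: when present it becomes the
    `sub` claim and the token acts as that Workspace user. Google rejects
    assertions whose `exp` is more than one hour after `iat`, hence the cap.
    """
    if lifetime > 3600:
        raise ValueError("assertion lifetime must not exceed 3600 seconds")
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    if subject:
        claims["sub"] = subject
    return claims


def encode_unsigned_jwt(claims, key_id="placeholder-key-id"):
    """Header.payload part of the assertion; the signature segment is omitted
    here because this example holds no private key (google-auth signs RS256
    with the key in the service-account JSON file)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    compact = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return b64url(compact(header)) + "." + b64url(compact(claims))


def decode_claims(unsigned_jwt):
    """Read the claim set back out of a header.payload string."""
    return json.loads(b64url_decode(unsigned_jwt.split(".")[1]))


def effective_principal(claims):
    """Identity the access token will carry: the delegated user if `sub` is
    set, otherwise the service account itself (which has no Workspace role)."""
    return claims.get("sub", claims["iss"])


if __name__ == "__main__":
    for subject in (None, ADMIN_EMAIL):
        claims = build_assertion_claims(SA_EMAIL, [DIRECTORY_USER_SCOPE], subject, now=1_700_000_000)
        jwt = encode_unsigned_jwt(claims)
        print(f"subject={subject!r}: token acts as {effective_principal(decode_claims(jwt))}")
```

Run as a script it prints the two cases side by side: with no subject the token acts as the service account (the 403 case in the post), with `subject=ADMIN_EMAIL` it acts as the admin. The `lifetime` cap mirrors the one-hour limit Google enforces on the assertion's validity window.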