我正在尝试设置组设置服务,但无法弄清楚授权问题出在哪里。下面是我用来测试的代码:
import os
import internal_package
from google.oauth2 import service_account
from googleapiclient.discovery import build
# read credential from vault
gsuite_service_account = internal_package.vault.get_credential(service_account="gsuite_script", json_response=True)
if gsuite_service_account is None:
raise ValueError('gsuite_script')
user_account = gsuite_service_account['user_email']
scopes = ['https://www.googleapis.com/auth/apps.groups.settings']
# Load credentials for Service Account
service_account_file = os.environ["GOOGLE_APPLICATION_CREDENTIALS"]
credentials = service_account.Credentials.from_service_account_file(service_account_file, scopes=scopes, subject=user_account)
group_client = build("groupssettings", "v1", credentials=credentials)
print("GSuite service successfully configured.")
group_email = '[email protected]'
group_settings = group_client.groups().get(groupUniqueId=group_email).execute()
该脚本使用 gsuite_service_account (Google Cloud 服务帐户)来模拟 user_account (Google Workspace 帐户)。
创建 group_client 没有错误,但是当脚本执行最后一个 GET 方法时,会生成授权错误:
raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})
我已检查以下内容:
我可以成功使用与 Admin SDK v1 相同的帐户,但不能使用组设置 API。知道我可能会错过什么吗?'
你的代码对我有用(尽管没有秘密管理器)
main.py
:
import os
from google.oauth2 import service_account
from googleapiclient.discovery import build
project_id = os.getenv("PROJECT")
service_account_file = os.getenv("GOOGLE_APPLICATION_CREDENTIALS")
user_account = os.getenv("USER_EMAIL") # [email protected]
group_account = os.getenv("GROUP_EMAIL") # [email protected]
scopes = ["https://www.googleapis.com/auth/apps.groups.settings"]
credentials = service_account.Credentials.from_service_account_file(
service_account_file,
scopes=scopes,
subject=user_account,)
group_client = build("groupssettings", "v1", credentials=credentials)
print("GSuite service successfully configured.")
group_settings = group_client.groups().get(groupUniqueId=group_account).execute()
print(group_settings)
我已经拥有一个域范围的委托服务帐户,并根据您的问题添加了
apps.groups.settings
范围:
https://admin.google.com/ac/owl/domainwidedelegation
我使用 https://groups.google.com 创建了一个群组 (
foo
),然后将 GROUP_EMAIL
设置为 [email protected]
。
然后:
PROJECT="..." # Project that owns the domain-wide delegated account
ACCOUNT="..." # Name of the domain-wide delegated account
EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"
gcloud services enable groupssettings.googleapis.com \
--project=${PROJECT}
gcloud iam service-accounts keys create ${PWD}/${ACCOUNT}.json \
--iam-account=${EMAIL}
# Arbitrary role that it's in the Project's IAM binding
gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=roles/iam.serviceAccountUser
运行代码并产生:
{
"kind": "groupsSettings#groups",
"email": "[email protected]",
"name": "foo",
...
}