I am using a Google account managed by my company. I want to activate an API but get the warning that I do not have sufficient privileges. What kind of privileges do you need for API access and where in the admin console do you set it up?
Related
I'm trying to get some data from a user (searchconsole):
the user first grants permission on a website.
Then, the idea is to use that permission and retrieve the data with a python program that'll run on a different server.
What is the easiest/safest way to achieve that?
Should I use the same token for both servers?
or is there a solution using the service account impersonation? (I'm stuck on that one)
use the permission on the web server to add the service account as a searchconsole user?
I tried to move the token from one server to another manually, and it works, but it seems suboptimal to use the same token for both servers.
I also read the doc and all examples I could find, but didn't find my case even though it seems basic.
Should I use the same token for both servers?
Im not 100% sure what you mean by token, you can and probably should just store the refresh token from the user and then you can access their data when ever you need to. This is really how Oauth2 is supposed to work and maybe you could find a way of storing it in a database that both your fount end and backend can access.
or is there a solution using the service account impersonation? (I'm stuck on that one)
Service accounts should really only be used if you the developer control the account you are trying to connect to. or if you are a google workspace admin and want to control the data of everyone on your domain. impersonation can only be configured via google workspace and can only be configured to control users on the same domain. So standard google gmail users would be out.
In the case of the webmaster tools api im not sure by checking the documentation that this api even supports service accounts
use the permission on the web server to add the service account as a searchconsole user?
I did just check my personal web master tools account and it appears that i have at some point in the past added a service account as a user on my account.
For a service account to have access to an account it must be pre authorized. This is done as you can see by adding a user to your account. I cant remember how long ago I tested this from what i remember it did not work as the user needed to accept the authorization and there was no way to do that with a service account.
I have a service account created through the Google developer console specifically for API access to Google Drive to retrieve documents. However recently I have changed my G-suite Google Drive settings to have the security restriction that documents can only be shared outside of my organization to whitelisted domains rather than it being wide-open for sharing purposes.
Prior to this security setting change everything was working fine having my service account access documents it has specifically been granted access to. However after the change when viewing the sharing settings on a file that it previously had access to it now says the account cannot be granted access as the policy set prohibits the sharing of items to this user as its not in a compatible whitelisted domain.
I did try whitelisting gserviceaccount.com within my G-suite admin console but this still brought no luck.
Anyone else have a similar issue? Any good solution?
Thanks!
You may want to complete the following steps given in Delegating domain-wide authority to the service account:
Go to your G Suite domain’s Admin console.
Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
Select Show more and then Advanced settings from the list of options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
Click Authorize.
This will give authority to your app to make application calls as users in your domain. However, please note on this:
Although you can use service accounts in applications that run from a G Suite domain, service accounts are not members of your G Suite account and aren’t subject to domain policies set by G Suite administrators. For example, a policy set in the G Suite admin console to restrict the ability of G Suite end users to share documents outside of the domain would not apply to service accounts.
See Perform G Suite Domain-Wide Delegation of Authority for more information.
I got the super admin privileges for to my Google Account.
I need to get the list of all the chrome devices through an API.
I did enable Google Admin SDK but still facing some issues.
I copied the exact python script from Python Quickstart for checking but still getting error as
"googleapiclient.errors.HttpError: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&orderBy=email&alt=json&maxResults=10 returned "Insufficient Permission">"
When checked on Admin SDK API dashboard I can see 4xx errors for every call made from my python script.
When you run the sample you need to make sure that this step
The sample will attempt to open a new window or tab in your default browser. If this fails, copy the URL from the console and manually open it in your browser.
If you are not already logged into your Google account, you will be prompted to log in. If you are logged into multiple Google accounts, you will be asked to select one account to use for the authorization.
Is done from the Google account which has access to your admin account. The user you are logged in with now does not have access.
I managed to get Super Admin access of Google account and then grant access to my project for different scopes. The docs/ references are so confusing hence it took a while for me to figure it out. So under the admin console, we have to get into Security >> Advanced Settings >> Manage API Client Access(under Authentication) and then add the client name and the scopes(multiple scopes separated by commas) for which we need access. Client name is the client-id which we can get from the client-secretxxxxx.json file(downloaded while creating the oauth id).
NOTE :- You do NOT need super admin access it is just that I was new and the guy who gave me the initial access wasn't sure what has to be enabled across.
Also couldn't post as a comment due to the limitation of characters.
The scenario:
installing google apps marketplace app
user grant access using oauth2 and some predefined scopes
user clicks on a link after installation
since the user already gave access to the same app he is not forced to grant access again (as we have authentication in the app itself), but only to login if the current session is expired
The problem:
even we set the same app settings + scopes, it's asking twice for the "grant access" - in marketplace + our app
Clues so far:
if we wait (3-4 minutes) between marketplace grant access and clicking the app link .. it's working and it's NOT forcing the user to grant access again, so all cool.. apart from waiting time
if we use only the marketplace auth, the app permission is NOT present here: https://security.google.com/settings/security/permissions So even granted, I cannot revoke it from here
if we use auth in our app (the second one) - it's now present in the above link and can be revoked
I can see something's wrong, but can't figure out what. Is there some "google apps specific login" apart from the standard Google Auth APIs? Or what about that waiting moment and then all works good? All suggestions are welcome! :)
I have attempted to publish an application to the Google Apps Marketplace that uses a service account to act on behalf of users within a domain. How does the installation flow differ based on whether the installing user is an administrator or a normal user since it requires the service account to be authorized in the Google Admin console?
I am getting push back during the application review asking why the app is requiring an admin to manually authorize the API scopes for the service account in the Google Admin Console. If a Google Apps Administrator installs the application for the domain and consents to all of the application access, does that authorization apply for all users in the domain? I do not want all users in a domain to be prompted with the OAuth 2 consent screen.