Google API 使用服务帐户创建用户
Google API user creation with service account
我正在尝试使用 Google 目录 API 和服务帐户创建用户。但是我收到错误
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://admin.googleapis.com/admin/directory/v1/users?alt=json returned "Not Authorized to access this resource/api". Details: "Not Authorized to access this resource/api">
我已经在 Google 控制台上创建了一个服务帐户并允许域范围内的委派。它还表示已为我的项目启用 Admin SDK API。但是我似乎无法创建用户。文档让我有点困惑。这是我的实现
def create_googleuser(content, randpass):
''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
# Get User info from Webhook and store them in variables
firstname = get_firstname(content)
secondname = get_secondname(content)
emailaddress = firstname + "." + secondname + "@example.com"
# Connect to google API
userscope = ['https://www.googleapis.com/auth/admin.directory.user']
service_account_credentials = ('serviceaccountcredentials.json')
credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=credentials)
# Create a user dictionary with user details
userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
print (emailaddress)
# Create user through googleAPI
userservice.users().insert(body = userinfo).execute()
我认为我的实现是错误的而不是权限,因为 serviceaccountcredentials.json 应该具有正确的权限。有什么建议吗?
出现这个错误有两种可能。
如果 API 方法需要使用模拟用户。
如果被冒充的用户没有启用相关服务。
案例 1 的解决方案:
按照 documentation 模拟用户帐户。
案例 2 的解决方案:
在管理控制台中,打开用户信息并检查用户是否未被暂停。
打开“应用程序”面板并检查相关服务是否处于“开启”状态。
可能是由于用户没有允许访问该服务的许可证(Cloud Identity 而不是 Google Workspace),或者用户所在的组织单位禁用了该服务。
另外这个 link 可能会有帮助。
感谢您的投入。你们在某种程度上都是正确的。基本上有两个问题。服务帐户用户需要被委派需要域管理员操作的域管理员权限,域范围的委派是不够的。此外,管理控制台中的域范围和代码中的范围定义需要更广泛。有 github 个打开的问题对这里有帮助:
https://github.com/googleapis/google-api-nodejs-client/issues/1884
我的工作代码如下所示
def create_googleuser(content, randpass):
''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
# Get User info from Webhook and store them in variables
username = get_username(content)
firstname = get_firstname(content)
secondname = get_secondname(content)
emailaddress = firstname + "." + secondname + "@example.com"
# Connect to google API
userscope = ['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.security']
service_account_credentials = ('serviceaccountcredentials.json')
credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
delegated_credentials = credentials.with_subject('domain.admin@example.com')
userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=delegated_credentials)
# Create a user dictionary with user details
userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
# Create user through googleAPI
userservice.users().insert(body = userinfo).execute()
我正在尝试使用 Google 目录 API 和服务帐户创建用户。但是我收到错误
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://admin.googleapis.com/admin/directory/v1/users?alt=json returned "Not Authorized to access this resource/api". Details: "Not Authorized to access this resource/api">
我已经在 Google 控制台上创建了一个服务帐户并允许域范围内的委派。它还表示已为我的项目启用 Admin SDK API。但是我似乎无法创建用户。文档让我有点困惑。这是我的实现
def create_googleuser(content, randpass):
''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
# Get User info from Webhook and store them in variables
firstname = get_firstname(content)
secondname = get_secondname(content)
emailaddress = firstname + "." + secondname + "@example.com"
# Connect to google API
userscope = ['https://www.googleapis.com/auth/admin.directory.user']
service_account_credentials = ('serviceaccountcredentials.json')
credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=credentials)
# Create a user dictionary with user details
userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
print (emailaddress)
# Create user through googleAPI
userservice.users().insert(body = userinfo).execute()
我认为我的实现是错误的而不是权限,因为 serviceaccountcredentials.json 应该具有正确的权限。有什么建议吗?
出现这个错误有两种可能。
如果 API 方法需要使用模拟用户。
如果被冒充的用户没有启用相关服务。
案例 1 的解决方案:
按照 documentation 模拟用户帐户。
案例 2 的解决方案:
在管理控制台中,打开用户信息并检查用户是否未被暂停。
打开“应用程序”面板并检查相关服务是否处于“开启”状态。
可能是由于用户没有允许访问该服务的许可证(Cloud Identity 而不是 Google Workspace),或者用户所在的组织单位禁用了该服务。
另外这个 link 可能会有帮助。
感谢您的投入。你们在某种程度上都是正确的。基本上有两个问题。服务帐户用户需要被委派需要域管理员操作的域管理员权限,域范围的委派是不够的。此外,管理控制台中的域范围和代码中的范围定义需要更广泛。有 github 个打开的问题对这里有帮助:
https://github.com/googleapis/google-api-nodejs-client/issues/1884
我的工作代码如下所示
def create_googleuser(content, randpass):
''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
# Get User info from Webhook and store them in variables
username = get_username(content)
firstname = get_firstname(content)
secondname = get_secondname(content)
emailaddress = firstname + "." + secondname + "@example.com"
# Connect to google API
userscope = ['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.security']
service_account_credentials = ('serviceaccountcredentials.json')
credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
delegated_credentials = credentials.with_subject('domain.admin@example.com')
userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=delegated_credentials)
# Create a user dictionary with user details
userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
# Create user through googleAPI
userservice.users().insert(body = userinfo).execute()