Google Admin SDK 403 Not Authorized to Access this Resource/API

theyuv picture theyuv · Aug 18, 2016 · Viewed 7.7k times · Source

I use the following code in a java web application to try to get all users of a group:

GoogleCredential credential = GoogleCredential.fromStream(Util.class.getResourceAsStream("[credential_file].json")).createScoped(SCOPES);

Directory directory = new Directory.Builder(httpTransport, JSON_FACTORY, credential).build();

Directory.Members dirMem = directory.members();
Members members = dirMem.list("[group_email]").execute();

This results in an exception 403 (Not authorized to access this resource/API) on the last line (dirMem.list...).

From the documentation (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) and other posts, I saw that the solution to this is to set a service account user with setServiceAccountUser(). However, this means that I have to use a p12 file instead of a json file (Google recommends using a json file when you create the key).

Is there any way to get around this issue while still using a json file (it also involves less code).

Thanks.

Answer

matt picture matt · Jun 20, 2017

As suggested by this answer to a related question, including the sub (subject, I think) to indicate the email address of a delegated admin in your Google Apps account is a necessary step for the API calls to work. That delegated admin will also probably need to be authorized to access/modify the data or endpoints you are calling. Since my experience has been with the PHP client, not Java, I don't know the specifics of how you will provide that email address to the Java classes in use in your example.