问题描述
我正在尝试使用服务帐户访问 Directory API (https://developers.google.com/admin-sdk/directory/v1/reference/users/list).最简单的任务是列出组织中的用户.这与我的用户帐户配合良好,已使用 OAuth 2.0 Playgorund 进行测试.但我需要使用服务帐户.我正在关注双足 OAuth (https://developers.google.com/identity/协议/OAuth2ServiceAccount) 并在 Powershell 中实现 REST 客户端
I am trying to use a service account to access Directory API (https://developers.google.com/admin-sdk/directory/v1/reference/users/list). The simplest task is to list users in the organization. That works well with my user account, tested with the OAuth 2.0 Playgorund. But I need to use service account. I am following documentation for two-legged OAuth (https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and implementing REST client in Powershell
- 在 Google 管理控制台中启用 API 访问
- 已创建服务帐户并下载 P12 凭据.该帐号在 Cloud Console 中被授予多个组织范围的角色:浏览器、安全审核者、组织查看者 - 以便测试各种场景
- 域范围的权限在管理控制台中授予,API 范围为 https://www.googleapis.com/auth/admin.directory.user
Powershell 代码:
Powershell code:
# Forming the JWT claim set
$cert = Get-PfxCertificate -FilePath "c:psGAdminapiaccess-123456.p12" -Password (ConvertTo-SecureString "notasecret" -AsPlainText -Force)
$now = (Get-Date).ToUniversalTime()
$createDate = [Math]::Floor([decimal](Get-Date($now) -UFormat "%s"))
$expiryDate = [Math]::Floor([decimal](Get-Date($now.AddHours(1)) -UFormat "%s"))
$rawclaims = [Ordered]@{
iss = "p12service@apiaccess-123456.iam.gserviceaccount.com"
scope = "https://www.googleapis.com/auth/admin.directory.user"
aud = "https://www.googleapis.com/oauth2/v4/token"
iat = $createDate
exp = $expiryDate
} | ConvertTo-Json
# Encoding the JWT claim set
$jwt = New-Jwt -PayloadJson $rawclaims -Cert $cert -Verbose
# Making the access token request
$apiendpoint = "https://www.googleapis.com/oauth2/v4/token"
$splat = @{
Method = "POST"
Uri = $apiendpoint
ContentType = "application/x-www-form-urlencoded"
Body = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=$jwt"
}
$res = Invoke-WebRequest @splat -Verbose
$accesstoken = ($res.content | ConvertFrom-Json).access_token
# Calling Google APIs - list of users
$usersapiendpoint = "https://www.googleapis.com/admin/directory/v1/users?list&customer=my_customer&domain=mydomain.com.au"
$splat = @{
Method = "GET"
Uri = $usersapiendpoint
Headers = @{authorization = "Bearer $accesstoken"}
}
$userlistres = Invoke-WebRequest @splat -Verbose
这会导致错误:
代码 403,无权访问此资源/api"
调用其他 API 有效.我需要做什么才能启用对 Directory API 的编程访问?我是否缺少服务帐户/SDK 访问权限的配置步骤?
Calling other APIs works. What do I need to do to enable programmatic access to the Directory API? Am I missing a configuration step for the service account/SDK access?
推荐答案
成功了!域范围的授权和模拟($rawclaims 中的 sub = "user@example.com" 条目)是必要且正确的.
Got this working! The domain-wide authority delegation and impersonation (a sub = "user@example.com" entry in the $rawclaims) were necessary and correct.
问题是通过域范围委派授予服务帐户的权限与我的声明中请求的权限不匹配(我有几个):
The problem was that there was a mismatch between the privileges granted to the service account through the domain-wide delegation, and those requested in my claim (I had several):
scope = "https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/云平台"
一旦声明与授予的权限匹配,我就收到了我的令牌.
Once claims matched granted privileges, I received my tokens.
这篇关于使用服务帐号访问 G Suite Admin SDK的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,WP2