Please I need to retrieve group list for a given user account, the only solution I found is to use google-admin-sdk, but unfortuantly it needs to have an admin account, but for me I have only a free gmail.com account, when i use it I get Not Authorized to access this resource/api.
So my question now is :
Is it mandatory to have an admin account for a specific domain to use this
api.
Can I get an admin account from my gmail.com account.
Thank you for your help in advance.
Answer:
In order to use groups.list (part of Google Workspace Admin SDK), you need to have a Google Workspace account.
Any Workspace account in your domain that has been granted Group privileges can list groups in that domain using this API.
Reference:
Group privileges
Related
Consider this scenario:
I have two domains: domain1.net and domain2.net.
I have GCP enabled on domain1.net and created a Service Account here that has Domain-Wide Delegation Enabled.
The CLIENT ID from this Service Account is configured on domain1.net GSuite Admin Console as domain wide delegation and has the following OAuth2 scopes enabled:
SCOPES = [
'https://www.googleapis.com/auth/admin.directory.group',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly',
]
I have a Cloud Function that uses the Service Account's rights to create a OAuth2 JWT, to be able to access GSuite domain1.net APIs. Code Sample Here.
The user to impersonate in GSuite has Group Admin Roles to be able to create GSuite Groups.
All this configuration works perfectly, I am able to create Groups in domain1.net using a Cloud Funtion in domain1.net GCP env.
But if I use the same Service Account CLIENT ID in domain2.net give the same OAuth2 Scopes, create an user with Group Admin Roles and use this user to create new groups, it doesn't work.
Error:
error got with oauth2client==4.1.3
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
error got with google.oauth2:
googleapiclient.errors.HttpError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
Now the above error code: unauthorized_client found in this documentation specifies that the CLIENT ID is incorrect and I've might have used the Service Account's email, which I did not.
Is Domain-Wide Delegation cross GSuite organization(different domain) capable?
I know that it works in any sub-domain of domain1.net but not in any other GSuite organization(different domain like domain2.net).
I have good news for you (This won't answer your question but will solve your problem)!
You won't need to impersonate an admin anymore to create groups. Google just last week announced that the Cloud Identity Groups API will now allow for Group Management via API w/o impersonating an admin.
Take a look at these update blogs:
https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html
https://gsuiteupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html
https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I can't help you with the actual question, tho; that's just not my territory.
A service account belongs to the application for which you created it. If this application belongs to domain1.net, the service account will be able to impersonate accounts from domain1.net, not from any other domain.
If you want a service account to impersonate users from domain2.net, create another service account on a GCP project that belongs to domain2.net.
Reference:
Using OAuth 2.0 for Server to Server Applications
When I am using the following code:
cf create-org (ORG_name)
I am getting an error:
You are not authorized to perform the requested action
In many distributions of Cloud Foundry, an org represents an entire company or account so you likely won't be able to create another org without signing up for another account. (See MindSphere documentation)
Orgs and spaces are used to control user permissions and organize resources such as apps and services. Unless you are trying to create a space that you don't want your org manager to see, you might just create a new space instead.
Actually I have used to push my application to mindsphere, but it was not done because i used normal user account. It need developer account to push the account.
If this is a Developer tenant, then you will already have an org for the tenant, which has the same name as the tenant. You can't create another org. By default, only the tenant owner is in the OrgManager role which can access the org.
Either:
Get the tenant owner to add you to the OrgManager role
Use MindSphere Settings to create Service Credentials for Cloud Foundry. This will allow you to login to cf using those credentials, access the cf org and add your real user to the org
Using Google Cloud, there exists a BigQuery View table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default composer service account - however it doesn't have access to the 2nd project used in the sql of the view.
How do I give composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different project and component. Exactly the same thing with the service account email.
The service account belongs to a project. An user account belongs to a domain name/organisation. No real difference at the end.
So, you can use a service account email like any user accounts:
Grant authorization in any project
Add it in Google Groups
Even grant it viewer or editor role on GSuite document (Sheet, Docs, Slides,...) to allow it to access and to read/update these document!! Like any users!
EDIT
With Airflow, you can defined connexions and a default connexion. You can use this connexion in your DAG and thus use the service account that you want.
I think you have to add the service account into project IAM.
When using GCP with cloud identity, we have a special a group which includes all users of the organization (all from cloud identity directory). It is perfect to give access to all users in the projects.
However, it doesn't include the service accounts in projects.
My question is, is there any special group to include all service account which exists in the organisation and in their projects?
Describing the use case:
We have some agents which we need to install in our compute engine instances. So, we would like to store the installers in a central bucket, and give permission in that bucket to all service accounts in our organization (with a special group permission, not handle all individual service account in the bucket...).
Thanks.
Regards,
Vassco Silva
You can use Google groups which uses a collection of user and/or service accounts. Once this is done, add the service accounts to the Google group and then assign the necessary IAM roles to the Google group.
A Google group of which I'm Manager have been granted certain permissions to access certain BigQuery tables. Effectively all user in the group can access to those tables using their personal credentials.
I would like to share those permissions with a service account and access the tables using service account credentials.
Is this possible? How to configure it?
A service account is generally used for Server to Server communication (between applications). With that in mind, a service account has associated an email address just like the ones associated to your personnel. So, you can assign roles/permissions to the service accounts using its email just like you assigned to your group.
I hope that the following steps help you in some manner:
Create a service account.
Assign predefined BigQuery roles (Admin, DataEditor, User, etc).
Download its json file which contains the credentials.
Use those credentials to authenticate and authorize your application.
To add a specific permission (owner, edit or view) on a specific dataset you can use its service account email.