Description
Hello,
Apparently it's not possible to use short-lived credentials and access Workspace APIs at the same time. I'm able to get the token correctly, but then I get permission denied even if the privileged service account is correctly associated to the GW environment and with the proper APIs.
In fact, by using that service account directly, everything works, which rules out any problem with the configuration of the service account or a lack of permissions for the Workspace user.
Environment details
- Admin SDK
- OS type and version: Ubuntu 24.02
- Java version: 11
- Version(s): google-api-client 2.7.2
Steps to reproduce
- Configure a service account and connect it with the right scopes to Google Workspace (with domain-wide delegation)
- Configure a second service account without privileges, but just to request a short-lived token to the first service account as described here: https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#permissions-access
Code example
// Imports assumed for this snippet (google-auth-library-java and the Admin SDK Directory client):
import java.io.FileInputStream;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.services.directory.Directory;
import com.google.api.services.directory.model.Users;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
// scopes, privilegedServiceAccountEmail, userWorkspace, customerId, GWConnection.JSON_FACTORY and
// GQueryBuilder are defined elsewhere in the reporter's project.
// Caller: the unprivileged service account whose key is on disk.
ServiceAccountCredentials callerCredentials = ServiceAccountCredentials.fromStream(new FileInputStream("/my/path/unpriviledge-service-account.json"));
callerCredentials = (ServiceAccountCredentials) callerCredentials.createScoped(scopes);
// Target: the privileged service account with domain-wide delegation, acting as the Workspace user.
GoogleCredentials targetCredentials = ImpersonatedCredentials.newBuilder()
        .setSourceCredentials(callerCredentials)
        .setTargetPrincipal(privilegedServiceAccountEmail)
        .setScopes(scopes)
        .build()
        .createDelegated(userWorkspace);
targetCredentials.refresh();
// Here I can print a valid token, but it's useless with Workspace
Directory directory = new Directory.Builder(GoogleNetHttpTransport.newTrustedTransport(), GWConnection.JSON_FACTORY, new HttpCredentialsAdapter(targetCredentials)).setApplicationName("myApp").build();
// Look up the delegated user in the Directory API with the impersonated credentials.
Directory.Users.List request = directory.users().list().setCustomer(customerId);
GQueryBuilder gq = new GQueryBuilder();
gq.emailIs(userWorkspace);
request.setQuery(gq.getQuery());
Users result = request.execute();
The result I get is:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
GET https://admin.googleapis.com/admin/directory/v1/users?customer=XXXXX&query=email%3D'YYYYYY'
{
"code": 403,
"errors": [
{
"domain": "global",
"message": "Not Authorized to access this resource/api",
"reason": "forbidden"
}
],
"message": "Not Authorized to access this resource/api"
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:145) ~[google-api-client-2.7.2.jar:2.7.2]
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:118) ~[google-api-client-2.7.2.jar:2.7.2]
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:37) ~[google-api-client-2.7.2.jar:2.7.2]
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$3.interceptResponse(AbstractGoogleClientRequest.java:479) ~[google-api-client-2.7.2.jar:2.7.2]
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1111) ~[google-http-client-1.47.0.jar:1.47.0]
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:565) ~[google-api-client-2.7.2.jar:2.7.2]
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:506) ~[google-api-client-2.7.2.jar:2.7.2]
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:616) ~[google-api-client-2.7.2.jar:2.7.2]
Thanks for any hints!
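As an added diagnostic (not part of the issue above or of google-auth-library), the helper below sends the token that `targetCredentials` yields to Google's tokeninfo endpoint, so the impersonated token can be compared with the one obtained directly from the privileged service account: which scopes it carries and, when an email scope was requested, which principal it represents. It assumes google-auth-library and google-http-client-gson are already on the classpath; the class name `TokenInspector` and the `expectedUser` parameter are mine.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.auth.oauth2.GoogleCredentials;

public final class TokenInspector {
    private static final String TOKENINFO = "https://oauth2.googleapis.com/tokeninfo";

    /** Asks Google what the credentials' current access token carries; null if the token is rejected. */
    public static GenericJson inspect(GoogleCredentials credentials) throws Exception {
        credentials.refreshIfExpired();
        String token = credentials.getAccessToken().getTokenValue();
        // Send the token in the POST body, not the query string, so it stays out of proxy and server logs.
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKENINFO))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(
                "access_token=" + URLEncoder.encode(token, StandardCharsets.UTF_8)))
            .build();
        HttpResponse<String> response =
            HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            System.err.println("tokeninfo rejected the token: HTTP " + response.statusCode());
            return null;
        }
        return GsonFactory.getDefaultInstance().fromString(response.body(), GenericJson.class);
    }

    /** A token that acts as the Workspace user reports that user's address in "email" (claim present only
     *  when an email scope such as .../auth/userinfo.email was requested); a token that merely impersonates
     *  the service account reports the service account instead. */
    public static void report(GoogleCredentials credentials, String expectedUser) throws Exception {
        GenericJson info = inspect(credentials);
        if (info == null) return;
        System.out.println("scope = " + info.get("scope"));
        Object email = info.get("email");
        if (email == null) {
            System.out.println("No email claim: request userinfo.email as well to see which principal this is.");
        } else if (expectedUser.equalsIgnoreCase(email.toString())) {
            System.out.println("Token acts as the delegated user " + email);
        } else {
            System.out.println("Token acts as " + email + ", not " + expectedUser + ": delegation did not apply.");
        }
    }
}
```

Call `TokenInspector.report(targetCredentials, userWorkspace)` right after `targetCredentials.refresh()` and once more with the privileged service account's own credentials; the two outputs show whether the impersonated token ever carried the delegated user.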