I want to download mailbox by using the Admin SDK, but I can't get it working. I can't find what's the Scope I need to define. I'm using a service account.
In order to prepare a download, you have to do a POST request to https://apps-apis.google.com/a/feeds/compliance/audit/mail/export/{domain name}/{source user name}, but there is no audit.mail scope or something like that.
Here is my request:
<?php
$client = new \Google_Client();
$cred = new \Google_Auth_AssertionCredentials(
'***@developer.gserviceaccount.com',
array(
'https://apps-apis.google.com/a/feeds/compliance/audit',
),
file_get_contents($path)
);
$client->setAssertionCredentials($cred);
if($client->getAuth()->isAccessTokenExpired()) {
$client->getAuth()->refreshTokenWithAssertion($cred);
}
$url = "https://apps-apis.google.com/a/feeds/compliance/audit/publickey/" . $domain;
$req = new \Google_Http_Request($url, 'POST');
$req->setPostBody($xml);
$token = json_decode($client->getAccessToken(), true);
$req->setRequestHeaders(
array(
'Content-Type'=> 'application/atom+xml; charset=utf-8',
'Authorization'=> 'Bearer ' . $token['access_token'] . '',
)
);?>
But I get a 403 error: You are not authorized to access this API..
What's the best way to download a mailbox using the PHP API with a service account?
The email audit api scope is: https://apps-apis.google.com/a/feeds/compliance/audit/
Did you grant third party client access in your admin console for your service account with the appropriate scope? The scope setting have to be set within your code and also in admin console.
Here is complete instruction on how to correctly set up a service account (the example is in drive, so you should change the scope for email audit api in your case)
https://developers.google.com/drive/web/delegation
Make sure you complete the steps for 'Delegate domain-wide authority to your service account'.
Finally, if you take a look at the PHP code sample, you can see that you will need the scope, the user you are trying to impersonate and your service account.