Trying to access GSuite Admin account users gives '401 - Login required'

Question

I have setup a new project to access my GSuite account users. When I run my code it gives 401 - 'Login required'.

I have granted 'Domain wide authority' to the account with the required scopes.

The code that I am using is:

def authorize
  authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
    json_key_io: File.open('path-to-file.json'),
    scope: "https://www.googleapis.com/auth/admin.directory.user.readonly")
  authorizer.sub = 'GSuite admin email'
  authorizer.fetch_access_token!
end

service = Google::Apis::AdminDirectoryV1::DirectoryService.new
service.authorization = authorize
response = service.list_users

The project is setup on my personal google developer account.

Any ideas why this is happening and how I can fix it?

Answer 1

Are your running on windows? Do you have Ruby 2? I think you are using old code.

# Copyright 2018 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# [START admin_sdk_directory_quickstart]
require "google/apis/admin_directory_v1"
require "googleauth"
require "googleauth/stores/file_token_store"
require "fileutils"

OOB_URI = "urn:ietf:wg:oauth:2.0:oob".freeze
APPLICATION_NAME = "Directory API Ruby Quickstart".freeze
CREDENTIALS_PATH = "credentials.json".freeze
# The file token.yaml stores the user's access and refresh tokens, and is
# created automatically when the authorization flow completes for the first
# time.
TOKEN_PATH = "token.yaml".freeze
SCOPE = Google::Apis::AdminDirectoryV1::AUTH_ADMIN_DIRECTORY_USER_READONLY

##
# Ensure valid credentials, either by restoring from the saved credentials
# files or intitiating an OAuth2 authorization. If authorization is required,
# the user's default browser will be launched to approve the request.
#
# @return [Google::Auth::UserRefreshCredentials] OAuth2 credentials
def authorize
  client_id = Google::Auth::ClientId.from_file CREDENTIALS_PATH
  token_store = Google::Auth::Stores::FileTokenStore.new file: TOKEN_PATH
  authorizer = Google::Auth::UserAuthorizer.new client_id, SCOPE, token_store
  user_id = "default"
  credentials = authorizer.get_credentials user_id
  if credentials.nil?
    url = authorizer.get_authorization_url base_url: OOB_URI
    puts "Open the following URL in the browser and enter the " \
         "resulting code after authorization:\n" + url
    code = gets
    credentials = authorizer.get_and_store_credentials_from_code(
      user_id: user_id, code: code, base_url: OOB_URI
    )
  end
  credentials
end


# Initialize the API
service = Google::Apis::AdminDirectoryV1::DirectoryService.new
service.client_options.application_name = APPLICATION_NAME
service.authorization = authorize
# List the first 10 users in the domain
response = service.list_users(customer:    "my_customer",
                              max_results: 10,
                              order_by:    "email")
puts "Users:"
puts "No users found" if response.users.empty?
response.users.each { |user| puts "- #{user.primary_email} (#{user.name.full_name})" }
# [END admin_sdk_directory_quickstart]

link for code

Answer 2

I don't see list_users in the method list, but only a 'list'

What about such code:

require 'google/apis/admin_directory_v1'

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open(key_file_location),
  scope: 'https://www.googleapis.com/auth/admin.directory.user.readonly'
)

authorizer.sub = acting_admin_email 
authorizer.fetch_access_token!
directory_service = Google::Apis::AdminDirectoryV1::DirectoryService.new
directory_service.authorization = authorizer
user_list = directory_service.list

The changes are that the directory_service.authorization = authorizer and using list instead of user_list.