
c# - Google Directory API - 403 [Not Authorized to access this resourceapi] for Method: roles.list - Stack Overflow



I am using Google Directory API .NET Client to fetch a list of roles in a domain (https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles/list).

I use a service account to authenticate on behalf of a user to create the Directory Service. Here is my code:

using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

// connectionDetails (service-account e-mail, private key, user to impersonate)
// and scopes are loaded elsewhere in the application.
var initializer = new BaseClientService.Initializer
{
    ApplicationName = "GoogleConnector",
    HttpClientInitializer = new ServiceAccountCredential(
        new ServiceAccountCredential.Initializer(connectionDetails.ClientEmail)
        {
            User = connectionDetails.UserId,   // Workspace user the service account impersonates
            Scopes = scopes                    // must be a subset of the domain-wide delegation scopes
        }.FromPrivateKey(connectionDetails.PrivateKey)
    )
};

var service = new DirectoryService(initializer);
var roles = await service.Roles.List("my_customer").ExecuteAsync();

Now, it works fine without any issues when the user being used for impersonation has a Super Admin role assigned to it. However, providing a Super Admin role to this user is not feasible. When I remove the Super Admin role and assign the following roles:

  1. User Management
  2. Groups Reader
  3. Service Admin

Also, the following request scopes have been added:

  • https://www.googleapis.com/auth/admin.directory.rolemanagement
  • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

The API starts failing with the error below:

Not Authorized to access this resource/api [403]
Errors [
    Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]

EDIT (after the comment about missing delegation to a domain user)

I have provided domain-wide delegation to the client application (since I am using a service account, following the guide) with all the required scopes:

Also, all other APIs work fine. I am using the groups.list and users.list methods without any issues. Those return the results as usual.

The issue only is with the roles.list method.

Any help is appreciated.

asked Nov 20, 2024 at 15:10 by Nolik; edited Nov 22, 2024 at 16:20 by Linda Lawton - DaImTo
  • Can you share in your post the scopes that you used? May I confirm if you used these two: https://www.googleapis.com/auth/admin.directory.rolemanagement and https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly (based on the article)? – Gyul, Nov 20, 2024 at 17:29
  • Thank you @Gyul. Those scopes have been added. I will include it in my question. – Nolik, Nov 21, 2024 at 9:11
  • You are missing delegation to a domain user. – Linda Lawton - DaImTo, Nov 21, 2024 at 19:59
  • Thanks, @LindaLawton-DaImTo, I've tried it (but unfortunately the result is the same =/). The original post has been updated. – Nolik, Nov 22, 2024 at 11:18
  • Try the sample I posted. – Linda Lawton - DaImTo, Nov 22, 2024 at 16:18

1 Answer


You need to pass the full credentials.json as well as an admin user with access. This is my sample for creating a user; you should just be able to change the scope and the method it calls.

using System;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

Console.WriteLine("Hello, Google Calendar Workspace sample!");

// Scope(s) to request. For roles.list swap in
// DirectoryService.Scope.AdminDirectoryRolemanagementReadonly (or AdminDirectoryRolemanagement).
// Every scope requested here must also be authorised for the service account's
// client ID under domain-wide delegation in the Admin console.
var scopes = new[] { DirectoryService.Scope.AdminDirectoryUser };

// Workspace user to impersonate; this user's admin role is what the API checks.
const string workspaceAdmin = "[email protected]";

// Full service-account key file (client_email, private_key, token_uri, ...).
const string credentials = @"C:\Development\Credentials\workspaceserviceaccount.json";

var credential = GoogleCredential.FromFile(credentials)
    .CreateScoped(scopes)
    .CreateWithUser(workspaceAdmin);

var services = new DirectoryService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
});

var request = services.Users.List();
request.Customer = "my_customer";
request.MaxResults = 10;
request.OrderBy = UsersResource.ListRequest.OrderByEnum.Email;

var results = request.Execute();

// UsersValue is null when the response carries no users at all.
var users = results.UsersValue;

if (users == null || users.Count == 0)
{
    Console.WriteLine("No Users");
    return;
}

Console.WriteLine("Users:");
foreach (var user in users)
{
    Console.WriteLine($"{user.PrimaryEmail} ({user.Name.FullName})");
}
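As an added example (not code from the question or the answer above), the following diagnostic runs users.list and roles.list under the same impersonated user and separates the two ways such a call can fail. A TokenResponseException is raised at the token exchange, before any Directory request is sent, and means the service account's client ID is not authorised for one of the requested scopes under domain-wide delegation (or the impersonated user does not exist). A GoogleApiException with HTTP 403 after a token was issued means delegation and scopes were accepted and the Directory API itself refused the call for that user, which is the symptom in the question and points at the impersonated user's admin privileges rather than at delegation. The key path and admin address are placeholders, and the read-only scopes are chosen deliberately so the impersonated user is granted no more than the two list calls need.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Google;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Services;

// Placeholders (assumptions): path to the service-account JSON key and the
// Workspace admin user the service account impersonates.
const string KeyPath = @"C:\path\to\service-account.json";
const string WorkspaceAdmin = "delegated-admin@example.com";

// Least privilege: request only the read-only scopes these two calls need.
// Each of them must also be listed for this client ID under
// Admin console > Security > Access and data control > API controls > Domain-wide delegation.
var scopes = new[]
{
    DirectoryService.Scope.AdminDirectoryUserReadonly,
    DirectoryService.Scope.AdminDirectoryRolemanagementReadonly,
};

var credential = GoogleCredential.FromFile(KeyPath)
    .CreateScoped(scopes)
    .CreateWithUser(WorkspaceAdmin);

var service = new DirectoryService(new BaseClientService.Initializer
{
    HttpClientInitializer = credential,
    ApplicationName = "GoogleConnector-diagnostic",
});

// Same credential, two methods: if users.list succeeds and roles.list returns
// 403, the token (and therefore delegation) is fine and the difference lies in
// the privileges of the impersonated user's admin role.
await Probe("users.list", async () =>
{
    var req = service.Users.List();
    req.Customer = "my_customer";
    req.MaxResults = 1;
    var res = await req.ExecuteAsync();
    return $"{res.UsersValue?.Count ?? 0} user(s)";
});

await Probe("roles.list", async () =>
{
    var req = service.Roles.List("my_customer");
    req.MaxResults = 100;
    var res = await req.ExecuteAsync();
    return $"{res.Items?.Count ?? 0} role(s)";
});

async Task Probe(string name, Func<Task<string>> call)
{
    try
    {
        Console.WriteLine($"{name}: OK ({await call()})");
    }
    catch (TokenResponseException ex)
    {
        // Failed before any Directory call: the JWT-to-token exchange was
        // rejected. Typically the client ID is not authorised for one of the
        // requested scopes, or the impersonated user is unknown in the domain.
        Console.WriteLine($"{name}: delegation problem: {ex.Error?.Error} {ex.Error?.ErrorDescription}");
    }
    catch (GoogleApiException ex) when (ex.HttpStatusCode == HttpStatusCode.Forbidden)
    {
        // A token was issued, so scopes and delegation were accepted; the API
        // refused the call for this user. Check the admin role assigned to
        // WorkspaceAdmin against the privilege this method requires.
        Console.WriteLine($"{name}: 403 for {WorkspaceAdmin}: {ex.Message}");
    }
}
```

Run it once with the Super Admin user from the question and once with the reduced-role user: the first run should report both calls OK, the second should report users.list OK and roles.list as a 403, confirming that the remaining gap is an admin-role privilege and not a missing delegation scope.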