1. 技术文章
  2. Accessing Google Reseller API using Service Accounts

Accessing Google Reseller API using Service Accounts

倾然丶 夕夏残阳落幕 提交于 2019-12-24 03:05:54

问题


We are having issues accessing the reseller api using service accounts. The example with client secrets work well, but we would need to deploy this in k8s (Kubernetes Engine) without the need to refresh the oauth session on a recurring basis (especially doing this once, as it is kinda hard in a docker container).

While there is a lot of documentation on how to do this with python we could not find any way of getting access using a service account.

We tried two accounts, the default compute engine one and one created directly for our use case. Both got the reseller scope in G Suite.

    https://www.googleapis.com/auth/apps.order,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/siteverification,

We keep getting "googleapi: Error 403: Authenticated user is not authorized to perform this action., insufficientPermissions" errors though when using

    client, err = google.DefaultClient(ctx, reseller.AppsOrderScope)
    if err != nil {
        log.Fatal("creating oauth client failed", zap.Error(err))
    }
    subs, err := client.Subscriptions.List().Do()
    if err != nil {
        log.Fatal("listing subscriptions failed", zap.Error(err))
    }

I read on a post on StackOverflow, that the Reseller API requires user impersonation but searching on this throughout Google and the oauth2 and client lib repos did not result in a way to do this. Python does this like described in the End-to-End Tutorial

    credentials = ServiceAccountCredentials.from_json_keyfile_name(
        JSON_PRIVATE_KEY_FILE, 
    OAUTH2_SCOPES).create_delegated(RESELLER_ADMIN_USER)

but for Go i could not find any documented way of doing this.


回答1:


So few points here:

  • Reseller API only requires impersonation / domain-wide delegation when using a service account. In other words, the service account itself has no rights to call the API directly but it does have the ability to impersonate a reseller user (e.g. admin@reseller.example.com or such) who has rights to call the Reseller API.
  • You may be able to use regular 3-legged OAuth instead of a service account. You just need to make sure you request offline access so that you get a refresh token that is long lived.
  • Impersonation / domain-wide delegation is not compatible with the default service accounts built-in to AppEngine and ComputeEngine. You must use a service account you created in your API project.

See if the samples Google provides get you where you need to be.




回答2:


The problem was resolved by using a different config and then setting the jwt.Subject which apparently does impersonation:

const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
if filename := os.Getenv(envVar); filename != "" {
    serviceAccount, err := ioutil.ReadFile(filename)
    if err != nil {
        log.Fatal("creating oauth client failed", zap.Error(err))
    }
    config, err := google.JWTConfigFromJSON(serviceAccount,
        reseller.AppsOrderScope,
    )

    config.Subject = *impersonationUser // like user@google.com
    client = config.Client(ctx)
}


来源:https://stackoverflow.com/questions/50029586/accessing-google-reseller-api-using-service-accounts

标签
go
google-admin-sdk
google-reseller-api
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!