I need to list all users, using a service account with domain-wide delegation.
I got as far as this, which works perfectly:
from googleapiclient import discovery
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_info(
service_account_info,
scopes=("https://www.googleapis.com/auth/admin.directory.user.readonly", ),
)
service = discovery.build(
'admin',
'directory_v1',
credentials=credentials.with_subject('[email protected]'),
)
users = service.users().list(customer='my_customer').execute()
Except in reality, I don’t know always the admin email, [email protected]
. And without the .with_subject('[email protected]')
, the API call always fails with:
service = discovery.build('admin', 'directory_v1', credentials=credentials) # <=== no with_subject()
users = service.users().list(customer='my_customer').execute()
HttpError: <HttpError 400 when requesting https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&alt=json returned "Invalid Input". Details: "[{'message': 'Invalid Input', 'domain': 'global', 'reason': 'invalid'}]">
I.e. the API returns 400: Invalid Input
.
How do I list users without knowing the users? How do I tell the google API “impersonate whichever user has access to the list users API”? Or how do I add that “list users” permission to the service account itself, if such thing exists?