google-auth-library-ruby: Service account with subject unauthorized

@chris2x - Got it! Thanks for the response. For those that maybe stumble upon this, I eventually figured out my problem.

When I was authorizing the API client in Admin console, I was entering the “Service account ID”, in my case: “REDACTED-320@gsuite-REDACTED.iam.gserviceaccount.com”. Although this appears to work - the correct numerical ID appears (as shown in screenshot) - I was getting 401 errors.

However, when I entered the “client_id” from my private key file, in my case a number ending in 0381, and used the same scope, THEN I could authenticate successfully.

It’s frustrating that entering the service account id didn’t throw an error.

You’re welcome, I’m happy to try and render assistance. I’m not an actual contibutor though, and unfortunately have not really been through the codebase yet. By the way, you can use markdown to get your code-blocks more readable by pasting your code between three backticks: ```

Your error message is the exact same I got for three days before overcoming this obstacle. In my case it was because I had not set the sub property to an email that’s an actual super admin in the Google organization.

My configuration: In console.developers.google.com, logged in as an admin for the organization

• Enable the Admin SDK
• In IAM & Admin area, create a service account. If you don’t have a project yet, the UI should guide you through creating one. Remember to check the Domain-wide Delegation on for the service account. After creating, copy down the Service Account ID visible in the Service Accounts view.
• In Apis & Services area, select credentials and create service account key for the service account you just created. Download the private key file.

In admin.google.com

• Security - Api Reference: Check the “Enable API access” checkbox
• Security - Advanced settings - Authentication: Follow the “Manage API client access link”. In the next view, the client name is the Service Account ID you copied down earlier. The scope is the scope you’re using in your code.

Those are the configuration steps I’ve had to take to get this gem working. You don’t have to authorize a real user email with the service account, since the service account is the one that pretends to be someone else. There’s an article on how they work at: https://cloud.google.com/iam/docs/understanding-service-accounts

Earth to Google. We love your products and APIs and want them to prevail. Please update your docs and UI for ManageOauthClients (AdminHome#OGX:ManageOauthClients).

Example: www.example.com
How could anybody misinterpret this as anything but a string of digits?

Given how popular Google APIs are, this is likely costing countless hours and headaches while disillusioning thousands of developers globally every month.

It’s been over a year since @hinchy spelled this one out. A satisfactory solution would be as little as returning an error when an invalid “Client Name” is submitted. For extra credit, the UI and docs could be updated to be more consistent.

Thanks in advance!

The error message would suggest that maybe you have not authorized your service account for the scope? Please check your Admin console -> security -> advanced settings and make sure your service account id has your scopes authorized.

Thanks @salunn. Took me some time too and documented with some keywords here now: https://medium.com/@yclian/gotchas-api-access-to-google-admin-sdk-4cf5ed49540

I resolved my issue by removing all others types of credentials for the app in question (no oauth, just service account).

I was running into issues using the service account as well but I got it working with this bit of code. Please note that I was using the google-api-ruby-client to insert new users.

require 'google/apis/admin_directory_v1' . # this has to be required before you create the authorizer

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open(key_file_location),
  scope: 'https://www.googleapis.com/auth/admin.directory.user'
)
authorizer.sub = acting_admin_email 
authorizer.fetch_access_token!
directory = Google::Apis::AdminDirectoryV1::DirectoryService.new
directory.authorization = authorizer

# you have to wrap the user_params into the google user object otherwise the request will fail from # a bad json format

directory.insert_user(Google::Apis::AdminDirectoryV1::User.new(user_params))

# for reference my user params were structured like this
def user_params
    {
      kind: "admin#directory#user", 
      agreed_to_terms: true,
      is_admin: false,
      primary_email: primay_email,
      password: password,
      name: {
        full_name: full_name,
        family_name: last_name,
        given_name: first_name
      },
      phones: [
        {
          primary: true,
          type: "work",
          value: phone
        }
      ],
    }
  end

The only answer you need to save 4 hours troubleshooting time https://github.com/googleapis/google-auth-library-ruby/issues/123#issuecomment-371745457

I had an issue when I try to switch app from OAuth 2.0 Client IDs to Service Accounts. The problem was exactly that not all Scopes requested from Application were added into allowed scopes for Google Workspace Admin console.

Thank you @salunn!