Commit 63dd22b3 authored by Robin Goodall
make admin_user optional

parent efbfbbc9
1 merge request: !12 Admin user optional
Pipeline #47016 passed
......@@ -75,7 +75,21 @@ This tool requires the following OAuth2 scopes to actually perform changes:
See the section on preparing a service account for information on how to grant a
service account those scopes on your domain.
## Preparing a service account
## Preparing a service account (Admin Roles)
Google have [updated the API](https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html)
to allow service accounts direct access to the API without needing domain-wide delegation.
1. Create a service account in the Google Console for this script.
2. Generate and download JSON credentials for the service account.
3. In the GSuite admin panel, go to "Account" > "Admin Roles" and create a new
custom role with the following Admin **API** privileges (not Console privileges):
* Users - Create, Read, Update and Update Custom Attributes
* Groups - All privileges
4. Add the service account to the role using the "Assign service accounts" option
when viewing the custom role's admins
## Preparing a service account (Domain-wide Delegation)
This tool assumes it will be acting as a service account user. It will use this
service account user to then act on behalf of an admin user in GSuite. To
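Review bot: the new "Preparing a service account (Admin Roles)" steps 1-4 never tell the reader that `admin_user` must be left null in the configuration for this mode; that fact only appears in the config comment in a later file. Suggest closing the list with a sentence along the lines of "When using an Admin Role, leave `admin_user` unset (null) so the tool does not attempt to impersonate a user." Also, "Groups - All privileges" is noticeably broader than the enumerated Users privileges; if the tool's listed OAuth2 scopes only need a subset of group privileges, enumerate those the same way so the custom role stays least-privilege. Minor: this heading spells it "Domain-wide Delegation" while the config and code comments in the same commit use "Domain-Wide Delegation".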
......@@ -88,8 +102,8 @@ prepare such a service account user:
Delegation". Click "Save" to apply the changes.
4. Hover over the "?" symbol next to the generated client id and click "view
client". Copy the Client ID from the popup panel.
5. In the GSuite admin panel, go to "Security Settings" > "Advanced Settings" >
"Manage API client access".
5. In the GSuite admin panel, go to "Security Settings" > "API Controls" >
"Manage Domain-Wide Delegation", and click "Add new".
6. Paste in the service account Client ID as "Client Name" and add a
comma-separated list of scopes. See the section on required API scopes.
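Review bot: step 5 was updated to the new admin console path ("API Controls" > "Manage Domain-Wide Delegation", "Add new"), but step 6 still instructs the reader to paste the Client ID into a field called "Client Name". Please confirm that label against the new page and update step 6 in the same change, otherwise the two steps describe different UIs.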
......@@ -190,10 +190,14 @@ google_domain:
# Name of the domain.
name: 'example.com'
# Username within the GSuite for the user which has administration rights.
# If using a service account with Domain-Wide Delegation, set to the username
# within the GSuite for the user which has administration rights.
# Should be an e-mail style name. E.g. "super-admin@example.com". The service
# account credentials specified in the google_api.auth section are used to
# perform admin actions as this user.
# If not using Domain-Wide Delegation (i.e. using an Admin Role with the
# service account as a member), use null.
# Default: null
admin_user: 'super-admin@example.com'
# Secondary domain or domain alias for groups. If null, the value of "name"
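Review bot: the comment now says "Default: null" and explains the Admin Role case, yet the example keeps `admin_user: 'super-admin@example.com'` as the only illustration. Consider showing both forms, e.g. a commented-out `# admin_user: null  # when using an Admin Role` directly under the existing line, so someone copying the sample config for the Admin Roles path does not inherit a delegation setting by accident.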
......@@ -17,10 +17,14 @@ class Configuration(ConfigurationDataclassMixin):
# Name of the domain. (E.g. "example.com".)
name: str
# Username within the GSuite for the user which has administration rights. Should be an e-mail
# style name. E.g. "super-admin@example.com". The service account credentials specified in the
# google_api.auth section are used to perform admin actions as this user.
admin_user: str
# If using a service account with Domain-Wide Delegation, set to the username
# within the GSuite for the user which has administration rights.
# Should be an e-mail style name. E.g. "super-admin@example.com". The service
# account credentials specified in the google_api.auth section are used to
# perform admin actions as this user.
# If not using Domain-Wide Delegation (i.e. using an Admin Role with the
# service account as a member), use null.
admin_user: str = None
# Secondary domain or domain alias for groups. If None, the value of "name" is used.
# Default: None
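Review bot: `admin_user: str = None` gives a field whose default is not a `str`; annotate it as `Optional[str] = None` (from `typing`) so type checkers and the dataclass mixin see the intended nullable type. The comment copied from the YAML also says "use null" where the Python-side value is `None`, as the neighbouring "Default: None" line already puts it.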
......@@ -107,8 +107,10 @@ def sync(configuration, *, read_only=True):
creds = (
gapi_auth_config.load_credentials(read_only=read_only)
.with_scopes(READ_ONLY_SCOPES + ([] if read_only else WRITE_SCOPES))
.with_subject(gapi_domain_config.admin_user)
)
# Use admin_user if using service account with Domain-Wide Delegation
if gapi_domain_config.admin_user:
creds = creds.with_subject(gapi_domain_config.admin_user)
# Secondary domain for Google groups that come from Lookup groups
groups_domain = (
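Review bot: the `if gapi_domain_config.admin_user:` branch silently chooses between impersonating an admin and acting as the bare service account; when `admin_user` is null but the service account has not actually been added to an Admin Role, the misconfiguration only surfaces later as an API permission error. Suggest logging which mode was selected at this point (for example "acting as <admin_user> via Domain-Wide Delegation" versus "acting directly as the service account") so operators can tell the two failure cases apart, and note that the truthiness test also treats an empty string as "no delegation", which may be worth an explicit `is not None` check.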