make admin_user optional

README.md

@@ -75,7 +75,21 @@ This tool requires the following OAuth2 scopes to actually perform changes:
 See the section on preparing a service account for information on how to grant a
 service account those scopes on your domain.
 
-## Preparing a service account
+## Preparing a service account (Admin Roles)
+
+Google have [updated the API](https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html)
+to allow service accounts direct access to the API without needing domain-wide delegation.
+
+1. Create a service account in the Google Console for this script.
+2. Generate and download JSON credentials for the service account.
+3. In the GSuite admin panel, go to "Account" > "Admin Roles" and create a new
+custom role with the following Admin **API** privileges (not Console privileges):
+   * Users - Create, Read, Update and Update Custom Attributes
+   * Groups - All privileges
+4. Add the service account to the role using the "Assign service accounts" option
+when viewing the custom role's admins
+
+## Preparing a service account (Domain-wide Delegation)
 
 This tool assumes it will be acting as a service account user. It will use this
 service account user to then act on behalf of an admin user in GSuite. To
@@ -88,8 +102,8 @@ prepare such a service account user:
    Delegation". Click "Save" to apply the changes.
 4. Hover over the "?" symbol next to the generated client id and click "view
    client". Copy the Client ID from the popup panel.
-5. In the GSuite admin panel, go to "Security Settings" > "Advanced Settings" >
-   "Manage API client access".
+5. In the GSuite admin panel, go to "Security Settings" > "API Controls" >
+   "Manage Domain-Wide Delegation", and click "Add new".
 6. Paste in the service account Client ID as "Client Name" and add a
    comma-separated list of scopes. See the section on required API scopes.
 

configuration-example.yaml

@@ -190,10 +190,14 @@ google_domain:
   # Name of the domain.
   name: 'example.com'
 
-  # Username within the GSuite for the user which has administration rights.
+  # If using a service account with Domain-Wide Delegation, set to the username
+  # within the GSuite for the user which has administration rights.
   # Should be an e-mail style name. E.g. "super-admin@example.com". The service
   # account credentials specified in the google_api.auth section are used to
   # perform admin actions as this user.
+  # If not using Domain-Wide Delegation (i.e. using an Admin Role with the
+  # service account as a member), use null.
+  # Default: null
   admin_user: 'super-admin@example.com'
 
   # Secondary domain or domain alias for groups. If null, the value of "name"

gsuitesync/gapidomain.py

@@ -17,10 +17,14 @@ class Configuration(ConfigurationDataclassMixin):
     # Name of the domain. (E.g. "example.com".)
     name: str
 
-    # Username within the GSuite for the user which has administration rights. Should be an e-mail
-    # style name. E.g. "super-admin@example.com". The service account credentials specified in the
-    # google_api.auth section are used to perform admin actions as this user.
-    admin_user: str
+    # If using a service account with Domain-Wide Delegation, set to the username
+    # within the GSuite for the user which has administration rights.
+    # Should be an e-mail style name. E.g. "super-admin@example.com". The service
+    # account credentials specified in the google_api.auth section are used to
+    # perform admin actions as this user.
+    # If not using Domain-Wide Delegation (i.e. using an Admin Role with the
+    # service account as a member), use null.
+    admin_user: str = None
 
     # Secondary domain or domain alias for groups. If None, the value of "name" is used.
     # Default: None

gsuitesync/sync.py

@@ -107,8 +107,10 @@ def sync(configuration, *, read_only=True):
     creds = (
         gapi_auth_config.load_credentials(read_only=read_only)
         .with_scopes(READ_ONLY_SCOPES + ([] if read_only else WRITE_SCOPES))
-        .with_subject(gapi_domain_config.admin_user)
     )
+    # Use admin_user if using service account with Domain-Wide Delegation
+    if gapi_domain_config.admin_user:
+        creds = creds.with_subject(gapi_domain_config.admin_user)
 
     # Secondary domain for Google groups that come from Lookup groups
     groups_domain = (