Directory Synchronisation Tool

Commit 63dd22b3, authored 4 years ago by Robin Goodall
make admin_user optional
Parent: efbfbbc9
Merge request: !12 "Admin user optional"
Pipeline #47016 passed 4 years ago (stages: build, test)
Showing 4 changed files with 33 additions and 9 deletions:
README.md (+17 −3)
configuration-example.yaml (+5 −1)
gsuitesync/gapidomain.py (+8 −4)
gsuitesync/sync.py (+3 −1)
README.md (+17 −3)
@@ -75,7 +75,21 @@ This tool requires the following OAuth2 scopes to actually perform changes:
See the section on preparing a service account for information on how to grant a
service account those scopes on your domain.
## Preparing a service account
## Preparing a service account (Admin Roles)
Google have
[
updated the API
](
https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html
)
to allow service accounts direct access to the API without needing domain-wide delegation.
1.
Create a service account in the Google Console for this script.
2.
Generate and download JSON credentials for the service account.
3.
In the GSuite admin panel, go to "Account" > "Admin Roles" and create a new
custom role with the following Admin
**API**
privileges (not Console privileges):
*
Users - Create, Read, Update and Update Custom Attributes
*
Groups - All privileges
4.
Add the service account to the role using the "Assign service accounts" option
when viewing the custom role's admins
## Preparing a service account (Domain-wide Delegation)
This tool assumes it will be acting as a service account user. It will use this
service account user to then act on behalf of an admin user in GSuite. To
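Review bot: the new "Admin Roles" section never says how this choice shows up in the configuration: a reader who follows steps 1 to 4 still has to know that `admin_user` must be left unset (null) so the tool does not try to impersonate anyone, while the "Domain-wide Delegation" path below requires it. Add one sentence after step 4 pointing at `admin_user` in the configuration. Step 3 also grants "Groups - All privileges", the widest group privilege set the role can carry; stating which group operations the tool actually performs would let an admin confirm the custom role is no broader than the write scopes listed above, since the role is bound to a service account whose downloaded JSON key (step 2) is long-lived.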
@@ -88,8 +102,8 @@ prepare such a service account user:
Delegation". Click "Save" to apply the changes.
4.
Hover over the "?" symbol next to the generated client id and click "view
client". Copy the Client ID from the popup panel.
5.
In the GSuite admin panel, go to "Security Settings" > "A
dvanced Setting
s" >
"Manage
API client access
".
5.
In the GSuite admin panel, go to "Security Settings" > "A
PI Control
s" >
"Manage
Domain-Wide Delegation", and click "Add new
".
6.
Paste in the service account Client ID as "Client Name" and add a
comma-separated list of scopes. See the section on required API scopes.
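Review bot: minor style point on the renumbered steps: the heading added in the previous hunk spells the term "Domain-wide Delegation" while step 5 here and the configuration comments use "Domain-Wide Delegation"; pick one so the term is searchable. Step 6 could also say that the scope list pasted into "Manage Domain-Wide Delegation" should be exactly the set from the required API scopes section and nothing more, because delegation grants the service account those scopes for every user in the domain, not only the admin it will impersonate.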
configuration-example.yaml (+5 −1)
@@ -190,10 +190,14 @@ google_domain:
# Name of the domain.
name
:
'
example.com'
# Username within the GSuite for the user which has administration rights.
# If using a service account with Domain-Wide Delegation, set to the username
# within the GSuite for the user which has administration rights.
# Should be an e-mail style name. E.g. "super-admin@example.com". The service
# account credentials specified in the google_api.auth section are used to
# perform admin actions as this user.
# If not using Domain-Wide Delegation (i.e. using an Admin Role with the
# service account as a member), use null.
# Default: null
admin_user
:
'
super-admin@example.com'
# Secondary domain or domain alias for groups. If null, the value of "name"
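Review bot: the comment now documents `null` as the default, but the example value stays `admin_user: 'super-admin@example.com'`, so anyone who copies this file for the Admin Roles path gets impersonation switched on without noticing. Consider showing both forms, e.g. keep the delegated example and add `# admin_user: null  # Admin Roles path` on its own line, so the two supported configurations are visible side by side.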
gsuitesync/gapidomain.py (+8 −4)
@@ -17,10 +17,14 @@ class Configuration(ConfigurationDataclassMixin):
# Name of the domain. (E.g. "example.com".)
name
:
str
# Username within the GSuite for the user which has administration rights. Should be an e-mail
# style name. E.g. "super-admin@example.com". The service account credentials specified in the
# google_api.auth section are used to perform admin actions as this user.
admin_user
:
str
# If using a service account with Domain-Wide Delegation, set to the username
# within the GSuite for the user which has administration rights.
# Should be an e-mail style name. E.g. "super-admin@example.com". The service
# account credentials specified in the google_api.auth section are used to
# perform admin actions as this user.
# If not using Domain-Wide Delegation (i.e. using an Admin Role with the
# service account as a member), use null.
admin_user
:
str
=
None
# Secondary domain or domain alias for groups. If None, the value of "name" is used.
# Default: None
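Review bot: `admin_user: str = None` should be annotated `Optional[str]` (from `typing`) now that `None` is a legitimate value; as written, the dataclass mixin and any type checker see a `str` field holding `None`. The comment should also say `None` rather than `null` on this side, since `null` is the YAML spelling and this is the Python dataclass. Giving this field a default also means every field declared after it in the class must have one too; the following "Default: None" comment suggests that already holds, but it is worth checking the rest of the class.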
gsuitesync/sync.py (+3 −1)
@@ -107,8 +107,10 @@ def sync(configuration, *, read_only=True):
creds
=
(
gapi_auth_config
.
load_credentials
(
read_only
=
read_only
)
.
with_scopes
(
READ_ONLY_SCOPES
+
([]
if
read_only
else
WRITE_SCOPES
))
.
with_subject
(
gapi_domain_config
.
admin_user
)
)
# Use admin_user if using service account with Domain-Wide Delegation
if
gapi_domain_config
.
admin_user
:
creds
=
creds
.
with_subject
(
gapi_domain_config
.
admin_user
)
# Secondary domain for Google groups that come from Lookup groups
groups_domain
=
(
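Review bot: the conditional `with_subject` is correct, but nothing records which identity the credentials will act as; add a log line in both cases (impersonating `admin_user` vs. acting as the service account itself) so an operator reading the run log, or correlating it with the Google admin audit log, can tell which path was taken. With `admin_user` unset, a service account that was never actually assigned the custom Admin Role only fails as an authorization error on the first API call, so a short comment or error hint pointing at the README's Admin Roles section would save debugging time.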