Stuck Getting Started with GAM - Some scopes failed!

Schemetric

Apr 2, 2017, 1:02:31 PM
to GAM for G Suite
Hi,

I'm a newbie to GAM and am having issues getting going. All seems to go well until I 

gam user <us...@domain.edu> check serviceaccount 

myself and I get

User: <us...@domain.edu>

 Scope: https://mail.google.com/                                     FAIL

 Scope: https://www.googleapis.com/auth/activity                     FAIL

 Scope: https://www.googleapis.com/auth/calendar                     FAIL

 Scope: https://www.googleapis.com/auth/drive                        FAIL

 Scope: https://www.googleapis.com/auth/gmail.settings.basic         FAIL

 Scope: https://www.googleapis.com/auth/gmail.settings.sharing       FAIL

 Scope: https://www.googleapis.com/auth/plus.me                      FAIL


I have added the following scopes for the service account specified following the above check as follows:

Email (Read/Write/Send)  https://mail.google.com/ 

Calendar (Read-Write)  https://www.googleapis.com/auth/calendar 


Not sure why I'm failing for only the above scopes. Would it not fail for all scopes and not just a few?

I'm assuming this has everything to do with the several variations of the "client_secrets.json" files in my <user>/bin/gam directory.


Also, must our domain be verified in Google's Cloud Platform Console / API Manager / Credentials / Domain Verification for GAM to work? It is not currently verified there (or in the search console).


Thanks.

Jay Lee

Apr 2, 2017, 1:04:26 PM
to google-ap...@googlegroups.com
Don't put the <> around the email address, enter just the email address. Also generally the authorization is instant but in some cases it can take up to 24 hours after you authorize the scopes in the admin console until the check serviceaccount command passes.

Jay

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/771aef4b-e3e5-465d-884f-3273d6d58a62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Schemetric

Apr 14, 2017, 4:29:10 PM
to GAM for G Suite
Hi,
The brackets around the email address were only there to indicate a placeholder address for the example when posting to this group. I did not include them when using the command line -- just the email address, like this:
gam user us...@ourdomain.edu check serviceaccount 

Jay Lee

Apr 14, 2017, 4:30:58 PM
to google-ap...@googlegroups.com
Can you post the full output of the command? What scopes pass and which fail?

Jay

Schemetric

Apr 14, 2017, 10:59:08 PM
to GAM for G Suite
On Friday, April 14, 2017 at 4:30:58 PM UTC-4, Jay Lee wrote:
> Can you post the full output of the command? What scopes pass and which fail?


Hi Jay, 
That was in my original post. Nevertheless, please find below today's attempt at getting this working completely. 
My email address and our domain have been replaced with generic examples. 
  • One thing I still don't understand is how my domain user account gets associated with the service account that is created. I do see myself listed as the owner of the project in IAM & Admin.
  • When initially creating credentials (just after creating the project and configuring consent), must I leave the default client name as "Other client 1" or can I change it to something like JADDISONGAM?
  • In the attempt below, GAM was prompting me to grant scope access for the ones that failed to a particular "Client name" which, in this case, I could not find listed anywhere in the console. 
  • Is it possible to create a GAM project that is named something other than "GAM Project"? I have created several "GAM Project" projects in my attempts to get this to work.
  • Is it possible to create the project and OAuth service account using the Google GUI and then point GAM to that project and with the pre-defined user credentials?
  • Lastly, I noticed that under the Google API Manager > Domain Verification, there are no records. Instead, there is a prompt to "Add domain" because "You need to verify domain ownership to allow webhook notifications to be sent to your external domains. Google verifies that the user owns each of the listed domains via Search Console."
Thanks for your assistance. My apologies if I'm missing something obvious.

--------------

STARTED ALL OVER 

— DELETED ALL CONSOLE PROJECTS, OAUTH USERS AND SERVICE ACCOUNTS VIA THE GOOGLE GUI

— UPDATED GAM TO 4.21


PCI1700280:~ jaddison$ gam create project


What is your G Suite admin email address? us...@ourdomain.edu


Go to the following link in your browser:


    https://goo.gl/PUcxzt


Enter verification code:


Please copy this code, switch to your application and paste it there:

4/EWz0loQL********************************ve_g5rqMgvM


Authentication successful.

Creating project "GAM Project"...

Checking project status...

 enabling API admin.googleapis.com...

 enabling API appsactivity.googleapis.com...

 enabling API calendar-json.googleapis.com...

 enabling API classroom.googleapis.com...

 enabling API contacts.googleapis.com...

 enabling API drive...

 enabling API gmail.googleapis.com...

 enabling API groupssettings.googleapis.com...

 enabling API licensing.googleapis.com...

 enabling API plus.googleapis.com...

 enabling API reseller.googleapis.com...

 enabling API siteverification.googleapis.com...

Creating Service Account

Please go to:


https://console.developers.google.com/apis/credentials?project=gam-project-um7-at1-k54


1. Click the blue "Create credentials" button. Choose "OAuth client ID".

2. Click the blue "Configure consent screen" button. Enter "GAM" for "Product name to show to users".

3. Leave other fields blank. Click "Save" button.

3. Choose "Other" and click the blue "Create" button.

4. Copy your "client ID" value.



Enter your Client ID: <see below>


Now go back to your browser and copy your client secret.

Enter your Client Secret: <see below>


OAuth Client ID:

627114968371-cdmj1***********************r.apps.googleusercontent.com


OAuth Client Secret:

Q9A**************-ryckEpH5


Almost there! Now please switch back to your browser and:


1. Click OK to close "OAuth client" popup if it's still open.

2. Click "Manage service accounts" on the right of the screen.

3. Click the 3 dots to the right of your service account.

4. Choose Edit.

5. Check the "Enable G Suite Domain-wide Delegation" box and click Save.


Press Enter when done...

That's it! Your GAM Project is created and ready to use.

PCI1700280:~ jaddison$ gam user jaddison.edu check serviceaccount

User: jaddis...@school.edu

 Scope: https://mail.google.com/                                     FAIL

 Scope: https://www.googleapis.com/auth/activity                     FAIL

 Scope: https://www.googleapis.com/auth/calendar                     FAIL

 Scope: https://www.googleapis.com/auth/drive                        FAIL

 Scope: https://www.googleapis.com/auth/gmail.settings.basic         FAIL

 Scope: https://www.googleapis.com/auth/gmail.settings.sharing       FAIL

 Scope: https://www.googleapis.com/auth/plus.me                      FAIL


ERROR: Some scopes failed! Please go to:


https://admin.google.com/school.edu/AdminHome?#OGX:ManageOauthClients


and grant Client name:


112188***********27977827


Access to scopes:


https://mail.google.com/,

https://www.googleapis.com/auth/activity,

https://www.googleapis.com/auth/calendar,

https://www.googleapis.com/auth/drive,

https://www.googleapis.com/auth/gmail.settings.basic,

https://www.googleapis.com/auth/gmail.settings.sharing,

https://www.googleapis.com/auth/plus.me



Attempting to authorize the above “Client name” in the CPanel>Security>Manage API client access screen did not seem to have any effect, although the page did display a “Your settings have been saved.” message when I hit the “Authorize” button. However, no client with that name ever displayed as having access to any scopes. 

Therefore, I tried the client ID for the GAM Project “Service account client” that was created via the process above. Still, no joy - Google said the account had not been ‘verified’ in Google (or for our domain?) 

Then I tried with the client ID for the secondary, “other” OAuth client that was created, subsequent to the service account creation. That client ID worked and I was able to authorize it for all the scopes. Still, after adding that, I got the same results. See below…


PCI1700280:~ jaddison$ gam user jaddison.edu check serviceaccount

User: jaddis...@school.edu

 Scope: https://mail.google.com/                                     FAIL

 Scope: https://www.googleapis.com/auth/activity                     FAIL

 Scope: https://www.googleapis.com/auth/calendar                     FAIL

 Scope: https://www.googleapis.com/auth/drive                        FAIL

 Scope: https://www.googleapis.com/auth/gmail.settings.basic         FAIL

 Scope: https://www.googleapis.com/auth/gmail.settings.sharing       FAIL

 Scope: https://www.googleapis.com/auth/plus.me                      FAIL


ERROR: Some scopes failed! Please go to:


https://admin.google.com/school.edu/AdminHome?#OGX:ManageOauthClients


and grant Client name:


112188***********27977827


Access to scopes:


https://mail.google.com/,

https://www.googleapis.com/auth/activity,

https://www.googleapis.com/auth/calendar,

https://www.googleapis.com/auth/drive,

https://www.googleapis.com/auth/gmail.settings.basic,

https://www.googleapis.com/auth/gmail.settings.sharing,

https://www.googleapis.com/auth/plus.me


Searching through the API Manager in console.developers.google.com, I don’t see any client name that matches the “name” (number) shown above. Could it be pulling an old client ID?  

UGGHHHHH!!!!!!


Now, when I go to “GAM Project” and click Credentials, I get the following error:

Error

Failed to load service accounts.

Tracking Number: c603787150

Send feedback

And after I clear that error pop-up, the service account is not listed and clicking on the “other” OAuth account results in a “Failed to load” error.

  

I’m wondering if that is because I trashed all the former projects, some of which were titled the same as the one I was working in, “GAM Project”, which is the default project name when creating a project from within GAM. 


I don’t understand why the “other” OAuth user is created. 



 

Schemetric

Apr 15, 2017, 7:30:13 AM
to GAM for G Suite
PS:  When I check domain info, I get the following, which confirms my suspicion that GAM is attempting to use an old OAuth client.

PCI1700280:~ jaddison$ gam info domain


ERROR: Authentication Token Error - deleted_client: The OAuth client was deleted

Schemetric

Apr 15, 2017, 8:43:16 AM
to GAM for G Suite
Last update on this... 
I restored all the projects at console.cloud.google.com.

I've searched through them, looking for a client that matches the "Client name" (1121823*********77827) GAM is prompting me to add scopes for, but can't find it anywhere...

PS: The "Client names" of all other of our "Authorized API Clients" either end in ".com" or are named after an installed third-party app. Google's "Manage API client access" interface does not seem to accept (or process?) client names that are only numeric. In fact, below the entry field for "Client name", Google shows "Example: www.example.com". Therefore, I'm confused about exactly which client "Client name" (1121823*********77827) is, which GAM tells me to authorize scope access for. 
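An added example, not part of any post in this thread and not GAM's own code: when several credential files from deleted and recreated projects sit in one directory, a read-only inventory shows which file carries the numeric "Client name" the check prints and which project each file belongs to. It assumes Google's standard JSON layouts (a service account key with `"type": "service_account"` and a numeric `client_id`; an OAuth client download wrapped in `"installed"` or `"web"`); the function names and all sample values are constructed for illustration, and secret fields are never returned or printed.

```python
import json
import sys
import tempfile
from pathlib import Path

# Constructed sample files with placeholder values (no real IDs or keys).
SAMPLES = {
    "sample_service_key.json": {
        "type": "service_account", "project_id": "example-project-a",
        "client_id": "100000000000000000001", "private_key": "REDACTED",
        "client_email": "sa@example-project-a.iam.gserviceaccount.com"},
    "client_secrets.json": {"installed": {
        "project_id": "example-project-b", "client_secret": "REDACTED",
        "client_id": "1234-abc.apps.googleusercontent.com"}},
}

def classify(data):
    """Return (kind, client_id, project_id, identity); secrets are never returned."""
    if isinstance(data, dict) and data.get("type") == "service_account":
        return ("service_account", str(data.get("client_id", "")),
                str(data.get("project_id", "")), str(data.get("client_email", "")))
    for wrapper in ("installed", "web"):
        inner = data.get(wrapper) if isinstance(data, dict) else None
        if isinstance(inner, dict):
            return ("oauth_client", str(inner.get("client_id", "")),
                    str(inner.get("project_id", "")), wrapper)
    return ("unknown", "", "", "")

def inventory(directory):
    """Classify every *.json file in directory, sorted by file name."""
    rows = []
    for path in sorted(Path(directory).glob("*.json")):
        try:
            rows.append((path.name,) + classify(json.loads(path.read_text())))
        except (OSError, ValueError):  # unreadable file or invalid JSON
            rows.append((path.name, "unreadable", "", "", ""))
    return rows

def files_for_client(directory, client_name):
    """File names whose client_id equals the "Client name" printed by the check."""
    return [row[0] for row in inventory(directory) if row[2] == client_name]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no argument: use the constructed samples
        for name, body in SAMPLES.items():
            (Path(target) / name).write_text(json.dumps(body))
    for row in inventory(target):
        print("\t".join(row))
```

Pass the directory holding the credential files as the only argument; an empty result from `files_for_client` means no file in that directory belongs to the client named in the prompt.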

Bachittar Singh

Jan 17, 2019, 2:06:36 PM
to GAM for G Suite
Go here: https://admin.google.com/AdminHome?chromeless=1#OGX:ManageOauthClients, add the client ID where it says to, and in the second box add the following: 

There are 2 steps to this

