Persistent "No Client Access Allowed" on GCE VM despite exhaustive setup checks (GAM 7.09.03, Debian 12, Service Account)


Vini Bettega

Jun 12, 2025, 10:26:44 AM
to GAM for Google Workspace

Hello GAM Community,

I'm trying to set up GAMADV-XTD3 (v7.09.03) on a fresh Google Compute Engine (GCE) VM running Debian 12 (Bookworm). I'm using a service account for authentication as per the secure GCE setup guide.

I am consistently encountering the following error with any GAM command (e.g., gam info domain):

WARNING: Config File: /home/youruser/.gam/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value:, Not Found
ERROR: No Client Access allowed

What makes this particularly puzzling is that:

  1. The oauth2_txt warning persists even though oauth2_txt = '' is explicitly set to empty in ~/.gam/gam.cfg. This value was confirmed via cat ~/.gam/gam.cfg.
  2. Verbose logging (debug_level 4) produces no additional output, suggesting GAM fails at an extremely early stage of execution, before its logging system initializes.

Here's a summary of what I've confirmed and double-checked (multiple times, including full clean reinstall attempts):

VM & GAM Installation:

  • GAM Version: 7.09.03 (pyinstaller)
  • OS: Debian 12 (Bookworm) x86_64
  • Installation Method: bash <(curl -s -S -L https://git.io/gam-install) -l (local install, skipping OAuth).
  • ~/.gam/gam.cfg:
    • oauth2_txt = '' (confirmed empty)
    • oauth2service_json = /home/youruser/.gam/oauth2service.json (correct path)
    • service_account_delegation_email = your-adm...@your-domain.com (valid super admin email)
    • no_browser = true
    • domain = your-domain.com
    • user_service_account_access_only = true
  • ~/.gam/oauth2service.json: Exists, contains correct client_email (your-servi...@your-gcp-project.iam.gserviceaccount.com), client_id (your-service-account-client-id), project_id (your-gcp-project-id), etc.
  • File Permissions: All ~/.gam/ files/dirs have correct user ownership and read/write permissions.

GCP Configuration (Confirmed OK):

Google Workspace Domain-Wide Delegation (DWD):

  • Client ID (your-service-account-client-id) is added in admin.google.com > Security > Access and data control > API controls > Domain-wide delegation.
  • Crucially, this DWD setup (same service account, same scopes) is an exact copy of a working GAM setup I have for another Google Workspace domain.

Given that all standard troubleshooting steps have been exhausted, and the error persists with no debug output, I'm at a loss. Any insights or suggestions from the community would be greatly appreciated.

Thank you!


Vini Bettega

Ross Scroggs

Jun 12, 2025, 10:32:58 AM
to google-ap...@googlegroups.com
Have you set these variables in gam.cfg?
gam config enable_dasa true admin_email ad...@domain.com customer_id <Customer ID> domain domain.com save

Ross
----
Ross Scroggs




Vini Bettega

Jun 13, 2025, 5:09:32 AM
to GAM for Google Workspace
Hi Ross,

Yes, I replaced them here in the message just in case...
But yes, all accounts are in gam.cfg.
Just one question about your comment: I didn't change "enable_dasa", which is set to false in my gam.cfg. Should I change it?

Vini Bettega

Jun 13, 2025, 5:48:25 AM
to GAM for Google Workspace
Hi Ross,

I did some research, found out what the DASA config does, and tried that method.

I attempted to configure GAM (v7.09.03) on my GCE VM (Debian 12) using the DASA (Domain-wide Authorization for Service Accounts) method, hoping to resolve the persistent ERROR: No Client Access allowed I've been facing with my service account and Domain-Wide Delegation (DWD).

Here's what was done for the DASA attempt:

  1. gam.cfg was updated for DASA:

    • enable_dasa = true
    • customer_id = <my_actual_google_workspace_customer_id> (replaced my_customer with the real ID, e.g., C0xxxxxxxx)
    • admin_email = your-adm...@your-domain.com (populated this field)
    • service_account_delegation_email was commented out (as DASA replaces this).
    • oauth2service_json = /home/youruser/.gam/oauth2service.json remained.
  2. Initially, gam info domain produced "Not Compatible" errors:

    • ERROR: Config File: ... customer_id: my_customer, enable_dasa: True, Not Compatible
    • ERROR: Config File: ... admin_email: "", enable_dasa: True, Not Compatible (These were resolved by correctly setting the customer_id and admin_email in gam.cfg).
  3. Attempted to grant required IAM roles for DASA:

    • For the service account (your-servi...@your-gcp-project.iam.gserviceaccount.com), I tried to add the "Cloud Identity Administrator" role, but it was not available in the GCP Console's role dropdown search (tried searching for "Cloud Identity" and "Identity").
    • As a debugging step, and only temporarily, I then granted the service account the Project > Owner role.
  4. After granting "Owner" role, the error shifted back to 403 Forbidden: Running gam info domain with debug_level 4 (after setting enable_dasa = true and the "Owner" role) produced the following, very detailed 403 Forbidden error from the Admin API:

    connect: (admin.googleapis.com, 443)
    send: b'GET /admin/directory/v1/customers/C0xxxxxxxx?prettyPrint=true&alt=json HTTP/1.1\r\n...'
    reply: 'HTTP/1.1 403 Forbidden\r\n'
    ERROR: JSON: {'error': {'code': 403, 'message': 'Not Authorized to access this resource/api', 'errors': [{'message': 'Not Authorized to access this resource/api', 'domain': 'global', 'reason': 'forbidden'}]}}
    ERROR: Customer ID: C0xxxxxxxx, Show Info Failed: Not Authorized to access this resource/api

    (Note: The oauth2_txt warning was still present even with this DASA attempt.)

Conclusion of DASA Attempt: The DASA method was not successfully configured, either due to the unavailability of necessary IAM roles or underlying permission issues that even the "Owner" role couldn't overcome in this context. The core problem of being "Not Authorized to access this resource/api" from the Google Workspace Admin API persists.

I have since reverted gam.cfg back to the traditional DWD configuration (i.e., enable_dasa = false, admin_email = '', service_account_delegation_email uncommented, customer_id = my_customer).

The problem remains. Any further insights on why this 403 Forbidden persists, especially with a DWD setup confirmed to be an exact copy of a working one, would be extremely valuable.

My last chance would be to delete the DWD scopes and re-create them; as I mentioned before, I copied all the scopes from another working GAM domain. Can someone point me to a place where I can get a DWD scope list and double-check whether I made a typo?
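A small offline pre-flight check that encodes the configuration rules surfaced in this thread: the two "Not Compatible" pairings GAM reported when enable_dasa was true, the required service-account JSON fields, and a cross-check that the client_id in oauth2service.json is the same ID registered under Domain-wide delegation. This is an added example, not GAM's own code; the sample gam.cfg and JSON are constructed placeholders, the compatibility rules are inferred from the error text quoted above, and the DWD client ID is assumed to be pasted in by hand from the Admin console.

```python
import configparser
import json
from typing import Dict, List

# Constructed sample gam.cfg mirroring the DASA attempt before customer_id
# and admin_email were filled in. All values are placeholders.
SAMPLE_CFG = """[DEFAULT]
oauth2_txt = ''
oauth2service_json = /home/youruser/.gam/oauth2service.json
enable_dasa = true
customer_id = my_customer
admin_email = ''
domain = your-domain.com
"""

# Constructed sample oauth2service.json with the fields the thread inspects.
SAMPLE_SA_JSON = json.dumps({
    "type": "service_account",
    "project_id": "your-gcp-project-id",
    "client_email": "your-service@your-gcp-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "PLACEHOLDER",
})


def load_cfg(text: str) -> Dict[str, str]:
    # GAM's warning names "Section: DEFAULT", so read the file as INI.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    # '' in gam.cfg means an empty value; strip the quotes so it tests falsy.
    return {k: v.strip().strip("'\"") for k, v in cp["DEFAULT"].items()}


def check_setup(cfg: Dict[str, str], sa: dict, dwd_client_id: str) -> List[str]:
    problems: List[str] = []
    dasa = cfg.get("enable_dasa", "false").lower() == "true"
    if dasa:
        # The two incompatibilities GAM itself reported in the thread.
        if cfg.get("customer_id", "my_customer") == "my_customer":
            problems.append("customer_id: my_customer, enable_dasa: True, Not Compatible")
        if not cfg.get("admin_email"):
            problems.append('admin_email: "", enable_dasa: True, Not Compatible')
    elif not cfg.get("service_account_delegation_email"):
        problems.append("DWD mode: service_account_delegation_email is empty")
    for field in ("client_email", "client_id", "project_id", "private_key"):
        if not sa.get(field):
            problems.append(f"oauth2service.json: missing {field}")
    # DWD authorizes by client ID; a mismatch here never gets past Google.
    if sa.get("client_id") and sa["client_id"] != dwd_client_id:
        problems.append("client_id in oauth2service.json differs from the DWD client ID")
    return problems


def run_sample() -> List[str]:
    return check_setup(load_cfg(SAMPLE_CFG), json.loads(SAMPLE_SA_JSON), "123456789012345678901")
```

Run `run_sample()` against the constructed inputs and it reports exactly the two DASA incompatibilities; point `load_cfg` at the real `~/.gam/gam.cfg` contents to check a live setup.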
