"Not Authorized to access this resource/api" when Creating Groups
972 views
Skip to first unread message
Luis Giraldo
Jan 8, 2022, 6:23:32 AM1/8/22
to GAM for Google Workspace
Hi everyone!
I have a fresh installation of GAMADV in Google Cloud Shell. I've used GAM or GAMADV in various shapes for years but had never needed to interact with groups before, until now. I'm seeing this error when trying to create groups from a CSV list using GAMADV:
Command:
gam csv file.csv gam create group ~email
Error:
Group: grou...@domain.com, Create Failed: Not Authorized to access this resource/api
I can successfully do other tasks, like create users, update users, delete users, etc., but I cannot create groups. I can read and print groups, but not create them.
Things I've tried:
- gam oauth delete && gam oauth create (no change)
- uninstall and re-install GAMADV and the Cloud project (no change)
- Confirmed APIs are all enabled
- Adding additional scopes manually to the domain-wide delegation for the Client ID as listed in this post (no change)
- Checked service account (output below)
If anybody has any ideas, I'd welcome your comments!
Cheers,
Luis
$ gam user us...@domain.com check serviceaccount
System time status
Your system time differs from admin.googleapis.com by less than 1 second PASS
Service Account Private Key Authentication
Authentication PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
Service Account Private Key age: 0 days PASS
Domain-Wide Delegation authentication:, User: us...@domain.com, Scopes: 26
https://mail.google.com/ PASS (1/26)
https://sites.google.com/feeds PASS (2/26)
https://www.google.com/m8/feeds PASS (3/26)
https://www.googleapis.com/auth/apps.alerts PASS (4/26)
https://www.googleapis.com/auth/calendar PASS (5/26)
https://www.googleapis.com/auth/classroom.announcements PASS (6/26)
https://www.googleapis.com/auth/classroom.coursework.students PASS (7/26)
https://www.googleapis.com/auth/classroom.courseworkmaterials PASS (8/26)
https://www.googleapis.com/auth/classroom.profile.emails PASS (9/26)
https://www.googleapis.com/auth/classroom.rosters PASS (10/26)
https://www.googleapis.com/auth/classroom.topics PASS (11/26)
https://www.googleapis.com/auth/cloud-identity PASS (12/26)
https://www.googleapis.com/auth/cloud-platform PASS (13/26)
https://www.googleapis.com/auth/contacts PASS (14/26)
https://www.googleapis.com/auth/contacts.other.readonly PASS (15/26)
https://www.googleapis.com/auth/datastudio PASS (16/26)
https://www.googleapis.com/auth/directory.readonly PASS (17/26)
https://www.googleapis.com/auth/documents PASS (18/26)
https://www.googleapis.com/auth/drive PASS (19/26)
https://www.googleapis.com/auth/drive.activity PASS (20/26)
https://www.googleapis.com/auth/gmail.modify PASS (21/26)
https://www.googleapis.com/auth/gmail.settings.basic PASS (22/26)
https://www.googleapis.com/auth/gmail.settings.sharing PASS (23/26)
https://www.googleapis.com/auth/keep PASS (24/26)
https://www.googleapis.com/auth/spreadsheets PASS (25/26)
https://www.googleapis.com/auth/userinfo.profile PASS (26/26)
All scopes PASSED!
Service Account Client name: XXXXX is fully authorized.
System time status
Your system time differs from admin.googleapis.com by less than 1 second PASS
Service Account Private Key Authentication
Authentication PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
Service Account Private Key age: 0 days PASS
Domain-Wide Delegation authentication:, User: us...@domain.com, Scopes: 26
https://mail.google.com/ PASS (1/26)
https://sites.google.com/feeds PASS (2/26)
https://www.google.com/m8/feeds PASS (3/26)
https://www.googleapis.com/auth/apps.alerts PASS (4/26)
https://www.googleapis.com/auth/calendar PASS (5/26)
https://www.googleapis.com/auth/classroom.announcements PASS (6/26)
https://www.googleapis.com/auth/classroom.coursework.students PASS (7/26)
https://www.googleapis.com/auth/classroom.courseworkmaterials PASS (8/26)
https://www.googleapis.com/auth/classroom.profile.emails PASS (9/26)
https://www.googleapis.com/auth/classroom.rosters PASS (10/26)
https://www.googleapis.com/auth/classroom.topics PASS (11/26)
https://www.googleapis.com/auth/cloud-identity PASS (12/26)
https://www.googleapis.com/auth/cloud-platform PASS (13/26)
https://www.googleapis.com/auth/contacts PASS (14/26)
https://www.googleapis.com/auth/contacts.other.readonly PASS (15/26)
https://www.googleapis.com/auth/datastudio PASS (16/26)
https://www.googleapis.com/auth/directory.readonly PASS (17/26)
https://www.googleapis.com/auth/documents PASS (18/26)
https://www.googleapis.com/auth/drive PASS (19/26)
https://www.googleapis.com/auth/drive.activity PASS (20/26)
https://www.googleapis.com/auth/gmail.modify PASS (21/26)
https://www.googleapis.com/auth/gmail.settings.basic PASS (22/26)
https://www.googleapis.com/auth/gmail.settings.sharing PASS (23/26)
https://www.googleapis.com/auth/keep PASS (24/26)
https://www.googleapis.com/auth/spreadsheets PASS (25/26)
https://www.googleapis.com/auth/userinfo.profile PASS (26/26)
All scopes PASSED!
Service Account Client name: XXXXX is fully authorized.
Kim Nilsson
Jan 8, 2022, 7:58:40 AM1/8/22
to GAM for Google Workspace
gam update project
Just to see that gam is also happy with all the APIs.
Luis Giraldo
Jan 8, 2022, 2:23:30 PM1/8/22
to GAM for Google Workspace
Output of "gam update project":
APIs all seem to be enabled:
Project: gam-project-Xxxxx, Check 29 APIs
API: admin.googleapis.com, Already enabled (1/29)
API: alertcenter.googleapis.com, Already enabled (2/29)
API: calendar-json.googleapis.com, Already enabled (3/29)
API: chat.googleapis.com, Already enabled (4/29)
API: chromemanagement.googleapis.com, Already enabled (5/29)
API: chromepolicy.googleapis.com, Already enabled (6/29)
API: classroom.googleapis.com, Already enabled (7/29)
API: cloudidentity.googleapis.com, Already enabled (8/29)
API: cloudresourcemanager.googleapis.com, Already enabled (9/29)
API: contacts.googleapis.com, Already enabled (10/29)
API: datastudio.googleapis.com, Already enabled (11/29)
API: docs.googleapis.com, Already enabled (12/29)
API: drive.googleapis.com, Already enabled (13/29)
API: driveactivity.googleapis.com, Already enabled (14/29)
API: gmail.googleapis.com, Already enabled (15/29)
API: groupsmigration.googleapis.com, Already enabled (16/29)
API: groupssettings.googleapis.com, Already enabled (17/29)
API: iam.googleapis.com, Already enabled (18/29)
API: iamcredentials.googleapis.com, Already enabled (non-GAM which is fine) (19/29)
API: iap.googleapis.com, Already enabled (20/29)
API: keep.googleapis.com, Already enabled (21/29)
API: licensing.googleapis.com, Already enabled (22/29)
API: people.googleapis.com, Already enabled (23/29)
API: pubsub.googleapis.com, Already enabled (24/29)
API: reseller.googleapis.com, Already enabled (25/29)
API: sheets.googleapis.com, Already enabled (26/29)
API: siteverification.googleapis.com, Already enabled (27/29)
API: storage-api.googleapis.com, Already enabled (28/29)
API: vault.googleapis.com, Already enabled (29/29)
API: admin.googleapis.com, Already enabled (1/29)
API: alertcenter.googleapis.com, Already enabled (2/29)
API: calendar-json.googleapis.com, Already enabled (3/29)
API: chat.googleapis.com, Already enabled (4/29)
API: chromemanagement.googleapis.com, Already enabled (5/29)
API: chromepolicy.googleapis.com, Already enabled (6/29)
API: classroom.googleapis.com, Already enabled (7/29)
API: cloudidentity.googleapis.com, Already enabled (8/29)
API: cloudresourcemanager.googleapis.com, Already enabled (9/29)
API: contacts.googleapis.com, Already enabled (10/29)
API: datastudio.googleapis.com, Already enabled (11/29)
API: docs.googleapis.com, Already enabled (12/29)
API: drive.googleapis.com, Already enabled (13/29)
API: driveactivity.googleapis.com, Already enabled (14/29)
API: gmail.googleapis.com, Already enabled (15/29)
API: groupsmigration.googleapis.com, Already enabled (16/29)
API: groupssettings.googleapis.com, Already enabled (17/29)
API: iam.googleapis.com, Already enabled (18/29)
API: iamcredentials.googleapis.com, Already enabled (non-GAM which is fine) (19/29)
API: iap.googleapis.com, Already enabled (20/29)
API: keep.googleapis.com, Already enabled (21/29)
API: licensing.googleapis.com, Already enabled (22/29)
API: people.googleapis.com, Already enabled (23/29)
API: pubsub.googleapis.com, Already enabled (24/29)
API: reseller.googleapis.com, Already enabled (25/29)
API: sheets.googleapis.com, Already enabled (26/29)
API: siteverification.googleapis.com, Already enabled (27/29)
API: storage-api.googleapis.com, Already enabled (28/29)
API: vault.googleapis.com, Already enabled (29/29)
Ross Scroggs
Jan 8, 2022, 2:26:57 PM1/8/22
to google-ap...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/fce3377a-196f-4d30-8fc5-cc9308ce0234n%40googlegroups.com.
Luis Giraldo
Jan 8, 2022, 2:34:22 PM1/8/22
to GAM for Google Workspace
Thanks, Ross - emailed you a Zoom invite directly.
Cheers,
Luis
Luis Giraldo
Jan 8, 2022, 2:55:31 PM1/8/22
to GAM for Google Workspace
Many thanks to Ross for solving one of the most difficult problems to solve in this industry: PEBCAK 🤣 The CSV file had group addresses in the source domain (not the destination domain where we're working), so they couldn't be created. The API/resource error led me into a different rabbit hole. Cheers, Ross!
Regards,
Luis
Reply all
Reply to author
Forward
0 new messages