gam info domain 403 Forbidden


Duncan Isaksen-Loxton

May 12, 2026, 12:14:21 PM
to GAM for Google Workspace
Hi All,  

Setting up a new team member today and I'm running into something odd. We are partners, not unfamiliar with GAM, and build APIs all the time. 

We are doing 'gam oauth create' and enabled the reseller API, as well as the directory API, but running gam info domain (debug output below) still thinks that oauth doesn't contain the scope. check serviceaccount is working too: 

The user clientid is allowed in our Google Workspace, and the user has permission to the partner console. 

Why is the 403 forbidden happening? I feel like I'm missing something small but obvious. Any help greatly appreciated. 

gam user xxxxxx check serviceaccount
System time status
  Your system time differs from admin.googleapis.com by less than 1 second  PASS
Service Account Private Key Authentication
  Authentication                                                            PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
  Service Account Private Key age: 0 days                                   PASS
Domain-wide Delegation authentication:, User: xxxxxxxx, Scopes: 42
  https://mail.google.com/                                                  PASS (1/42)
  https://www.googleapis.com/auth/analytics.readonly                        PASS (2/42)
  https://www.googleapis.com/auth/apps.alerts                               PASS (3/42)
  https://www.googleapis.com/auth/calendar                                  PASS (4/42)
  https://www.googleapis.com/auth/chat.admin.delete                         PASS (5/42)
  https://www.googleapis.com/auth/chat.admin.memberships                    PASS (6/42)
  https://www.googleapis.com/auth/chat.admin.spaces                         PASS (7/42)
  https://www.googleapis.com/auth/chat.customemojis                         PASS (8/42)
  https://www.googleapis.com/auth/chat.delete                               PASS (9/42)
  https://www.googleapis.com/auth/chat.memberships                          PASS (10/42)
  https://www.googleapis.com/auth/chat.messages                             PASS (11/42)
  https://www.googleapis.com/auth/chat.spaces                               PASS (12/42)
  https://www.googleapis.com/auth/classroom.announcements                   PASS (13/42)
  https://www.googleapis.com/auth/classroom.coursework.students             PASS (14/42)
  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (15/42)
  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (16/42)
  https://www.googleapis.com/auth/classroom.profile.photos                  PASS (17/42)
  https://www.googleapis.com/auth/classroom.rosters                         PASS (18/42)
  https://www.googleapis.com/auth/classroom.topics                          PASS (19/42)
  https://www.googleapis.com/auth/cloud-identity.devices                    PASS (20/42)
  https://www.googleapis.com/auth/contacts                                  PASS (21/42)
  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (22/42)
  https://www.googleapis.com/auth/datastudio                                PASS (23/42)
  https://www.googleapis.com/auth/directory.readonly                        PASS (24/42)
  https://www.googleapis.com/auth/documents                                 PASS (25/42)
  https://www.googleapis.com/auth/drive                                     PASS (26/42)
  https://www.googleapis.com/auth/drive.activity                            PASS (27/42)
  https://www.googleapis.com/auth/drive.admin.labels                        PASS (28/42)
  https://www.googleapis.com/auth/drive.labels                              PASS (29/42)
  https://www.googleapis.com/auth/drive.readonly                            PASS (30/42)
  https://www.googleapis.com/auth/forms.body                                PASS (31/42)
  https://www.googleapis.com/auth/forms.responses.readonly                  PASS (32/42)
  https://www.googleapis.com/auth/gmail.modify                              PASS (33/42)
  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (34/42)
  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (35/42)
  https://www.googleapis.com/auth/keep                                      PASS (36/42)
  https://www.googleapis.com/auth/meetings.space.created                    PASS (37/42)
  https://www.googleapis.com/auth/meetings.space.readonly                   PASS (38/42)
  https://www.googleapis.com/auth/meetings.space.settings                   PASS (39/42)
  https://www.googleapis.com/auth/spreadsheets                              PASS (40/42)
  https://www.googleapis.com/auth/tasks                                     PASS (41/42)
  https://www.googleapis.com/auth/userinfo.profile                          PASS (42/42)
Deprecated scopes that GAM should NEVER have DwD access to:, User: xxxxxx, Scopes: 3
  https://www.googleapis.com/auth/cloud-identity                            PASS (1/3)
  https://www.googleapis.com/auth/cloud-platform                            PASS (2/3)
  https://www.googleapis.com/auth/iam                                       PASS (3/3)
All scopes PASSED!


gam config debug_level 10 redirect stderr stdout info domain
connect: (admin.googleapis.com, 443)
send: GET /$discovery/rest?version=directory_v1 HTTP/1.1
          Host: admin.googleapis.com
          content-length: 0
          user-agent: GAM 7.43.04 - https://github.com/GAM-team/GAM / GAM Team <google-ap...@googlegroups.com> / Python 3.14.4 final / macOS-26.4.1-arm64-arm-64bit-Mach-O arm64 /
          x-goog-api-client: cred-type/u
          authorization: Bearer *****
          accept-encoding: gzip, deflate
          
          
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json; charset=UTF-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Date: Tue, 12 May 2026 13:05:00 GMT
header: Server: ESF
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
header: Transfer-Encoding: chunked
send: GET /admin/directory/v1/customers/my_customer?prettyPrint=true&alt=json HTTP/1.1
          Host: admin.googleapis.com
          accept: application/json
          accept-encoding: gzip, deflate
          user-agent: GAM 7.43.04 - https://github.com/GAM-team/GAM / GAM Team <google-ap...@googlegroups.com> / Python 3.14.4 final / macOS-26.4.1-arm64-arm-64bit-Mach-O arm64 / (gzip)
          x-goog-api-client: gdcl/2.195.0 gl-python/3.14.4 cred-type/u
          content-length: 0
          authorization: Bearer *****
          
          
reply: 'HTTP/1.1 403 Forbidden\r\n'
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Type: application/json; charset=UTF-8
header: Content-Encoding: gzip
header: Date: Tue, 12 May 2026 13:05:01 GMT
header: Server: ESF
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
header: Transfer-Encoding: chunked
ERROR:  JSON: {'error': {'code': 403, 'message': 'Not Authorized to access this resource/api', 'errors': [{'message': 'Not Authorized to access this resource/api', 'domain': 'global', 'reason': 'forbidden'}]}}

ERROR: Not Authorized to access this resource/api

ERROR: Reauthentication is needed, please run

gam oauth create
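
An added example, not part of the original post and not GAM's own code: a small parser for a debug trace like the one above that pairs each request with its reply status and the `cred-type` token in `x-goog-api-client`, showing which kind of credential a denied call was made with. The embedded trace is a constructed, trimmed copy of the posted one, and the `cred-type` meanings are those used by the google-auth Python library.

```python
import re

# Constructed sample: trimmed to the shape of the debug trace in the post above.
TRACE = """\
send: GET /$discovery/rest?version=directory_v1 HTTP/1.1
          Host: admin.googleapis.com
          x-goog-api-client: cred-type/u
          authorization: Bearer *****
reply: 'HTTP/1.1 200 OK\\r\\n'
header: Content-Type: application/json; charset=UTF-8
send: GET /admin/directory/v1/customers/my_customer?prettyPrint=true&alt=json HTTP/1.1
          Host: admin.googleapis.com
          x-goog-api-client: gdcl/2.195.0 gl-python/3.14.4 cred-type/u
          authorization: Bearer *****
reply: 'HTTP/1.1 403 Forbidden\\r\\n'
header: Content-Type: application/json; charset=UTF-8
"""

# cred-type tokens that google-auth places in the x-goog-api-client header.
CRED_TYPES = {"u": "user OAuth token",
              "sa": "service account assertion",
              "jwt": "service account self-signed JWT"}

SEND = re.compile(r"^send: (\S+) (\S+) HTTP/")
REPLY = re.compile(r"^reply: 'HTTP/\S+ (\d{3})")
CRED = re.compile(r"x-goog-api-client:.*\bcred-type/(\w+)")

def parse_trace(text):
    """Pair each 'send:' request with the status of the 'reply:' that follows it."""
    exchanges, current = [], None
    for line in text.splitlines():
        if m := SEND.match(line):
            current = {"method": m[1], "path": m[2].split("?")[0],
                       "cred": None, "status": None}
            exchanges.append(current)
        elif current is None:
            continue  # lines before the first request (e.g. 'connect:')
        elif m := CRED.search(line):
            current["cred"] = m[1]
        elif m := REPLY.match(line):
            current["status"] = int(m[1])
    return exchanges

def denied(exchanges):
    """Return (path, credential description) for every 401/403 reply."""
    return [(e["path"], CRED_TYPES.get(e["cred"], f"unknown ({e['cred']})"))
            for e in exchanges if e["status"] in (401, 403)]

if __name__ == "__main__":
    for path, cred in denied(parse_trace(TRACE)):
        print(f"{path}: denied with {cred}")
```

In the posted trace the denied request carries `cred-type/u`, which is a different credential from the service account whose domain-wide delegation scopes `check serviceaccount` exercises.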