gam whatis - V6.01, unauthorized client

[Jim Karlin]

This is a race between the GAM admin community and Google Support - may the odds be ever in your favor :D

I'm trying to undelete a user that has 3 days left to recover, GUI fails without even a red bar, no error.  Gam undelete returns already exists, duplicate.  When I run a whatis on the address with or without the domain, I get unauthorized client.

I ran gam oauth revoke and started over, no change.  Any thoughts where the conflict can be from?  I also checked the transfer tool for unmanaged users in the GUI, but didn't find the account.

gam whatis REDACTED EMAIL

REDACTED EMAIL is not a user...

REDACTED EMAIL is not a user alias...

REDACTED EMAIL is not a group...

REDACTED EMAIL is not a proup alias...

ERROR: User  REDACTED EMAIL  : unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

Traceback (most recent call last):

  File "gam\__main__.py", line 50, in <module>

  File "gam\__main__.py", line 45, in main

  File "gam\__init__.py", line 11647, in ProcessGAMCommand

  File "gam\__init__.py", line 8417, in doWhatIs

  File "gam\gapi\cloudidentity\userinvitations.py", line 32, in is_invitable_user

AttributeError: 'NoneType' object has no attribute 'customers'

[3012] Failed to execute script __main__

[Jim Karlin]

Thanks Ross for reaching out right away to look at this, looks like it might be a job for Google Support after all.  I REALLY appreciate you helping me get my service account up to date, I definitely needed it since I've ignored it for years.  Ha!

The account I'm working with does appear to be in some sort of limbo, but here are some things Ross and I did to refresh things that have gone from version to version

gam check serviceaccount - let it run the checks, and use the shortened URL to re-authenticate

gam update project - pretty much the same as above

I think what really helped was pulling down a fresh version of my client_secrets.json from the developer console.  The one I had has been in place since 2017, so it's probably a miracle it still worked.

I'll make sure to report back when I hear from Support on what happened to this account.  It's an extremely goofy situation, but I'm sure something funny will come out of it.

[Jim Karlin]

Root cause of this issue was conflicting account - it didn't show up in the migration tool, and Ross and I checked for invited users.  According to support, the conflicting account was created shortly after the deletion.

We just had to create a user manually with the address of the account we needed back, rename (could have deleted actually come to think of it), then restore the deleted account.