gam create project: Missing required parameter: refresh_token

[Tim Pelling]

Hi Folks,

Hoping someone can help me as a search of this group and google hasn't as yet ...

I cannot create a GAM project for a particular GSuite tenancy.

After Allow 'GAM Project Creation' to 'access my Google Account' in the initial steps of 'gam create project', the 'authentication flow has completed' but I get this error message;

ERROR: Authentication Token Error - ('invalid_request: Missing required parameter: refresh_token', {'error': 'invalid_request', 'error_description': 'Missing required parameter: refresh_token'})

I am using the current version of GAM, but have also tried a slightly older version.  I am able to successfully create a project connecting me to another GSuite tenancy - so I'm assuming the problem is specific to configuration in the problem tenant, but can't work out what.

Any help/advice would be appreciated, unfortunately I'm pretty much a GAM newbie ...

Regards, Tim

[Ross Scroggs]

Tim,

Verify the following steps:

* See https://support.google.com/a/answer/9197205?hl=en

* Access the admin console and go to Apps -> Additional Google Services

* Look for the service "Google Cloud Platform"

* Verify that it is on for the OU containing for the super admin you'll be using

Verify that all scopes are available:

* Access the admin console and go to Apps -> Additional Google Services

* If this line is present: `Access to additional services without individual control for all organizational units is turned Off`

* Click "CHANGE"

* Select "ON for everyone"

* Click "SAVE"

* Access the admin console and go to Security -> API Controls

* Check "Trust internal, domain-owned apps"

* Click "SAVE"

Ross

--

ross.s...@gmail.com

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/720ad3e9-f667-464e-8f53-51cef23896a4n%40googlegroups.com.

[Tim Pelling]

Hi Ross,

Thanks for your help - but that hasn't resolved the issue;

User is a Super Admin in Super Admins OU
Apps -> Additional Google Services -> Google Cloud Platform
    is 'On for some', ON at the root level and overridden as ON @ Super Admins OU
    'Allow users to create projects' is ON at root level and inheritted @ Super Admins OU
    'OS Login API Settings' mentioned in the linked article are all ON
    'Allow access to cloud shell' is ON
Access to additional services without individual control for all organisational units is turned ON
Security -> Access and data control -> API controls -> 'Trust internal, domain owned apps' is Checked

After failed 'gam create project' attempts I see 'GAM Project Creation' is connected to the user

But 'gam create project' still fails with the same missing refresh_token error.

Regards, Tim

[Jonathan Ransom-Flint]

If you want the fix for this, most likely your admin account being used as the serviceaccount for GAM is *not* "over 18".  Google Cloud requires users to be 18 or older.  May sure to flag the OU this admin account is in as being 18.  This is in the admin console under account -> account settings -> age-based settings.

[ddt-wiki]

thank you for this tip. this fixed the issue for me