API access Denied - Scopes not updating


Colin O'Leary

Apr 26, 2022, 5:15:10 AM
to GAM for Google Workspace
I'm trying to run the following command to update who can view members in a group:

gam csv gsheet viewgroupmembers gam update group ~email whoCanViewGroup ALL_MANAGERS_CAN_VIEW

It gives me this error:

ERROR: Authentication Token Error - invalid_request: Invalid impersonation "sub" field: viewgroupmembers@

ERROR: API access Denied
Please make sure the Service Account Client name: XXXXXXXXXXXXXXXXXXXXXXXX is authorized for the appropriate API or scopes:
Drive API v3

Run: gam user viewgroupmembers@ check serviceaccount

When I run that command as outlined above it fails and tells me what to do:

gam user viewgroupmembers@ check serviceaccount
System time status
  Your system time differs from admin.googleapis.com by less than 1 second  PASS
Service Account Private Key Authentication
  Authentication                                                            PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
  Service Account Private Key age: 802 days                                 WARN
Domain-Wide Delegation authentication:, User: viewgrou...@domain.ie, Scopes: 26
  https://mail.google.com/                                                  FAIL (1/26)
  https://sites.google.com/feeds                                            FAIL (2/26)
  https://www.google.com/m8/feeds                                           FAIL (3/26)
  https://www.googleapis.com/auth/apps.alerts                               FAIL (4/26)
  https://www.googleapis.com/auth/calendar                                  FAIL (5/26)
  https://www.googleapis.com/auth/classroom.announcements                   FAIL (6/26)
  https://www.googleapis.com/auth/classroom.coursework.students             FAIL (7/26)
  https://www.googleapis.com/auth/classroom.courseworkmaterials             FAIL (8/26)
  https://www.googleapis.com/auth/classroom.profile.emails                  FAIL (9/26)
  https://www.googleapis.com/auth/classroom.rosters                         FAIL (10/26)
  https://www.googleapis.com/auth/classroom.topics                          FAIL (11/26)
  https://www.googleapis.com/auth/cloud-identity                            FAIL (12/26)
  https://www.googleapis.com/auth/cloud-platform                            FAIL (13/26)
  https://www.googleapis.com/auth/contacts                                  FAIL (14/26)
  https://www.googleapis.com/auth/contacts.other.readonly                   FAIL (15/26)
  https://www.googleapis.com/auth/datastudio                                FAIL (16/26)
  https://www.googleapis.com/auth/directory.readonly                        FAIL (17/26)
  https://www.googleapis.com/auth/documents                                 FAIL (18/26)
  https://www.googleapis.com/auth/drive                                     FAIL (19/26)
  https://www.googleapis.com/auth/drive.activity                            FAIL (20/26)
  https://www.googleapis.com/auth/gmail.modify                              FAIL (21/26)
  https://www.googleapis.com/auth/gmail.settings.basic                      FAIL (22/26)
  https://www.googleapis.com/auth/gmail.settings.sharing                    FAIL (23/26)
  https://www.googleapis.com/auth/keep                                      FAIL (24/26)
  https://www.googleapis.com/auth/spreadsheets                              FAIL (25/26)
  https://www.googleapis.com/auth/userinfo.profile                          FAIL (26/26)
Some scopes FAILED!
To authorize them, please go to the following link in your browser:

    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.google.com/m8/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=XXXXXXXXXXXXXXXXXXXXX&overwriteClientId=true&dn=domain.ie&authuser=user...@domain.ie

You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
The "Add a new Client ID" box will open
Make sure that "Overwrite existing client ID" is checked
Click AUTHORIZE
When the box closes you're done
After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.


I do the above and it says The OAUTH Client ID XXXXXXXXXXXXXXXX is added with 27 scopes

But it does not work and keeps throwing back the same failures when I check them again - this is after waiting days in case it took a bit longer to update on the Google side....


If I check service account it all passes:


bin/gamadv-xtd3$ gam user NAME check serviceaccount
System time status
  Your system time differs from admin.googleapis.com by less than 1 second  PASS
Service Account Private Key Authentication
  Authentication                                                            PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
  Service Account Private Key age: 802 days                                 WARN
Domain-Wide Delegation authentication:, User: us...@domain.ie, Scopes: 26
  https://mail.google.com/                                                  PASS (1/26)
  https://sites.google.com/feeds                                            PASS (2/26)
  https://www.google.com/m8/feeds                                           PASS (3/26)
  https://www.googleapis.com/auth/apps.alerts                               PASS (4/26)
  https://www.googleapis.com/auth/calendar                                  PASS (5/26)
  https://www.googleapis.com/auth/classroom.announcements                   PASS (6/26)
  https://www.googleapis.com/auth/classroom.coursework.students             PASS (7/26)
  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (8/26)
  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (9/26)
  https://www.googleapis.com/auth/classroom.rosters                         PASS (10/26)
  https://www.googleapis.com/auth/classroom.topics                          PASS (11/26)
  https://www.googleapis.com/auth/cloud-identity                            PASS (12/26)
  https://www.googleapis.com/auth/cloud-platform                            PASS (13/26)
  https://www.googleapis.com/auth/contacts                                  PASS (14/26)
  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (15/26)
  https://www.googleapis.com/auth/datastudio                                PASS (16/26)
  https://www.googleapis.com/auth/directory.readonly                        PASS (17/26)
  https://www.googleapis.com/auth/documents                                 PASS (18/26)
  https://www.googleapis.com/auth/drive                                     PASS (19/26)
  https://www.googleapis.com/auth/drive.activity                            PASS (20/26)
  https://www.googleapis.com/auth/gmail.modify                              PASS (21/26)
  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (22/26)
  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (23/26)
  https://www.googleapis.com/auth/keep                                      PASS (24/26)
  https://www.googleapis.com/auth/spreadsheets                              PASS (25/26)
  https://www.googleapis.com/auth/userinfo.profile                          PASS (26/26)
All scopes PASSED!

Service Account Client name: XXXXXXXXXXXXXXXXXXXXX is fully authorized.


Is there something wrong or am I missing something here?

The GAM version I have is below - I updated to this yesterday as I was having the same issue on an older version:


GAMADV-XTD3 6.21.00 - https://github.com/taers232c/GAMADV-XTD3 - pyinstaller
Ross Scroggs <ross.s...@gmail.com>
Python 3.10.4 64-bit final
Linux Ubuntu 18.04 Bionic Beaver x86_64

Jaap Stoel

Apr 26, 2022, 5:49:16 AM
to GAM for Google Workspace
Are you using two different clients with GAM?
I had a similar problem where my own ID was authorized but my coworker's ID wasn't. So I found his ID in the oauth2service.json file and gave him the required API access through the admin panel.
This is what it wound up looking like: 
Screenshot 2022-04-26 11.47.47.png

On Tuesday, April 26, 2022 at 11:15:10 UTC+2, Colin O'Leary wrote:

Colin O'Leary

Apr 26, 2022, 9:23:27 AM
to GAM for Google Workspace

We do have a couple more users with their own GAM IDs, if that's what you mean?

When I check my serviceaccount with my username as per below, I'm assuming I should have all authorization already?

Jaap Stoel

Apr 26, 2022, 9:52:20 AM
to google-ap...@googlegroups.com
Yeah, that's what I ran into. Even though we all used the same project and same service account, the IDs were different. So I had to authorize both users separately in Admin.




Colin O'Leary

Apr 26, 2022, 10:35:39 AM
to GAM for Google Workspace
My bad - I was using the sheet name as the username in the original command and hence checking on the wrong username - I only noticed it after reading back what you said and checking the command!

Thanks for the extra pair of eyes and the help .....
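
Added example, not part of any post in this thread and not GAM's own code: a small parser that compares two "check serviceaccount" runs to tell a bad impersonation subject (the cause found above) apart from missing domain-wide delegation scopes. The sample output is constructed and abbreviated to three scopes, `example.test` is a placeholder domain, and `parse_check` and `diagnose` are hypothetical names.

```python
import re

# Constructed sample output, abbreviated from the shape of the
# "check serviceaccount" runs quoted in this thread (3 scopes, not 26).
SAMPLE_SHEETNAME = """\
Service Account Private Key age: 802 days                                 WARN
Domain-Wide Delegation authentication:, User: viewgroupmembers@example.test, Scopes: 3
  https://mail.google.com/                                                  FAIL (1/3)
  https://www.googleapis.com/auth/drive                                     FAIL (2/3)
  https://www.googleapis.com/auth/spreadsheets                              FAIL (3/3)
"""
# Same client checked against a real account: every scope passes.
SAMPLE_REAL_USER = (SAMPLE_SHEETNAME.replace("FAIL", "PASS")
                    .replace("viewgroupmembers@", "admin@"))

HEADER = re.compile(r"Domain-Wide Delegation authentication:, User: (\S+), Scopes: (\d+)")
SCOPE = re.compile(r"^\s+(https://\S+)\s+(PASS|FAIL) \(\d+/\d+\)\s*$", re.M)
KEY_AGE = re.compile(r"Service Account Private Key age: (\d+) days")


def parse_check(text):
    """Return the subject, per-scope results and key age from one check run."""
    header = HEADER.search(text)
    age = KEY_AGE.search(text)
    return {
        "subject": header.group(1) if header else None,
        "scopes": dict(SCOPE.findall(text)),
        "key_age_days": int(age.group(1)) if age else None,
    }


def diagnose(failing, baseline):
    """Compare a failing run against a run for a known-good user."""
    failed = {s for s, r in failing["scopes"].items() if r == "FAIL"}
    passed = {s for s, r in baseline["scopes"].items() if r == "PASS"}
    if failed and failed == set(failing["scopes"]) and failed <= passed:
        # Same client and scopes pass for another user: the delegation is
        # fine, so the impersonated subject is what needs checking.
        return "subject"
    if failed:
        # Only some scopes fail: the authorized scope list is incomplete.
        return "scopes"
    return "ok"


if __name__ == "__main__":
    bad, good = parse_check(SAMPLE_SHEETNAME), parse_check(SAMPLE_REAL_USER)
    print(bad["subject"], "->", diagnose(bad, good), "| key age:", bad["key_age_days"])
```
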
