Service account configuration confusion
23 views
Skip to first unread message
Jon Parodi
Jul 28, 2017, 6:40:08 PM7/28/17
to gshell-discuss
I apologize for asking something probably already answered but I didn't see it.
I created a Service Account within the API console and have it set to have Domain Wide Delegation and downloaded the json file created with it.
Next I ran
set-gshellServiceAccount -ServiceAccountId [account ID] -CertificatePath [path to json] When I ran
get-GGmailForwardingAddress -userid me -all -targetuseremail [someOtherUser]
I get the following error
Error: "unathorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", "uri:""
Spencer Varney
Jul 28, 2017, 7:23:14 PM7/28/17
to Jon Parodi, gshell-discuss
Not at a computer right now, but is your project in the cloud developers console set up to allow access to the Gmail api?
--
You received this message because you are subscribed to the Google Groups "gshell-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gshell-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Jon Parodi
Jul 28, 2017, 7:37:00 PM7/28/17
to gshell-discuss, jpa...@zymergen.com
To the best of my knowledge, it appears so. When I go to the Gmail API Dashboard it shows as being enabled.
To unsubscribe from this group and stop receiving emails from it, send an email to gshell-discus...@googlegroups.com.
Spencer Varney
Jul 28, 2017, 8:00:06 PM7/28/17
to Jon Parodi, gshell-discuss
Then it's likely conflicting Gmail scopes. My fridge is leaking ouddles of water all over, but I'll get back to you later tonight. If not, harass me until I remember.
To unsubscribe from this group and stop receiving emails from it, send an email to gshell-discuss+unsubscribe@googlegroups.com.
Jon Parodi
Jul 28, 2017, 8:02:58 PM7/28/17
to Spencer Varney, gshell-discuss
ahahaha priorities man - you're providing a wonderful product and making it open source. No rush on this - I am most likely doing something stupid and not implementing things correctly.
If I don't make any headway later next week I may poke you again though :)
Jon Parodi
System Administrator, Zymergen
Jon Parodi
Jul 28, 2017, 11:01:57 PM7/28/17
to gshell-discuss, squi...@gmail.com
It appears I was looking in the wrong spot for the scoping issues... I recreated a new service account with DWD and futzed with the scope in the admin>security> api access console.
I am confused because based off of the api references, that should be enough to get the job done and I would rather minimize the level of access the account has to only whats needed.
Oddly though now I am curious about the scoping needed to get the forwarding address.
This works just fine
But the following set of scopes fails:
Spencer Varney
Jul 29, 2017, 11:15:28 PM7/29/17
to Jon Parodi, gshell-discuss
Yeeeeeah, so the fridge is dead, have to call someone to come service it. So much water everywhere.
As far as Gmail scopes first recall that they can all be found in detail on this Google page and take note of the details they supply for each.
Take the following with a grain of salt, I haven't tested it thoroughly yet but it's what has stuck in my head. It may have been something else, I don't know. I've kinda just messed with scopes myself until it works... but like you said, I think you DO have to fully represent those scopes in the API access bit of the admin panel (I forgot about that!) if you haven't already. I can report back on what I have at work sometime this week, feel free to ping me if you'd like that.
In terms of what you have to allow from the gShell side, I have found that the https://mail.google.com/ scope also can cause some conflicting access issues if you include other scopes, but I honestly can't recall which. Also, I have found that the inclusion of some more restrictive scopes will override and prevent access of more open and permissive scopes. For instance, https://www.googleapis.com/auth/gmail.metadata will prevent you from seeing the message body even if you include https://mail.google.com/. Or something like that.
Best thing I can say is test them out and if you have the time, report back - If anyone is willing to write something comprehensive up we can definitely add it to the wiki somewhere to help others out in the future.
I hope that was at all coherant.
--
Jon Parodi
Jul 31, 2017, 8:50:26 PM7/31/17
to gshell-discuss, jpa...@zymergen.com
blech - that sounds no bueno. hopefully nothing terribly destructive happened
which is why I was confused. I did also test with each and every GMail scope and only found that just the one worked (but i was only doing one scope each)
I checked the scopes on that location prior to my last email:
https://www.googleapis.com/auth/gmail.settings.sharing | Manage sensitive mail settings, including forwarding rules and aliases. |
which is why I was confused. I did also test with each and every GMail scope and only found that just the one worked (but i was only doing one scope each)
It mostly works now in that I can pull forwarding rules from accounts for a full audit. I was hoping to set forwarding addresses as well but saw in the other thread that that function is currently not working correctly
Reply all
Reply to author
Forward
0 new messages