Googlephpapi 使用服务帐户管理用户答案

【问题标题】：Googlephpapi managing users with service accountGooglephpapi 使用服务帐户管理用户
【发布时间】：2017-04-29 01:57:24
【问题描述】：

我已经按照这里的指示https://developers.google.com/api-client-library/php/auth/service-accounts

我已经在

的管理控制台中添加了我的服务帐户的客户端 ID 的范围

https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.customer
https://www.googleapis.com/auth/admin.directory.domain

以下是我要运行的代码

putenv('GOOGLE_APPLICATION_CREDENTIALS=JSONFILELOCATION');
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->setApplicationName("Directory");
$client->setScopes(array(
   Google_Service_Directory::ADMIN_DIRECTORY_CUSTOMER,
   Google_Service_Directory::ADMIN_DIRECTORY_USER
));
$client->setSubject("directory@directory-152416.iam.gserviceaccount.com");
//$client->setSubject(SUPERADMINEMAILADDRESS);

$service = new Google_Service_Directory($client);
 // Print the first 10 users in the domain.
$optParams = array(
   'domain'=>'MYDOMAIN',
   'maxResults' => 10,
   'orderBy' => 'email',
);
$results = $service->users->listUsers($optParams);

我得到的结果是未经授权的客户

Fatal error:  Uncaught exception 'Google_Service_Exception' with message '{
"error": "unauthorized_client",
"error_description": "Unauthorized client or scope in request."
}
' in /var/web/composer/googlephpapi/vendor/google/apiclient/src/Google/Http/REST.php:118
Stack trace:
#0 /var/web/composer/googlephpapi/vendor/google/apiclient/src/Google/Http/REST.php(94): Google_Http_REST::decodeHttpResponse(Object(GuzzleHttp\Psr7\Response), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...')
#1 [internal function]: Google_Http_REST::doExecute(Object(GuzzleHttp\Client), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...')
#2 /var/web/composer/googlephpapi/vendor/google/apiclient/src/Google/Task/Runner.php(181): call_user_func_array(Array, Array)
#3 /var/web/composer/googlephpapi/vendor/google/apiclient/src/Google/Http/REST.php(58): Google_Task_Runner->run()
#4 /var/web/composer/googlephpapi/vendor/google/apiclient/src/Google/Client.php(781): Google_Http_REST::execute(Object(GuzzleHttp\Client), Object(GuzzleHttp\Psr7\Request),  in /var/web/composer/googlephpapi/vendor/google/apiclient/src/Google/Http/REST.php on line 118

我正在尝试使用服务帐户电子邮件地址。但是我得到了权限错误。如果我使用超级管理员电子邮件地址，我会得到很好的结果。我是否缺少能够使用服务帐户的设置？我认为进行域范围的委派将允许我使用服务帐户来获得完全访问权限，而无需使用真实用户。

【问题讨论】：

由于服务帐户不是超级管理员，这就是您获得未经授权的client 的原因。您只能使用服务帐号模拟用户。因此，主题应始终是帐户的超级管理员。

标签： google-api-php-client google-api-client google-directory-api

【解决方案1】：

这是另一个可以尝试的示例。

   define('SCOPES', implode(' ', array( Google_Service_Directory::ADMIN_DIRECTORY_USER ) ));

   putenv('GOOGLE_APPLICATION_CREDENTIALS=' . $path_to_json_creds_file );

   $client = new Google_Client();
   $client->useApplicationDefaultCredentials();  // loads whats in that json service account file.
   $client->setScopes(SCOPES); // adds the scopes
   $client->setSubject($domainUserWithAdminRoles);  // An org account with special roles defined.

   $dir = new Google_Service_Directory($client);

   // get the account.
   $results = $dir->users->get($userKey);

   print_r($results);

【讨论】：