I've created a service account and given its client ID the scope https://www.googleapis.com/auth/admin.directory.group
When I run the following code, I get a 403 error: Insufficient Permission.
<?php
// Requires >= PHP 5.4
require_once(__DIR__ . '/vendor/autoload.php');
date_default_timezone_set('America/Chicago');

$settings = [
    'creds_path' => '/path/to/service_creds.json',
    'group_email' => 'group@email.com',
    'service_email' => 'service@email.com'
];

putenv("GOOGLE_APPLICATION_CREDENTIALS={$settings['creds_path']}");

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Directory::ADMIN_DIRECTORY_GROUP);
// $client->setSubject('admin@email.com');

$service = new Google_Service_Groupssettings($client);

try {
    print_r($service->groups->get($settings['group_email'], ['alt' => 'json']));
} catch(Google_Service_Exception $e) {
    if($e->getCode() == 404) {
        echo "Group {$settings['group_email']} not found.\n";
        exit;
    } elseif($e->getCode() == 403) {
        echo "Insufficient Permissions.\n";
        exit;
    } else {
        throw $e;
    }
}
I read somewhere that the service account has to impersonate someone who has access to the Admin SDK, so that's what the commented-out line tried, but it didn't work.
Does anyone know what's wrong?
The code that's being required is from https://github.com/google/google-api-php-client
It ended up being that I was using the wrong class. I switched Google_Service_Groupssettings to Google_Service_Directory and un-commented the setSubject call and now it works.
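The fix described in the answer, written out as an added example (not the poster's own code): the service class is matched to the scope that was authorized, and the service account impersonates a domain user. The `admin_email` key and all addresses and paths are placeholders, and the impersonated user is assumed to be allowed to read groups.

```php
<?php
// Added example: corrected pairing of service class, scope and subject.
require_once __DIR__ . '/vendor/autoload.php';

$settings = [
    'creds_path'  => '/path/to/service_creds.json', // placeholder path
    'group_email' => 'group@email.com',             // placeholder group
    'admin_email' => 'admin@email.com',             // placeholder: user to impersonate
];

putenv("GOOGLE_APPLICATION_CREDENTIALS={$settings['creds_path']}");

$client = new Google_Client();
$client->useApplicationDefaultCredentials();

// Request only the scope that was authorized for the service account's
// client ID. A read-only variant (ADMIN_DIRECTORY_GROUP_READONLY) exists,
// but it would have to be authorized for the client ID as well.
$client->addScope(Google_Service_Directory::ADMIN_DIRECTORY_GROUP);

// The service account acts on behalf of this domain user; without a
// subject the Directory API answers 403.
$client->setSubject($settings['admin_email']);

// admin.directory.group belongs to the Directory API. The Groups Settings
// API (Google_Service_Groupssettings) uses a different scope,
// Google_Service_Groupssettings::APPS_GROUPS_SETTINGS, so calling it with
// the Directory scope is rejected as insufficient permission.
$service = new Google_Service_Directory($client);

try {
    $group = $service->groups->get($settings['group_email']);
    printf("%s <%s>\n", $group->getName(), $group->getEmail());
} catch (Google_Service_Exception $e) {
    if ($e->getCode() == 404) {
        echo "Group {$settings['group_email']} not found.\n";
    } elseif ($e->getCode() == 403) {
        // Check: scope authorized for the client ID, subject set,
        // and the impersonated user has rights to read groups.
        echo "Insufficient Permissions.\n";
    } else {
        throw $e;
    }
}
```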