google-apigoogle-admin-sdkservice-accountsgoogle-reporting-api

401 Access denied. You are not authorized to read activity records

I'm trying to get data from Reports API.

I get access token for service account and using it in GET request. Response always

{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "authError",
        "message": "Access denied. You are not authorized to read activity records.",
        "locationType": "header",
        "location": "Authorization"
      }
    ],
    "code": 401,
    "message": "Access denied. You are not authorized to read activity records."
  }
}

I'm using Java for request. Without Google API library (client requirement). Source code is

String urlString = "https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?maxResults=25";

        URL url = new URL(urlString);
        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();

        // optional default is GET
        urlConnection.setRequestMethod("GET");
        urlConnection.setDoInput(true);

        // Add request header.
        urlConnection.setRequestProperty("Authorization", "Bearer " + accessToken.getValue());

        int responseCode = urlConnection.getResponseCode();

        System.out.println("\nSending 'GET' request to URL : " + urlString);
        System.out.println("Response Code : " + responseCode);

        BufferedReader bufferedReader;

        if (responseCode == 200) {
            bufferedReader = new BufferedReader(
                    new InputStreamReader(urlConnection.getInputStream()));
        } else {
            bufferedReader = new BufferedReader(
                    new InputStreamReader(urlConnection.getErrorStream()));
        }

        String inputLine;
        StringBuffer stringBuffer = new StringBuffer();

        while ((inputLine = bufferedReader.readLine()) != null) {
            stringBuffer.append(inputLine);
        }

        bufferedReader.close();

        System.out.println(stringBuffer.toString());

Can you, please, help me what I'm missing?

Regards, Aleks.

Solution

  • "Access denied. You are not authorized to read activity records.",

    means just that the user you are authecated with does not have access to do what you are trying to do. To use a service account with this api you need to set up domain wide delegation

    In enterprise applications you may want to programmatically access a user's data without any manual authorization on their part. In G Suite domains, the domain administrator can grant third-party applications with domain-wide access to its users' data — this is referred as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.

    1. Go to your G Suite domain’s Admin console.
    2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    3. Select Advanced settings from the list of options.
    4. Select Manage third party OAuth Client access in the Authentication section.
    5. In the Client name field enter the service account's Client ID.
    6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to activity reports enter: https://www.googleapis.com/auth/admin.reports.audit.readonly
    7. Click the Authorize button.