Problems authenticating Service Account for google reseller api using the nodejs library

I am trying to access the google reseller api using the nodejs library, which has very shi..., I mean spotty documentation. I tried following the example here, but I fail at step 3 with this error:

  code: 403,
  errors: [
    {
      domain: 'global',
      reason: 'insufficientPermissions',
      message: 'Authenticated user is not authorized to perform this action.'
    }
  ]

My configuration looks like this:

    const OAUTH2_SCOPES = [
      "https://www.googleapis.com/auth/admin.directory.user",
      "https://www.googleapis.com/auth/apps.order",
      "https://www.googleapis.com/auth/siteverification",
      "https://www.googleapis.com/auth/cloud-platform",
    ];

   const authJWT = new google.auth.JWT({
      keyFile: JSON_PRIVATE_KEY_FILE,
      scopes: OAUTH2_SCOPES,
      subject: RESELLER_ADMIN_USER,
      email: "gsuite-reseller@some-cool-name-because-why-not.iam.gserviceaccount.com",
    });

Using basic google fu, I found this thread, which suggested that my problem has to do with impersonation. So I exchanged the email in the subject property, with my account email, which has the owner rights specified. I also gave the service account owner rights, because at that point I am pretty clueless. This unfortunately only changed the error message to:

status: 401,
statusText: 'Unauthorized'

Does anybody have an idea what goes wrong? The 401 suggests that there are credentials missing. Would I have to also specify my private emails credentials in addition to the ones of the service account? If yes, then where? I did not find any property on the google.auth.JWT.options object which sounded promising.

Why do you need domain-wide delegation?

• When you use a service account and enable domain-wide delegation, it means that you allow the service account to impesonate the user and act on his behalf
• If you use a service account without impersonation - the service account can only perform operations to which it is autherized - e.g. it can access files on your Drive or access your Calendar - but only if you explicitly shared those with the service account!
• To perform requests for which the service account is not authorized, you need to make the service account impersonate a domain user that has the necessary authorization - that is you need to impersonate the user
• However to impersonate the user, you need to explicitly give the service account the permission to act on behalf of a user - this is called domain-wide delegation
• Enabling domain-wide delegation will not make "every created user to have to go through manual authorization" or affect any other non-service account related behavior
• the only thing domain-wide delegation does is to allow a service account to represent a user
• Without enabling domain-wide delegation the impersonaiton of a user will not be authorized and setting a subject will throw you an error

References:

• https://support.google.com/a/answer/162106?hl=en
• https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
• https://developers.google.com/admin-sdk/directory/v1/guides/delegation