I get a 400 error when accessing the Google API admin/directory in Go

I have a project where all users have a Google account which is centrally managed via G-Suit. Now I need to have all G-Suit users available in my backend, so that it is possible to search for users even if they never log in to my tool. Therefore I thought it is best that the backend is connected to Google via a service account to load the users from their API.

For the authentication I generated a key-pair from the google cloud console for a service account (with owner rights for testing), saved it as json and passed it to the application. After that, I used the returned service to start the API call that was supposed to return the users, unfortunately it only ever returns a 400 error.

I've already tried to narrow down the problem a bit, and as far as I've seen from the debugger, there's a bearer token missing from the header, otherwise I haven't seen anything else out of the ordinary, so I'm assuming it's an authentication problem, but it could also be a different problem altogether.

Here is my code:

import (
    "context"
    admin "google.golang.org/api/admin/directory/v1"
    "google.golang.org/api/option"
    "log"
)

func Test() error {

    ctx := context.Background()
    adminService, err := admin.NewService(ctx, option.WithCredentialsFile("./client-secret.json"))

    if err != nil {
        return err
    }

    res, err := adminService.Users.List().Customer("my_customer").Projection("full").MaxResults(500).Do()
    if err != nil {
        return err
    }

    log.Printf("Result: %v\n", res)

    for _, u := range res.Users {
        println(u.PrimaryEmail)
    }

    return nil
}

This is the resulting log message googleapi: Error 400: Invalid Input, invalid

I am trying to load from the Google API all the users in my organisation, unfortunately I get a 400 error every time I try, which I don't quite understand why as I use the Google API library for go.

SUGGESTION

NOTE: This is intended to serve as a starting point or reference for your project. It's important to note that the community members do not provide coding services.

I'm not an expert in Golang, but the concept of using Google APIs with service accounts is similar across most programming languages. Here are some steps to follow when using a Google API with a service account:

1. Set up Domain-Wide Delegation for your service account.
2. Use the subject parameter when configuring your credential to specify the Super Admin email address that your service account should impersonate. This ensures that the service account has the necessary permissions to perform the required actions. You can refer to this related Golang reference more information on configuring the subject parameter & more.

Here's a demonstration:

On my end, I tested the Admin SDK API using Python, and I encountered a 400 error:

To resolve it, I made sure to properly set up Domain-Wide Delegation and specify the subject parameter when creating the service account credentials. After doing this, I was able to use the Admin SDK API without any issues:

I hope this will help you make progress with your current project.