问题描述

是否可以使用服务帐户访问Google Admin Report SDK?

Is it possible to use a service account to access the Google Admin Report SDK?

我有一个非常基本的示例，我试图运行，但总是返回400错误.我已经验证了密钥和服务ID的正确性，甚至已经将权限委派给了该服务帐户.这是不可能的吗?有人有什么想法吗?

I have a very basic example I am trying to run and I always get a 400 error returned. I have validated the key and service ID are correct and I have even delegated authority to this service account. Is this just not possible? Anyone have any ideas?

PrivateKey serviceAcountPrivateKey = null;
    try (InputStream resourceAsStream = getClass().getClassLoader().getResourceAsStream("insta2.p12")) {
        serviceAcountPrivateKey = SecurityUtils.loadPrivateKeyFromKeyStore(
                SecurityUtils.getPkcs12KeyStore(), resourceAsStream, "notasecret",
                "privatekey", "notasecret");
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException("Error loading private key", e);
    }
    try {
        HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
        // Build service account credential.
        GoogleCredential credential = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(jsonFactory)
                .setServiceAccountId("[email protected]")
                .setServiceAccountPrivateKey(serviceAcountPrivateKey)
                .setServiceAccountScopes(
                        Arrays.asList(
                                ReportsScopes.ADMIN_REPORTS_USAGE_READONLY,
                                ReportsScopes.ADMIN_REPORTS_AUDIT_READONLY))
                .build();
        Reports service = new Reports.Builder(httpTransport, jsonFactory, credential)
                .setApplicationName("APP_NAME_BLOCKED")
                .build();

        service.activities().list("all", "admin").execute();

    } catch (GeneralSecurityException | IOException e) {
        throw new RuntimeException("Error init google", e);
    }

我得到的错误如下:

{ 代码":401， 错误":[{ "domain":"global"， "location":授权"， "locationType":"header"， "message":访问被拒绝.您无权读取活动记录."， 原因":"authError" }]， "message":访问被拒绝.您无权读取活动记录."}

{ "code" : 401, "errors" : [ { "domain" : "global", "location" : "Authorization", "locationType" : "header", "message" : "Access denied. You are not authorized to read activity records.", "reason" : "authError" } ], "message" : "Access denied. You are not authorized to read activity records."}

推荐答案

对于所有想知道的人，如果您不使用电话

For all of those wondering, if you do not use the call

.setServiceAccountUser(管理员电子邮件地址")

.setServiceAccountUser("admins email address")

在GoogleCredential对象上，则将如上所述失败.这有点令人困惑，因为服务帐户本身没有访问报告的权限，但是它确实能够承担具有以下职责的帐户的角色:

on the GoogleCredential object then this will fail as above. It is a little confusing as the service account on it's own does not have permission to access the reports, but it does have the ability to assume the role of an account that does...

这篇关于使用服务帐户访问Google Admin Report SDK的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！