I am attempting to manage email aliases with a user I set up in the Google Directory console, but am running into a surprising permission issue.
I have created an admin role within the Google Directory console that has two API privileges: Read users, and Add/Remove aliases:
Below is code that I have written to manage the aliases. I should note that this code is known to work for a super-admin account; it's only on this account with more limited permissions that it's not working.
```javascript
import { google } from 'googleapis'

// Service account credentials taken from the downloaded JSON key; loaded from the environment here
const client_email = process.env.GOOGLE_CLIENT_EMAIL
const private_key = process.env.GOOGLE_PRIVATE_KEY

const apiUser = '[email protected]'      // delegated admin the service account impersonates
const targetAlias = '[email protected]'  // alias to add to that user

// Domain-wide delegation: authenticate as the service account, then act as apiUser
const directoryAuth = new google.auth.JWT(
  client_email,
  undefined,
  private_key,
  ['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.alias'],
  apiUser
);
const service = google.admin({ version: 'directory_v1', auth: directoryAuth });

// Get current aliases -- this part works
const getUserResponse = await service.users.get({
  userKey: apiUser
});
const currentAliases = getUserResponse.data.aliases
console.log('current aliases:', currentAliases)

// Add aliases: - returns 403 with message "Not Authorized to access this resource/api"
await service.users.aliases.insert({
  userKey: apiUser,
  requestBody: {
    alias: targetAlias
  }
});
```
The code above fails on the last line when it attempts to insert, returning:
```
code: 403,
errors: [
  {
    message: 'Not Authorized to access this resource/api',
    domain: 'global',
    reason: 'forbidden'
  }
]
```
According to the Method: users.aliases.insert docs here, the alias endpoint needs one of three permissions:
> Requires one of the following OAuth scopes:
> 1. https://apps-apis.google.com/a/feeds/alias/
> 2. https://www.googleapis.com/auth/admin.directory.user
> 3. https://www.googleapis.com/auth/admin.directory.user.alias
Is there a different set of API privileges I should be checking to satisfy the roles above?
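One way to narrow this down is to enumerate what the delegated admin actually holds instead of guessing from the OAuth scope list: directory_v1 exposes roleAssignments.list and roles.get, so a short audit can compare the role's rolePrivileges against the privilege you expect before attempting the insert. This is an added example, not code from the question; `service` is assumed to be the authenticated admin client built above, and the privilege names in REQUIRED_PRIVILEGES are placeholders to be confirmed against privileges.list for your customer.

```javascript
// Placeholder assumption: the privilege names expected to cover reading users
// and creating aliases. Confirm the real names for your customer with
// service.privileges.list({ customer: 'my_customer' }).
const REQUIRED_PRIVILEGES = ['USERS_RETRIEVE', 'USERS_ALIAS']

// Pure check: which required privilege names are absent from the rolePrivileges
// entries ({ privilegeName, serviceId }) gathered across a user's roles.
function missingPrivileges(rolePrivileges, required = REQUIRED_PRIVILEGES) {
  const held = new Set(rolePrivileges.map(p => p.privilegeName))
  return required.filter(name => !held.has(name))
}

// Gather every rolePrivileges entry from all roles assigned to userKey using
// directory_v1 roleAssignments.list and roles.get. `service` is the
// google.admin({ version: 'directory_v1', ... }) client from the question.
async function collectPrivileges(service, userKey, customer = 'my_customer') {
  const assignments = await service.roleAssignments.list({ customer, userKey })
  const privileges = []
  for (const assignment of assignments.data.items ?? []) {
    const role = await service.roles.get({ customer, roleId: assignment.roleId })
    privileges.push(...(role.data.rolePrivileges ?? []))
  }
  return privileges
}

// Run this before a mutating call so a 403 can be traced to a concrete
// missing privilege on the delegated admin rather than guessed at.
async function auditDelegatedAdmin(service, userKey) {
  const missing = missingPrivileges(await collectPrivileges(service, userKey))
  if (missing.length > 0) {
    console.warn(`${userKey} lacks privileges: ${missing.join(', ')}`)
  }
  return missing
}

// Constructed sample: a fake client whose single assigned role carries only
// USERS_RETRIEVE, so the audit reports the alias privilege as missing.
const sampleService = {
  roleAssignments: { list: async () => ({ data: { items: [{ roleId: '1' }] } }) },
  roles: { get: async () => ({ data: { rolePrivileges: [{ privilegeName: 'USERS_RETRIEVE', serviceId: 'svc' }] } }) },
}
auditDelegatedAdmin(sampleService, 'delegated-admin@example.com').then(m => console.log('missing:', m))
```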