I'm developing an app that uses a service account to manage events in a calendar and takes information about the buildings set in the workspace. I'm generating a JWT token that allows me, after calling https://oauth2.googleapis.com/token, to have a proper token to perform authenticated requests to Google's REST API.
This succeeds when I ask for events of a specific calendar but fails with error 403 when I ask for buildings at this API endpoint: https://admin.googleapis.com/admin/directory/v1/customer/CUSTOMER_ID/resources/buildings. Is there something I'm missing?
I'm using those scopes:
And the service account has the permission
The JWT token is generated using Python with this series of commands:
```python
import time

import google.auth.crypt
import google.auth.jwt

# scopes is an input variable
# service_account_info is the JSON object obtained by generating a key for the service account
scopes.append("https://www.googleapis.com/auth/cloud-platform")

# Create the JWT payload
now = int(time.time())  # one integer timestamp so iat and exp stay consistent
payload = {
    'iss': service_account_info['client_email'],
    'aud': 'https://oauth2.googleapis.com/token',
    'scope': ' '.join(scopes),
    'iat': now,
    'exp': now + 3600,
}
# Sign the payload with the service account's private key
signer = google.auth.crypt.RSASigner.from_service_account_info(service_account_info)
jwt_token = google.auth.jwt.encode(signer, payload)
```
The request to the REST API is a GET with an Authorization: Bearer {jwt} header.
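As an added example (not part of the original question and not the poster's code), the following standard-library helper decodes a signed assertion without verifying it and reports what its claims actually request, which is a useful first check when one API accepts the resulting token and another returns 403. The names `inspect_assertion`, `make_sample` and `SAMPLE` are hypothetical, and the sample token is constructed and unsigned.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"  # 'aud' value used in the question
MAX_LIFETIME = 3600  # seconds; the lifetime the question's payload requests


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_assertion(token, now=None):
    """Decode (without verifying) a JWT assertion and list claim findings."""
    if isinstance(token, bytes):  # google.auth.jwt.encode returns bytes
        token = token.decode("ascii")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    required = ("iss", "aud", "scope", "iat", "exp")
    findings = [f"missing claim: {n}" for n in required if n not in claims]
    if claims.get("aud") != TOKEN_URL:
        findings.append("aud is not the token endpoint")
    iat, exp = claims.get("iat"), claims.get("exp")
    if isinstance(iat, (int, float)) and isinstance(exp, (int, float)):
        if exp - iat > MAX_LIFETIME:
            findings.append("lifetime exceeds one hour")
        if exp <= now:
            findings.append("assertion already expired")
    if "sub" not in claims:
        findings.append("no sub: token acts as the service account itself")
    scopes = str(claims.get("scope", "")).split()
    return {"scopes": scopes, "subject": claims.get("sub"), "findings": findings}


def make_sample(claims):
    # Constructed, unsigned token ("c2ln" is a dummy signature) for offline use.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed claims shaped like the question's payload (values are placeholders).
SAMPLE = make_sample({
    "iss": "calendar-bot@example-project.iam.gserviceaccount.com", "aud": TOKEN_URL,
    "scope": "https://www.googleapis.com/auth/cloud-platform",
    "iat": 1700000000, "exp": 1700003600})
```

Calling `inspect_assertion(jwt_token)` on the real assertion before posting it to the token endpoint shows the exact scope list and subject that the issued access token will carry.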