We are setting up an easy way to provision new G Suite customers and our project is already capable of creating customers and the respective subscriptions. But users only get some welcome mail from Google and are being told to login. When trying to create the first user through the admin directory api all we get is this:
googleapi: Error 403: Access Not Configured. Admin Directory API has not been used in project xxx before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=xxx then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured"
(sensitive information marked with xxx)
The API client is built using the same method as the reseller client and all this is done through our domain-wide delegated service account with the required scopes set in (our) G Suite.
When using the Reseller Console to jump into the new customers admin interface, the API's there are enabled (default).
The docs online don't really tell something about this and just describe how to create the user but no limitations are listed.
We are using the Golang libraries, the user insert looks like this:
...
usr, err := adm.Users.Insert(trial.User).Do()
if err != nil {
...
}
...
err = adm.Users.MakeAdmin(usr.PrimaryEmail, &admin.UserMakeAdmin{
Status: true,
}).Do()
if err != nil {
...
}
...
The API client is build like this:
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
if filename := os.Getenv(envVar); filename != "" {
serviceAccountJSON, err := ioutil.ReadFile(filename)
if err != nil {
log.Fatal("creating oauth client failed", zap.Error(err))
}
config, err := google.JWTConfigFromJSON(serviceAccountJSON,
reseller.AppsOrderScope,
admin.AdminDirectoryUserScope,
)
adminClient = config.Client(ctx)
config.Subject = *impersonationUser
resellerClient = config.Client(ctx)
}
res, _ := reseller.New(resellerClient)
adm, _ := admin.New(adminClient)
