GCE: OS login without domain suffix name - google-compute-engine

Problem
I am a Google Workspace user and use Google Compute Engine. I enabled OS Login for our project, and then my login username changed to username_with_domain_suffix.
Now I would like to change my username to username while keeping OS Login enabled, so I checked the following document and asked our Workspace admin to turn the checkbox [OS Login API and Include domain suffix in user names generated by the OS Login API] off in the Google Admin Console.
Although our admin changed the setting, my login user did not change and is still username_with_domain_suffix. Are there any other settings required to log in as a user without the domain suffix? Thanks.
Reference
change / set gcloud os login username?

Even with the checkbox turned off in Google Admin, a previously created username won't change. Only new OS Login users will be affected. I think this is because the (POSIX) username is created at first use of OS Login and does not change after that.
In this case, you can use Google Directory API to update your existing posix account information stored at Google Directory.
I had exact same issue and was able to update my posix username with that.
Reference: https://cloud.google.com/compute/docs/oslogin/manage-oslogin-in-an-org#modify-users
API: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update
You'd need to be a Google Workspace admin (not GCP) to update it. I used "Try this method" in the API link. No need to write code. But be careful, you may ruin your account info there.
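As an added example (not code from the answer or from Google), this builds the `posixAccounts` request body for the `users.update` call the answer links to, starting from the user resource that `users.get` returns. It assumes the suffixed name is the short name followed by `_` and the domain with non-alphanumerics replaced by `_`; the function names, the name check and the sample user are constructed for illustration.

```python
import copy
import re

# Conservative login-name check: an assumption of this example, not a rule
# quoted from the OS Login documentation.
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def suffix_for(primary_email):
    """Suffix assumed to be appended to the name, e.g. '_example_com'."""
    domain = primary_email.lower().partition("@")[2]
    if not domain:
        raise ValueError("primaryEmail has no domain part")
    return "_" + re.sub(r"[^a-z0-9]", "_", domain)


def build_update_body(user, taken_usernames=frozenset()):
    """Return the users.update body that renames suffixed POSIX accounts."""
    suffix = suffix_for(user["primaryEmail"])
    accounts = copy.deepcopy(user.get("posixAccounts", []))
    renamed = 0
    for acct in accounts:
        old = acct["username"]
        if not old.endswith(suffix):
            continue  # already a short name, leave the entry untouched
        new = old[: -len(suffix)]
        if not POSIX_NAME.match(new):
            raise ValueError(f"{new!r} is not a usable login name")
        if new in taken_usernames:
            raise ValueError(f"{new!r} is already used by another account")
        acct["username"] = new
        # uid and gid are deliberately kept, so file ownership on existing
        # VMs still maps to the same account after the rename.
        if acct.get("homeDirectory") == "/home/" + old:
            acct["homeDirectory"] = "/home/" + new
        renamed += 1
    if renamed == 0:
        raise ValueError("no posixAccounts entry carries the domain suffix")
    return {"posixAccounts": accounts}


# Constructed sample of the user resource returned by users.get.
SAMPLE_USER = {
    "primaryEmail": "alice@example.com",
    "posixAccounts": [{
        "username": "alice_example_com", "uid": "1234567890",
        "gid": "1234567890", "homeDirectory": "/home/alice_example_com",
        "shell": "/bin/bash", "primary": True,
    }],
}
```

Review the returned body against the current `posixAccounts` value before submitting it, and pass the set of short names already in use in the organization as `taken_usernames` so a rename cannot collide with another account.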

Related

How to allow Google App Maker app access with no sign-in required

I have created an App in Google AppMaker and have shared the Deployment to Anyone with the link can view (No sign-in required).
Application Access in Deployment Settings is set to "Do not restrict access to this application".
Application is set to runs with Developer Account.
However, if someone tries to access the app with the..
..Deployment URL (https://script.google.com/macros/.../exec), they get redirected to login screen (https://accounts.google.com/signin/...),
the app does open correctly after signing in, but the sign-in shouldn't be required.
..Link to share (https://drive.google.com/file/.../view), they get: No preview available
I switched once to "Application set to runs with User Account", but the result remains the same. Actually, I reset this setting as I consider "Application set to runs with User Account" to require User authentication in order to load their assigned permission.
I most probably missed something on the way of sharing my app.
Can someone please help?
Let me know if you require more details about this case.
Thanks!!
You can't.
Note: App Maker apps are only available to users in your G Suite domain. You can't share them with external users.
To make sure only users on your domain can access it, users need to sign-in.

Creating the users in the google domain (python)

I am creating an application in which I am getting a Client_secret.json file, and in my application I'm trying to load that json file and get the credentials from it using the following code:
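import httplib2
from googleapiclient import discovery

# get_credentials() is the asker's own helper (not shown); it loads the
# OAuth credentials from the client secret JSON file.
credentials = get_credentials(filename)
http = credentials.authorize(httplib2.Http())
service = discovery.build('admin', 'directory_v1', http=http)
# Body of the users.insert request.
userinfo = {
    'primaryEmail': primaryEmail,
    'name': {'givenName': user},
    'password': password,
}
service.users().insert(body=userinfo).execute()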
It gives the following error:
httpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users?alt=json returned insufficient permission
I'm not sure what I'm doing wrong or am I missing something? I was wondering if the problem is in the json file which I'm creating?
Any help would be appreciated.
Thanks,
Aman
Well, you can start by checking a few things:
If you're using a service account, be sure to enable the "wide domain delegation option" to allow a service account to access user data on behalf of your users and perform operations.
Check if the scope https://www.googleapis.com/admin/directory/v1/users is authorized for your client ID on your Google Admin console > Security > Advanced settings > Authentication > Manage API client access.
Check if the user that you're using to insert the new user has enough privileges, a.k.a. super admin privileges.
Check if the Admin SDK API is active on your project.
Keep in mind that just downloading the client_json and activating an API isn't enough to allow these types of operations. For certain APIs like Admin SDK, the user you're gonna use to consume those services needs to have specific privileges.
Here are a few helpful links:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
https://support.google.com/a/answer/162106?hl=en
I would first check to make sure that you have the correct Admin privileges on the account that you are trying to use OAuth credentials on. I would try logging into the account and going to this reference page in the Directory API for Users:insert
https://developers.google.com/admin-sdk/directory/v1/reference/users/insert
On the right hand side you should go to the Try this API section and see if that account has permissions to create new users.
Also another thing I noticed as well, is that you're not setting the required field familyName inside of the name field. familyName is a required property.
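The points from the answers above, combined in one added example (not code from the original posts): a request body that includes the required `familyName`, and a call made with a service account that impersonates an admin through domain-wide delegation. The function names, `key_file` and `admin_email` are hypothetical; the scope shown is the Directory API user scope and must be the one authorized for the service account's client ID.

```python
import secrets

# Directory API scope for creating and updating users. An admin must
# authorize exactly this scope for the service account's client ID.
SCOPES = ["https://www.googleapis.com/auth/admin.directory.user"]


def build_user_body(primary_email, given_name, family_name, password=None):
    """Return a users.insert body with every required field present."""
    for label, value in (("primaryEmail", primary_email),
                         ("givenName", given_name),
                         ("familyName", family_name)):
        if not value or not value.strip():
            raise ValueError(f"{label} is required")
    if password is None:
        # Random initial password (24 characters) instead of a fixed one.
        password = secrets.token_urlsafe(18)
    if not 8 <= len(password) <= 100:
        raise ValueError("password must be 8-100 characters")
    return {
        "primaryEmail": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        "password": password,
        # Force the new user to replace the initial password at first login.
        "changePasswordAtNextLogin": True,
    }


def create_user(key_file, admin_email, body):
    """Insert the user while impersonating an admin (needs network access)."""
    # Imported here so build_user_body() works without these packages.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=SCOPES, subject=admin_email)
    service = build("admin", "directory_v1", credentials=creds)
    return service.users().insert(body=body).execute()
```

A 403 from `create_user` with a valid body points back to the checklist: the scope is not authorized for the client ID, the impersonated account lacks admin privileges, or the Admin SDK API is not enabled on the project.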

Calling Google Service from Apps Script with oAuth

I was trying to run the sample script of Google Apps Script here:
https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs
I believe I set PRIVATE_KEY, CLIENT_EMAIL and USER_EMAIL correctly from JSON file downloaded from Google Developer Console. Also I enabled Google Drive API on the project. But still I get an error in the dialog "Error: invalid_client\n no application name".
Is there any code I should add / change to run this sample script correctly?
In case you are using the correct settings (PRIVATE_KEY,CLIENT_EMAIL and a valid USER_EMAIL), the error could also be related to the permission granted to the application from the domain admin.
Since this example uses domain wide delegation of authority to impersonate the account from the USER_EMAIL, first the domain admin has to grant permissions to the application to perform this kind of operations.
To grant these permissions to the app you can do it by going to: your Admin Console -> Security -> Advanced Settings -> Manage API client access
There you will add the service account CLIENT_ID in the field "Client Name" and in the second field you will add your project scopes separated by commas. These scopes should match the scopes that the application uses. In this case, it's the Drive scope and any others you may be using.
Click the button "Authorize" and if everything goes well, then you will be able to impersonate users in your domain with that project.
Here is the related documentation. I hope this helps.

How can I change the display name of an API console Service user?

I am using an API Console type Service user to create and share files with users. The name of the Service user appears in the UI as a long, unintelligible string. How can I change it please?
It's not possible to edit the Google profile of a service account, therefore you can't modify the display name.

about service accounts and unregistered users

I have a web app in PHP and MySQL, and I want to use one Google Drive account for my app.
Can I use my app's accounts instead of Google users for privileges?
I read in the SDK that I can use a service account to log in without prompting the user, but I don't know how to share files or give file permissions to custom users.
In api reference I found this:
"The user is not necessarily yet a Google user (e.g. if a file or folder is shared with an email address that does not yet have an associated Google account). Example: 1111459233037698895607".
How should a custom user in my app get a token for their own privileges?
I am not exactly sure what you want to achieve here, but if you want to use your own permission system, you can't. You can, however, apply read/write/owner permissions to files to mirror your own permissions.
If I have totally got the wrong idea, please explain.