20

I am new to working with Google API but I have a project that requires me to access their domain to find a user's manager by email. Before I started on the code I wanted to set everything up so I followed the example file for PHP. I was able to get it to work but had some issues with refreshing the token once it expired and research pushed me towards using a Service Account, as this is a server cron script and I don't want to deal with any user interactions.

I created the Service Account, enabled G Suite Domain-wide Delegation, and added access for: https://www.googleapis.com/auth/admin.directory.user.readonly

I get a Google_Service_Exception with my script.

The response is:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "notFound",
    "message": "Domain not found."
   }
  ],
  "code": 404,
  "message": "Domain not found."
 }
}

I am assuming this means it doesn't know the accounts domain but I don't see how I can resolve this. I assume that if this was a permissions issue, Google would tell me. I tried searching online but no luck as the issues I found were using a different method and the fixes weren't something that could be done on the Service Account. I am stuck right now so I hope a push in the right direction will get me on track.

This is the test script I am using:

<?php

require_once( __DIR__. '/vendor/autoload.php' );

define('CREDENTIALS_PATH', '/path/to/service_account.json');

define('SCOPES', implode(' ', array(
        Google_Service_Directory::ADMIN_DIRECTORY_USER_READONLY)
));

date_default_timezone_set('America/New_York');

/**
 * Returns an authorized API client.
 * @return Google_Client the authorized client object
 */
function getClient() {
    $client = new Google_Client();
    $client->setApplicationName('TestingApp');
    $client->setAuthConfig(CREDENTIALS_PATH);
    $client->setScopes(SCOPES);

    return $client;
}   

// Get the API client and construct the service object.
$client = getClient();
$service = new Google_Service_Directory($client);

// Print the first 10 users in the domain.
$optParams = array(
    'customer' => 'my_customer',
    'maxResults' => 10,
    'orderBy' => 'email',
);
$results = $service->users->listUsers($optParams);

if (count($results->getUsers()) == 0) {
    print "No users found.\n";
} else {
    print "Users:\n";
    foreach ($results->getUsers() as $user) {
        printf("%s (%s)\n", $user->getPrimaryEmail(),
            $user->getName()->getFullName());
    }
}

My service_account.json contains (cleaned obviously)

{
    "type": "service_account",
    "project_id": "PROJECT_ID",
    "private_key_id": "PRIVATE_KEY_ID",
    "private_key": "PRIVATE_KEY",
    "client_email": "SERVICE_ACCOUNT_EMAIL.iam.gserviceaccount.com",
    "client_id": "CLIENT_ID",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_IDENTIFIER.iam.gserviceaccount.com"
}

Thanks for any assistance on this.

Jeremy
  • 1,878
  • 2
  • 30
  • 54
  • try creating a user object into the schema as shown in this thread http://stackoverflow.com/questions/23767994/404-resource-not-found-domain-with-google-direcotry-api. – Pritish Vaidya Oct 14 '16 at 21:57
  • He is adding a user, not exactly the same case but I still tried to use an object to make the request. Ruby's API is a bit different so I didn't have the same methods by what I was able to get still gave me the same error so I assume I did it correctly. I am currently going over the API code myself to see if I can understand how to use it better than their docs. Thanks for the attempt – Jeremy Oct 15 '16 at 03:47

3 Answers3

16

Okay, this was a very easy step to overlook but it was an extremely simple fix.

The issue here was that the domain for the account was not identified. I was under the impression that the service account was already attached to the domain but that is not the case. So the fix is just one line of code to add to the client to set it to a user that is in the domain (for my case).

The fix for me was to add:

$client->setSubject('account@domain.com');

to my getClient method.

so now the method looks like:

/**
 * Returns an authorized API client.
 * @return Google_Client the authorized client object
 */
function getClient() {
    $client = new Google_Client();
    $client->setApplicationName('TestingApp');
    $client->setAuthConfig(CREDENTIALS_PATH);
    $client->setScopes(SCOPES);
    $client->setSubject('account@domain.com');
    return $client;
}

I saw this mentioned in the API but it states it as optional. Hopefully this will help someone else too.

Jeremy
  • 1,878
  • 2
  • 30
  • 54
2

for me was the same error, but i needed to share my calendar with service account email (that found in json auth file). After that, error dissapeared.

Tomas Šivickas
  • 977
  • 9
  • 10
0

For my case it was the domain value I passed with listUsers() function caused this error. Let's say my domain for GSuite is xyz.com and I tried with something like this

$dir = new \Google_Service_Directory($googleClient);
$dir->users->listUsers(array('domain' => 'abc.com', 'maxResults' => 500));

Instead I should use the correct domain name for value of the 'domain' like below.

$dir = new \Google_Service_Directory($googleClient);
$dir->users->listUsers(array('domain' => 'xyz.com', 'maxResults' => 500));
Anton Perera
  • 353
  • 3
  • 9