Google Admin SDK - How can I access group members with a service account?
I am attempting to use a service account to access the members of a group. I have verified that I can do this using a normal OAuth2 token on behalf of a user, with a call to https://www.googleapis.com/admin/directory/v1/groups/{group}/members and the scope https://www.googleapis.com/auth/admin.directory.group.readonly.
I'd like to do the same with a service account, and I have added the service account email address to the group as a member, and verified that the view members permission is set to “all members of group, organization members”.
When I ask for the list of members, I receive this error:
    {
      "error": {
        "errors": [
          {
            "domain": "global",
            "reason": "forbidden",
            "message": "Not Authorized to access this resource/API"
          }
        ],
        "code": 403,
        "message": "Not Authorized to access this resource/API"
      }
    }
What do I need to do to authorize the service account to see the group?
You can follow the steps outlined in the following API docs page to create the service account and perform domain-wide delegation of authority. Please bear in mind that you need the email address of a user who is a member of the group (userEmail in the code snippet below) so the service account can act on their behalf:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation
The page includes Java and Python examples of how to instantiate a com.google.api.services.admin.directory.Directory object using the service account and private key created on the Google Developers Console:
    // Service account credential that acts on behalf of userEmail
    // (domain-wide delegation of authority).
    GoogleCredential credential = new GoogleCredential.Builder()
        .setTransport(httpTransport)
        .setJsonFactory(jsonFactory)
        .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
        .setServiceAccountScopes(DirectoryScopes.ADMIN_DIRECTORY_USERS)
        .setServiceAccountUser(userEmail)
        .setServiceAccountPrivateKeyFromP12File(
            new java.io.File(SERVICE_ACCOUNT_PKCS12_FILE_PATH))
        .build();
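The snippet above stops at the credential. The following is an added example, not code from the original answer or from Google's guide: it carries the delegated credential through to the members list call from the question, requesting only the read-only group scope the question uses. The class name, the application name and every constant value are placeholders, and it assumes that scope has been authorized for the service account's client ID in the Admin console as the linked guide describes.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.DirectoryScopes;
import com.google.api.services.admin.directory.model.Member;
import com.google.api.services.admin.directory.model.Members;
import java.io.File;
import java.util.Collections;

public class ListGroupMembers {
    // Placeholder values (assumptions); replace with your own.
    static final String SERVICE_ACCOUNT_EMAIL = "sa-name@project-id.iam.gserviceaccount.com";
    static final String SERVICE_ACCOUNT_PKCS12_FILE_PATH = "/path/to/key.p12";
    static final String USER_EMAIL = "delegated-user@example.com"; // user to act on behalf of
    static final String GROUP_KEY = "group@example.com";

    public static void main(String[] args) throws Exception {
        HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

        // Without setServiceAccountUser the token represents the service
        // account itself, not a user in the domain.
        GoogleCredential credential = new GoogleCredential.Builder()
            .setTransport(httpTransport)
            .setJsonFactory(jsonFactory)
            .setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
            .setServiceAccountScopes(Collections.singleton(
                DirectoryScopes.ADMIN_DIRECTORY_GROUP_READONLY)) // least privilege: read-only
            .setServiceAccountUser(USER_EMAIL)
            .setServiceAccountPrivateKeyFromP12File(new File(SERVICE_ACCOUNT_PKCS12_FILE_PATH))
            .build();

        Directory directory = new Directory.Builder(httpTransport, jsonFactory, credential)
            .setApplicationName("list-group-members-example")
            .build();

        // members.list is paginated: follow nextPageToken until it is null.
        String pageToken = null;
        do {
            Members page = directory.members().list(GROUP_KEY).setPageToken(pageToken).execute();
            if (page.getMembers() != null) { // null when the page has no members
                for (Member m : page.getMembers()) {
                    System.out.println(m.getEmail() + "\t" + m.getRole());
                }
            }
            pageToken = page.getNextPageToken();
        } while (pageToken != null);
    }
}
```

Domain-wide delegation lets the key holder act as any user in the domain within the authorized scopes, so authorize only the read-only scope this call needs and store the private key file accordingly.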