Hi, we are using Google Cloud and GAM v7.27.00. When we work with OAuth2, it allows us to work perfectly with the scopes assigned to our users. But when we try to work with a service account, the moment we do 'gam user [email protected] check serviceaccount' all scopes fail. We checked the domain-wide delegation and the SV client_id is correctly added. I also checked admin_email and tested both my email and the super admin email. I also checked 'user_service_account_access_only = true'. I will leave some of the error output and the scopes that fail. Thanks!
gam@1a286d377a9e:/home$ gam info domain
ERROR: Caller does not have access to the customers reporting data.
ERROR: Reauthentication is needed, please run
gam oauth create
When I do gam user [email protected] check serviceaccount:
System time status
Your system time differs from admin.googleapis.com by less than 1 second PASS
Service Account Private Key Authentication
Authentication PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
Service Account Private Key age: 2 days PASS
Domain-wide Delegation authentication:, User: [email protected], Scopes: 43
https://mail.google.com/ FAIL (1/43)
https://www.googleapis.com/auth/analytics.readonly FAIL (2/43)
https://www.googleapis.com/auth/apps.alerts FAIL (3/43)
https://www.googleapis.com/auth/apps.groups.migration FAIL (4/43)
https://www.googleapis.com/auth/calendar FAIL (5/43)
https://www.googleapis.com/auth/chat.admin.delete FAIL (6/43)
https://www.googleapis.com/auth/chat.admin.memberships FAIL (7/43)
https://www.googleapis.com/auth/chat.admin.spaces FAIL (8/43)
https://www.googleapis.com/auth/chat.customemojis FAIL (9/43)
https://www.googleapis.com/auth/chat.delete FAIL (10/43)
https://www.googleapis.com/auth/chat.memberships FAIL (11/43)
https://www.googleapis.com/auth/chat.messages FAIL (12/43)
https://www.googleapis.com/auth/chat.spaces FAIL (13/43)
https://www.googleapis.com/auth/classroom.announcements FAIL (14/43)
https://www.googleapis.com/auth/classroom.coursework.students FAIL (15/43)
https://www.googleapis.com/auth/classroom.courseworkmaterials FAIL (16/43)
https://www.googleapis.com/auth/classroom.profile.emails FAIL (17/43)
https://www.googleapis.com/auth/classroom.profile.photos FAIL (18/43)
https://www.googleapis.com/auth/classroom.rosters FAIL (19/43)
https://www.googleapis.com/auth/classroom.topics FAIL (20/43)
https://www.googleapis.com/auth/cloud-identity.devices FAIL (21/43)
https://www.googleapis.com/auth/contacts FAIL (22/43)
https://www.googleapis.com/auth/contacts.other.readonly FAIL (23/43)
https://www.googleapis.com/auth/datastudio FAIL (24/43)
https://www.googleapis.com/auth/directory.readonly FAIL (25/43)
https://www.googleapis.com/auth/documents FAIL (26/43)
https://www.googleapis.com/auth/drive FAIL (27/43)
https://www.googleapis.com/auth/drive.activity FAIL (28/43)
https://www.googleapis.com/auth/drive.admin.labels FAIL (29/43)
https://www.googleapis.com/auth/drive.labels FAIL (30/43)
https://www.googleapis.com/auth/drive.readonly FAIL (31/43)
https://www.googleapis.com/auth/forms.body FAIL (32/43)
https://www.googleapis.com/auth/forms.responses.readonly FAIL (33/43)
https://www.googleapis.com/auth/gmail.modify FAIL (34/43)
https://www.googleapis.com/auth/gmail.settings.basic FAIL (35/43)
https://www.googleapis.com/auth/gmail.settings.sharing FAIL (36/43)
https://www.googleapis.com/auth/keep FAIL (37/43)
https://www.googleapis.com/auth/meetings.space.created FAIL (38/43)
https://www.googleapis.com/auth/meetings.space.readonly FAIL (39/43)
https://www.googleapis.com/auth/meetings.space.settings FAIL (40/43)
https://www.googleapis.com/auth/spreadsheets FAIL (41/43)
https://www.googleapis.com/auth/tasks FAIL (42/43)
https://www.googleapis.com/auth/userinfo.profile FAIL (43/43)
Deprecated scopes that GAM should NEVER have DwD access to:, User: [email protected], Scopes: 3
https://www.googleapis.com/auth/cloud-identity PASS (1/3)
https://www.googleapis.com/auth/cloud-platform PASS (2/3)
https://www.googleapis.com/auth/iam PASS (3/3)
Some scopes FAILED or should be DISABLED!
To update authorization, please go to the following link in your browser:
https://gam-shortn.appspot.com/xxxxxx
You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page
The "Add a new Client ID" box will open
Make sure that "Overwrite existing client ID" is checked
Click AUTHORIZE
When the box closes you're done
After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.