使用C#.Net中的服务帐户访问Google保险柜

时间:2018-12-22 18:37:56

标签: c# google-contacts google-vault-api

我已经成功使用以下代码通过我们的服务帐户访问了Gmail用户的帐户(使用gmail作用域和gmail服务对象除外)。但是,使用相同的方法无法成功访问保管库。

/* Example of service-account-credentials.json file:
{
 "type": "service_account",
 "project_id": "[REDACTED]",
 "private_key_id": "[REDACTED]",
 "private_key": "[REDACTED]",
 "client_email": "[REDACTED].gserviceaccount.com",
 "client_id": "[REDACTED]",
 "auth_uri": "https://accounts.google.com/o/oauth2/auth",
 "token_uri": "https://oauth2.googleapis.com/token",
 "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/[REDACTED]"
 }
*/

// parsed to my ServiceAccountKey class as follows:

//check "type" == "service_account"
//ServiceAccount.Project = "project_id"
//ServiceAccount.Id = "private_key_id"
//ServiceAccount.Private = "private_key"
//ServiceAccount.Client = "client_id"
//ServiceAccount.Email = "client_email"
//ServiceAccountKey.Auth == "auth_uri"
//ServiceAccountKey.Token == "token_uri"
//ServiceAccountKey.Provider == "auth_provider_x509_cert_url"
//ServiceAccountKey.Credential == "client_x509_cert_url"

ServiceAccountKey sak = new ServiceAccountKey(@"C:\Temp\service-account-credentials.json");

ServiceAccountCredential.Initializer saci = new ServiceAccountCredential.Initializer(sak.Email, sak.Token.AbsoluteUri);

saci.User = "[REDACTED]";  // should I be specifying the user who has Vault access?
saci.Scopes = new[] { VaultService.Scope.EdiscoveryReadonly };

ServiceAccountCredential sac = new ServiceAccountCredential(saci.FromPrivateKey(sak.Private));

BaseClientService.Initializer bcsi = new BaseClientService.Initializer();

bcsi.HttpClientInitializer = sac;
bcsi.ApplicationName = sak.Project;

VaultService vs = new VaultService(bcsi);

MattersResource.ListRequest lr = vs.Matters.List();
lr.PageSize = 10;
ListMattersResponse lmr = lr.Execute();

使用实际用户时,例如使用saci.User =“ google-vault-admin@company.com”时出现以下错误:

错误:“ unauthorized_client”,说明:“未授权客户端使用此方法检索访问令牌。”,Uri:“”

但是,当在没有委派用户的情况下使用服务帐户(或通过指定saci.User = sak.Email)时,出现错误:

该用户不属于任何Dasher客户

如果我对Google Vault Admin帐户使用OAuth2方法(即通过浏览器登录到Google Vault的帐户),则可以通过我的程序成功访问Vault。但是,我想将服务帐户用于服务器端流程。是否对我要去哪里出错或是否可以使用服务帐户访问Google保险柜有任何想法? ({https://console.developers.google.com/apis/credentials?..。)的权限部分建议服务帐户对Vault API访问有效。我已经正确设置了作用域和凭据,它与Gmail相似,已经成功了。

服务帐户的电子邮件地址是否需要Google保险柜许可证?

(注意:有趣的是,我在Java中尝试了类似的方法并获得了401)。

0 个答案:

没有答案
相关问题
最新问题