I am building a mailing list for customers using Google Groups. I am trying to programmatically sync customer email addresses from a contact database to a preexisting Google Group using the Cloud Identity API (link). It works for email addresses in our organization, but I am getting a 403 for non-Google addresses when invoking the create method for the groups.membership resource (link). The specific error is Error(2028): Permission denied for resource groups/******** (or it may not exist).
I am hoping that non-Google email addresses can be added to groups with the API. Below are variations of what I have tried so far.
Configuration Details
- Create a project in GCP specifically for this automation.
- Create a service account in the project.
- Enable domain wide delegation for the service account with the following scopes:
- Enable "Group owners can allow external members" in Groups for Business section of Admin console.
- Set "Who can join group" in group settings to "Invited users only" and "Anyone on the web can ask".
- Enable "Allow external members" in group settings.
Request Details
- Authenticate as service account (who is a group owner).
- Impersonate user from service account (user is group owner and creator).
- Set `preferred_member_key.EntityKey.id` to customer's email address.
- Set `roles[].MembershipRole.name` to `MEMBER`.
I have also confirmed that the email address can be added through the Groups UI. My suspicion is that it has to do with the EntityKey (link), but I haven't found a value that works.
I could not find out whether this is possible with the Cloud Identity API. But it is possible to add external users to a Google Group using the Admin SDK, specifically the `members.insert` method for the Directory API (link). Just make sure that the `Member` in your request has `type` set to `EXTERNAL`.
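A sketch of the sync step using the Directory API route from the answer above, added here as an example and not code from the original post or from Google. It plans which contacts still need adding and builds the `members.insert` requests without sending them. The function names, the sample addresses and the choice of `USER` for in-domain addresses are assumptions; the access token is assumed to come from the delegated service account.

```python
import json
import urllib.parse
import urllib.request

# Directory API members.insert endpoint; {} is the URL-encoded group key.
API = "https://admin.googleapis.com/admin/directory/v1/groups/{}/members"

def plan_inserts(contacts, current_members, org_domain):
    """Return Member bodies for contacts that are not yet in the group."""
    have = {m.strip().lower() for m in current_members}
    bodies, seen = [], set()
    for raw in contacts:
        email = raw.strip().lower()
        if "@" not in email or email in have or email in seen:
            continue  # skip malformed, already-present and duplicate rows
        seen.add(email)
        external = email.rsplit("@", 1)[1] != org_domain.lower()
        # Per the answer: addresses outside the organization get type EXTERNAL.
        bodies.append({"email": email, "role": "MEMBER",
                       "type": "EXTERNAL" if external else "USER"})
    return bodies

def build_request(group_key, body, access_token):
    """Build (but do not send) the POST for one new member."""
    url = API.format(urllib.parse.quote(group_key, safe=""))
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})

# Constructed sample data, not taken from the post.
CONTACTS = ["Alice@customer.test ", "bob@example.com",
            "alice@customer.test", "carol@example.com", "not-an-address"]
CURRENT = ["carol@example.com"]

if __name__ == "__main__":
    for body in plan_inserts(CONTACTS, CURRENT, "example.com"):
        req = build_request("customers@example.com", body, "ACCESS_TOKEN")
        print(req.get_method(), req.full_url, req.data.decode())
```

Printing the planned requests before sending them gives a reviewable list of every outside address about to be granted membership.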