Use the Google Cloud Identity API for Google Groups

Stéphane Giron
Aug 28 · 2 min read

As an admin you can use the Admin SDK API to manage your domain and your Google Groups, but Google has now also created a dedicated entry in the Cloud Identity API to manage Groups.

This article provides some REST and Apps Script code to query the Cloud Identity API.

Helper functions

To use the API we need two helper functions that return the parameters required to query it.

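function getCustomerId(){
  // Requires the Admin SDK Directory advanced service (AdminDirectory) to be enabled in the script.
  var me = AdminDirectory.Users.get(Session.getEffectiveUser().getEmail());
  Logger.log(me.customerId);
  return me.customerId;
}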

The customer ID is needed to retrieve all groups of your domain.

function getGroupName(email){
  var baseUrl = "https://cloudidentity.googleapis.com/v1beta1/groups?parent=customers/"+getCustomerId();
  var param = {
    method : "get",
    headers : {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
    // muteHttpExceptions:true,
  };
  var pageToken;
  do{
    // Send the page token back; without it every request returns the first page again.
    var url = pageToken ? baseUrl + "&pageToken=" + encodeURIComponent(pageToken) : baseUrl;
    var page = JSON.parse(UrlFetchApp.fetch(url,param).getContentText());
    if(page.groups && page.groups.length > 0){
      for(var i = 0; i < page.groups.length; i++){
        // groupKey.id holds the group email, name holds the resource name.
        if(page.groups[i].groupKey.id === email){
          return page.groups[i].name;
        }
      }
    }
    pageToken = page.nextPageToken;
  }while(pageToken)
  throw new Error("Can't find Group Name for the email specified");
}

To get the users in a group or to manage the group you need its group name, which is not the email, so you have to look it up first.

List groups and get the users of a group

Here is the code to list the Groups of your domain with the Cloud Identity API.

function listGoogleGroups() {
  var baseUrl = "https://cloudidentity.googleapis.com/v1beta1/groups?parent=customers/"+getCustomerId();
  var param = {
    method : "get",
    headers : {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
    // muteHttpExceptions:true,
  };
  var pageToken;
  var results = [];
  do{
    // Send the page token back; without it every request returns the first page again.
    var url = pageToken ? baseUrl + "&pageToken=" + encodeURIComponent(pageToken) : baseUrl;
    var page = JSON.parse(UrlFetchApp.fetch(url,param).getContentText());
    if(page.groups && page.groups.length > 0){
      for(var i = 0; i < page.groups.length; i++){
        var group = page.groups[i];
        // Resource name, group email, display name.
        results.push([group.name,group.groupKey.id,group.displayName]);
      }
    }
    pageToken = page.nextPageToken;
  }while(pageToken)
  Logger.log(results);
}

And here is the code to get the users in a group with the Cloud Identity API.

function getGroupsMemberships(){
  var email = 'support@cloud34.fr';
  var baseUrl = 'https://cloudidentity.googleapis.com/v1beta1/'+getGroupName(email)+'/memberships';
  var param = {
    method : "get",
    headers : {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
    // muteHttpExceptions:true,
  };
  var pageToken;
  var results = [];
  results.push(['Email','Role','Id']);
  do{
    // Send the page token back; without it every request returns the first page again.
    var url = pageToken ? baseUrl + "?pageToken=" + encodeURIComponent(pageToken) : baseUrl;
    var page = JSON.parse(UrlFetchApp.fetch(url,param).getContentText());
    if(page.memberships && page.memberships.length > 0){
      for(var i = 0; i < page.memberships.length; i++){
        var user = page.memberships[i];
        // A membership can carry several roles (an owner holds MEMBER and OWNER), so report all of them.
        var roles = (user.roles || []).map(function(r){ return r.name; }).join(',');
        results.push([user.preferredMemberKey.id,roles,user.name]);
      }
    }
    pageToken = page.nextPageToken;
  }while(pageToken)
  Logger.log(results);
}
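The memberships listing is the raw material for a group access review. The following is an added example, not part of the original article: it follows nextPageToken through every page and flags members outside the domain and members holding OWNER or MANAGER. The function names, the injected fetchPage callback (in Apps Script it would wrap UrlFetchApp.fetch) and the sample data are assumptions made for the illustration.

```javascript
// Added example; all names here are hypothetical, sample data is constructed.
var PRIVILEGED_ROLES = ["OWNER", "MANAGER"];

// fetchPage(pageToken) must return the parsed JSON of one memberships page.
// Every page is followed until no nextPageToken is returned.
function listAllMemberships(fetchPage) {
  var all = [], pageToken;
  do {
    var page = fetchPage(pageToken);
    all = all.concat(page.memberships || []);
    pageToken = page.nextPageToken;
  } while (pageToken);
  return all;
}

// Keeps only memberships that are external to `domain` or carry a privileged role.
function auditMemberships(memberships, domain) {
  var suffix = "@" + domain.toLowerCase();
  return memberships.map(function (m) {
    var id = ((m.preferredMemberKey || {}).id || "").toLowerCase();
    var roles = (m.roles || []).map(function (r) { return r.name; });
    return {
      email: id,
      roles: roles,
      // Exact "@domain" suffix match, so look-alike domains count as external.
      external: id.slice(-suffix.length) !== suffix,
      privileged: roles.some(function (r) { return PRIVILEGED_ROLES.indexOf(r) !== -1; })
    };
  }).filter(function (f) { return f.external || f.privileged; });
}

// Constructed two-page response in the shape the article's code reads.
var SAMPLE_PAGES = {
  first: { nextPageToken: "p2", memberships: [
    { name: "groups/g1/memberships/1", preferredMemberKey: { id: "alice@example.com" },
      roles: [{ name: "MEMBER" }, { name: "OWNER" }] },
    { name: "groups/g1/memberships/2", preferredMemberKey: { id: "bob@example.com" },
      roles: [{ name: "MEMBER" }] } ] },
  p2: { memberships: [
    { name: "groups/g1/memberships/3", preferredMemberKey: { id: "carol@partner.example" },
      roles: [{ name: "MEMBER" }] } ] }
};
function sampleFetchPage(token) { return SAMPLE_PAGES[token || "first"]; }

function runSampleAudit() {
  return auditMemberships(listAllMemberships(sampleFetchPage), "example.com");
}
```

On the sample data this reports alice@example.com as privileged and carol@partner.example as external, while bob@example.com is left out.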

The Cloud Identity API is more generic than the Admin SDK, which is why you can’t look up details directly by email, but it provides more features if, for example, you are using groups in a GCP application.

Find the code on GitHub: link
