Updated gam report <ActivityApplictionName> to retry/handle the following error:

ERROR: 503: serviceNotAvailable - The service is currently unavailable.
Added option admin <EmailAddress> to gam upload sakey.
2026-06-21 14:41:37 +00:00 · 2024-05-01 13:33:13 -07:00 · 2024-04-26 09:16:22 -07:00 · 2024-04-26 08:33:50 -07:00 · 2024-04-25 22:23:16 -07:00 · 2024-04-25 08:46:14 -07:00
11 changed files with 434 additions and 62 deletions
--- a/docs/Authorization.md
+++ b/docs/Authorization.md
@@ -31,6 +31,7 @@
  - [Update an existing Service Account key](#update-an-existing-service-account-key)
  - [Replace all existing Service Account keys](#replace-all-existing-service-account-keys)
  - [Delete Service Account keys](#delete-service-account-keys)
+  - [Upload a Service Account key to a service account with no keys](#upload-a-service-account-key-to-a-service-account-with-no-keys)
  - [Display Service Account keys](#display-service-account-keys)
 - [Manage Service Account access](#manage-service-account-access)
  - [Full Service Account access](#full-service-account-access)
@@ -205,12 +206,15 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
+* Click + Add Another Role
+* Type organization policy administrator in the Filter box
+* Click Orgainzation Policy Administrator
 * Click Save

 ## Authorize Service Account Key Uploads

-If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`
-perform these steps and then retry the create project command.
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`,
+perform these steps and then you should be able to authorize and use your project.

 * Login as an existing super admin at console.cloud.google.com
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
@@ -242,9 +246,9 @@ perform these steps and then retry the create project command.
 * Click Done
 * Click Set Policy

-Do the following to upload the service account key:
+Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key:
 ```
-gam update sakey
+gam upload sakey [admin <EmailAddress>]
 ```

 ## Authorize GAM to create projects
@@ -856,10 +860,26 @@ delete a service account key for a distributed copy of an `oauth2service.json` f
 that user's service account access.

 You can disable your current Service Account key if you specify the `doit` argument. This is your
-acknowledgement that you will have to manually create a new Service Account key in the Developer's Console.
+acknowledgement that you will have to manually create a new Service Account key in the Developer's Console
+or upload a new key with the `gam upload sakey` command.
 ```
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 ```
+## Upload a Service Account key to a service account with no keys
+There are two cases where you will use this command:
+* Your workspace is configured to disable service account private key uploads and you are creating a project.
+* All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command.
+
+The `oauth2service.json` file is updated with the new private key. If you had previously distributed
+any `oauth2service.json` file to other users, you must redistribute the updated file with the new key.
+```
+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
+         yubikey_serialnumber <Number>
+         [localkeysize 1024|2048|4096])
+```
 ## Display Service Account keys
 There are system keys and user keys; user keys are what Gam uses; GCP uses system keys.

--- a/docs/GamUpdates.md
+++ b/docs/GamUpdates.md
@@ -10,6 +10,29 @@ Add the `-s` option to the end of the above commands to suppress creating the `g

 See [Downloads](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads) for Windows or other options, including manual installation

+### 6.75.02
+
+Updated `gam report  <ActivityApplictionName>` to retry/handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 6.75.01
+
+Added option `admin <EmailAddress>` to  `gam upload sakey`.
+
+### 6.75.00
+
+Updated `gam create project` to simplify handling the situation where your workspace is configured to disable service account private key uploads.
+
+Added command `gam upload sakey` to aid in this process.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#upload-a-service-account-key-to-a-service-account-with-no-keys
+
+### 6.74.02
+
+Fixed bug in `gam <UserTypeEntity> print shareddrives ... formatjson` that caused a trap.
+
 ### 6.74.01

 Updated `gam create|update drivefileacl <DriveFileEntity> ... expiration <Time>` to handle
--- a/docs/How-to-Upgrade-from-Standard-GAM.md
+++ b/docs/How-to-Upgrade-from-Standard-GAM.md
@@ -335,7 +335,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin/bin/gamadv-xtd3$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.74.01 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.75.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.3 64-bit final
 MacOS Sonoma 14.4.1 x86_64
@@ -1009,7 +1009,7 @@ writes the credentials into the file oauth2.txt.
 C:\GAMADV-XTD3>del C:\GAMConfig\oauth2.txt
 C:\GAMADV-XTD3>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.74.01 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.75.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.3 64-bit final
 Windows-10-10.0.17134 AMD64
--- a/docs/Reports.md
+++ b/docs/Reports.md
@@ -143,7 +143,8 @@ Get Shared Drives ID and Name
 ```
 gam redirect csv ./SharedDrives.csv print shareddrives fields id,name
 ```
-Options:
+
+Options for the `gam report drive` commands below:
 * `maxactivities 1` - Limits the number of activities displayed for Shared Drives with activity.
 * `shownoactivities` - Displays a row for Shared Drives with no activity.
 * `addcsvdata shared_drive_id "~id"` adds the Shared Drive ID to the output.
--- a/docs/Resources.md
+++ b/docs/Resources.md
@@ -1,6 +1,7 @@
 # Resources
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
+- [Region Codes](#region-codes)
 - [Special quoting](#special-quoting)
 - [Manage buildings](#manage-buildings)
 - [Display buildings](#display-buildings)
@@ -121,6 +122,252 @@ See [Collections of Items](Collections-of-Items)
        uservisibledescription
 <ResourceFieldNameList> ::= "<ResourceFieldName>(,<ResourceFieldName>)*"
 ```
+
+## Region Codes
+
+| Region | Code |
+|--------|------|
+| Afghanistan | AF |
+| Aland Islands | AX |
+| Albania | AL |
+| Algeria | DZ |
+| American Samoa | AS |
+| Andorra | AD |
+| Angola | AO |
+| Anguilla | AI |
+| Antarctica | AQ |
+| Antigua & Barbuda | AG |
+| Argentina | AR |
+| Armenia | AM |
+| Aruba | AW |
+| Ascension Island | AC |
+| Australia | AU |
+| Austria | AT |
+| Azerbaijan | AZ |
+| Bahamas | BS |
+| Bahrain | BH |
+| Bangladesh | BD |
+| Barbados | BB |
+| Belarus | BY |
+| Belgium | BE |
+| Belize | BZ |
+| Benin | BJ |
+| Bermuda | BM |
+| Bhutan | BT |
+| Bolivia | BO |
+| Bosnia & Herzegovina | BA |
+| Botswana | BW |
+| Bouvet Island | BV |
+| Brazil | BR |
+| British Indian Ocean Territory | IO |
+| British Virgin Islands | VG |
+| Brunei | BN |
+| Bulgaria | BG |
+| Burkina Faso | BF |
+| Burundi | BI |
+| Cambodia | KH |
+| Cameroon | CM |
+| Canada | CA |
+| Canary Islands | IC |
+| Cape Verde | CV |
+| Caribbean Netherlands | BQ |
+| Cayman Islands | KY |
+| Central African Republic | CF |
+| Ceuta & Melilla | EA |
+| Chad | TD |
+| Chile | CL |
+| China | CN |
+| Christmas Island | CX |
+| Clipperton Island | CP |
+| Cocos (Keeling) Islands | CC |
+| Columbia | CO |
+| Comoros | KM |
+| Congo - Brazzaville | CG |
+| Congo - Kinshasa | CD |
+| Cook Islands | CK |
+| Costa Rica | CR |
+| Cote d’Ivoire | CI |
+| Croatia | HR |
+| Cuba | CU |
+| Curacao | CW |
+| Cyprus | CY |
+| Czech Republic | CZ |
+| Falkland Islands | FK |
+| Faroe Islands | FO |
+| Fiji | FJ |
+| Finland | FI |
+| France | FR |
+| Gabon | GA |
+| Gambia | GM |
+| Georgia | GE |
+| Germany | DE |
+| Ghana | GH |
+| Gibraltar | GI |
+| Greece | GR |
+| Greenland | GL |
+| Grenada | GD |
+| Guadeloupe | GP |
+| Guam | GU |
+| Guatemala | GT |
+| Guernsey | GG |
+| Guinea | GN |
+| Guinea-Bissau | GW |
+| Guyana | GY |
+| Haiti | HT |
+| Heard & McDonald Islands | HM |
+| Honduras | HN |
+| Hong Kong SAR China | HK |
+| Hungary | HU |
+| Iceland | IS |
+| India | IN |
+| Indonesia | ID |
+| Iran | IR |
+| Iraq | IQ |
+| Ireland | IE |
+| Isle of Man | IM |
+| Israel | IL |
+| Italy | IT |
+| Jamaica | JM |
+| Japan | JP |
+| Jersey | JE |
+| Jordan | JO |
+| Kazakhstan | KZ |
+| Kenya | KE |
+| Kiribati | KI |
+| Kosovo | XK |
+| Kuwait | KW |
+| Kyrgyzstan | KG |
+| Laos | LA |
+| Latvia | LV |
+| Lebanon | LB |
+| Lesotho | LS |
+| Liberia | LR |
+| Libya | LY |
+| Liechtenstein | LI |
+| Lithuania | LT |
+| Luxembourg | LU |
+| Macau SAR China | MO |
+| Macedonia | MK |
+| Madagascar | MG |
+| Malawi | MW |
+| Malaysia | MY |
+| Maldives | MV |
+| Mali | ML |
+| Malta | MT |
+| Marshall Islands | MH |
+| Martinique | MQ |
+| Mauritania | MR |
+| Mauritius | MU |
+| Mayotte | YT |
+| Mexico | MX |
+| Micronesia | FM |
+| Moldova | MD |
+| Monaco | MC |
+| Mongolia | MN |
+| Montenegro | ME |
+| Montserrat | MS |
+| Morocco | MA |
+| Mozambique | MZ |
+| Myanmar | MM |
+| Namibia | NA |
+| Nauru | NR |
+| Nepal | NP |
+| Netherlands | NL |
+| New Caledonia | NC |
+| New Zealand | NZ |
+| Nicaragua | NI |
+| Niger | NE |
+| Nigeria | NG |
+| Niue | NU |
+| Norfolk Island | NF |
+| North Korea | KP |
+| Northern Mariana Islands | MP |
+| Norway | NO |
+| Oman | OM |
+| Pakistan | PK |
+| Palau | PW |
+| Palestinia Territories | PS |
+| Panama | PA |
+| Papua New Guinea | PG |
+| Paraguay | PY |
+| Peru | PE |
+| Philippines | PH |
+| Pitcairn Islands | PN |
+| Poland | PL |
+| Portugal | PT |
+| Puerto Rico | PR |
+| Qatar | QA |
+| Reunion | RE |
+| Romania | RO |
+| Russia | RU |
+| Rwanda | RW |
+| Samoa | WS |
+| San Marino | SM |
+| Sao Tomm & Principe | ST |
+| Saudi Arabia | SA |
+| Senegal | SN |
+| Serbia | RS |
+| Seychelles | SC |
+| Sierra Leone | SL |
+| Singapore | SG |
+| Sint Maarten | SX |
+| Slovakia | SK |
+| Slovenia | SI |
+| Solomon Islands | SB |
+| Somalia | SO |
+| South Africa | ZA |
+| South Georgia & South Sandwich Islands | GS |
+| South Korea | KR |
+| South Sudan | SS |
+| Spain | ES |
+| Sri Lanka | LK |
+| St. Barthelemy | BL |
+| St. Helena | SH |
+| St. Kitts & Nevis | KN |
+| St. Lucia | LC |
+| St. Martin | MF |
+| St. Pierre & Miquelon | PM |
+| St. Vincent & Grenadines | VC |
+| Sudan | SD |
+| Suriname | SR |
+| Svalbard & Jan Mayen | SJ |
+| Swaziland | SZ |
+| Sweden | SE |
+| Switzerland | CH |
+| Syria | SY |
+| Taiwan | TW |
+| Tajikistan | TJ |
+| Tanzania | TZ |
+| Thailand | TH |
+| Timor-Leste | TL |
+| Togo | TG |
+| Tokelau | TK |
+| Tonga | TO |
+| Trinidad & Tobago | TT |
+| Tristan da Cunha | TA |
+| Tunisia | TN |
+| Turkey | TR |
+| Turkmenistan | TM |
+| Turks & Caicos Islands | TC |
+| Tuvalu | TV |
+| U.S. Outlying Islands | UM |
+| U.S. Virgin Islands | VI |
+| Uganda | UG |
+| Ukraine | UA |
+| United Arab Emirates | AE |
+| United Kingdom | GB |
+| United States | US |
+| Unknown Region | ZZ |
+| Uraguay | UY |
+| Uzbekistan | UZ |
+| Vanuatu | VU |
+| Vatican City | VA |
+| Venezuela | VE |
+| Vietnam | VN |
+| Yemen | YE |
+| Zambia | ZM |
+| Zimbabwe | ZW |
+
 ## Special quoting
 When entering `<FeatureNameList>` with `<FeatureName>s`containing spaces, enclose the list in `"` and the names containing spaces in `'`.
 ```
@@ -133,10 +380,8 @@ When creating a building, at a minimum you must enter `address|addresslines` and

 * Enter a single-line address as `address "123 Main Street"`
 * Enter a multi-line address as `addresslines "123 Main Street\nAnytown, US"`
-
-For `country|regioncode` see: http://www.unicode.org/cldr/charts/30/supplemental/territory_information.html
 ```
-gam create|add building <BuildIngID> <Name> <BuildingAttribute>*
+gam create|add building <Name> <BuildingAttribute>*
 gam update building <BuildIngID> <BuildingAttribute>*
 gam delete building <BuildingID>
 ```
--- a/docs/Version-and-Help.md
+++ b/docs/Version-and-Help.md
@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAMADV-XTD3 6.74.01 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.75.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.3 64-bit final
 MacOS Sonoma 14.4.1 x86_64
@@ -15,7 +15,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAMADV-XTD3 6.74.01 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.75.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.3 64-bit final
 MacOS Sonoma 14.4.1 x86_64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAMADV-XTD3 6.74.01 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.75.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.3 64-bit final
 MacOS Sonoma 14.4.1 x86_64
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Version Check:
  Current: 5.35.08
-   Latest: 6.74.01
+   Latest: 6.75.02
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-6.74.01
+6.75.02
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,7 +82,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 6.74.01 - https://github.com/taers232c/GAMADV-XTD3
+GAM 6.75.02 - https://github.com/taers232c/GAMADV-XTD3
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.3 64-bit final
 MacOS Sonoma 14.4.1 x86_64
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -1406,6 +1406,13 @@ gam rotate sakey|sakeys retain_none
         yubikey_serialnumber <Number>
         [localkeysize 1024|2048|4096])

+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
+         yubikey_serialnumber <Number>
+         [localkeysize 1024|2048|4096])
+
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 gam show sakeys [all|system|user]

--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -2,6 +2,29 @@

 Merged GAM-Team version

+6.75.02
+
+Updated `gam report  <ActivityApplictionName>` to retry/handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+6.75.01
+
+Added option `admin <EmailAddress>` to  `gam upload sakey`.
+
+6.75.00
+
+Updated `gam create project` to simplify handling the situation where your workspace is configured to disable service account private key uploads.
+
+Added command `gam upload sakey` to aid in this process.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#upload-a-service-account-key-to-a-service-account-with-no-keys
+
+6.74.02
+
+Fixed bug in `gam <UserTypeEntity> print shareddrives ... formatjson` that caused a trap.
+
 6.74.01

 Updated `gam create|update drivefileacl <DriveFileEntity> ... expiration <Time>` to handle
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -10813,7 +10813,7 @@ class Credentials(google.oauth2.credentials.Credentials):
        'client_id': client_id,
        'client_secret': client_secret,
        'redirect_uris': ['http://localhost'],
-        'auth_uri': 'https://accounts.google.com/o/oauth2/v2/auth',
+        'auth_uri': API.GOOGLE_OAUTH2_ENDPOINT,
        'token_uri': API.GOOGLE_OAUTH2_TOKEN_ENDPOINT,
        }
    }
@@ -11251,8 +11251,6 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
    return
  if appInfo:
    setGAMProjectConsentScreen(httpObj, projectInfo['projectId'], appInfo)
-  if not _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo):
-    return
  console_url = f'https://console.cloud.google.com/apis/credentials/oauthclient?project={projectInfo["projectId"]}&authuser={login_hint}'
  csHttpObj = getHttpObj()
  while True:
@@ -11271,8 +11269,8 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
 # Deleted: "redirect_uris": ["http://localhost", "urn:ietf:wg:oauth:2.0:oob"],
  cs_data = f'''{{
    "installed": {{
-        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-        "auth_uri": "https://accounts.google.com/o/oauth2/v2/auth",
+        "auth_provider_x509_cert_url": "{API.GOOGLE_AUTH_PROVIDER_X509_CERT_URL}",
+        "auth_uri": "{API.GOOGLE_OAUTH2_ENDPOINT}",
        "client_id": "{client_id}",
        "client_secret": "{client_secret}",
        "created_by": "{login_hint}",
@@ -11284,6 +11282,8 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
  sys.stdout.write(Msg.GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP)
  sys.stdout.write(Msg.TRUST_GAM_CLIENT_ID.format(GAM, client_id))
  readStdin('')
+  if not _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo):
+    return
  sys.stdout.write(Msg.YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE)

 def _getProjects(crm, pfilter, returnNF=False):
@@ -12317,8 +12317,8 @@ def _generatePrivateKeyAndPublicCert(projectId, clientEmail, name, key_size, b64

 def _formatOAuth2ServiceData(service_data):
  quotedEmail = quote(service_data.get('client_email', ''))
-  service_data['auth_provider_x509_cert_url'] = 'https://www.googleapis.com/oauth2/v1/certs'
-  service_data['auth_uri'] = 'https://accounts.google.com/o/oauth2/auth'
+  service_data['auth_provider_x509_cert_url'] = API.GOOGLE_AUTH_PROVIDER_X509_CERT_URL
+  service_data['auth_uri'] = API.GOOGLE_OAUTH2_ENDPOINT
  service_data['client_x509_cert_url'] = f'https://www.googleapis.com/robot/v1/metadata/x509/{quotedEmail}'
  service_data['token_uri'] = API.GOOGLE_OAUTH2_TOKEN_ENDPOINT
  service_data['type'] = 'service_account'
@@ -12335,8 +12335,9 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
  local_key_size = 2048
  validityHours = 0
  body = {}
-  if iam is None:
-    _, iam = buildGAPIServiceObject(API.IAM, None)
+  if iam is None or mode == 'upload':
+    if iam is None:
+      _, iam = buildGAPIServiceObject(API.IAM, None)
    _getSvcAcctData()
    currentPrivateKeyId, projectId, clientEmail, clientId = _getSvcAcctKeyProjectClientFields()
    # dict() ensures we have a real copy, not pointer
@@ -12413,6 +12414,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
        result = callGAPI(iam.projects().serviceAccounts().keys(), 'upload',
                          throwReasons=[GAPI.NOT_FOUND, GAPI.BAD_REQUEST, GAPI.PERMISSION_DENIED, GAPI.FAILED_PRECONDITION],
                          name=name, body={'publicKeyData': publicKeyData})
+        newPrivateKeyId = result['name'].rsplit('/', 1)[-1]
        break
      except GAPI.notFound as e:
        if retry == maxRetries:
@@ -12424,10 +12426,19 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
          entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
          return False
        waitForCompletion(retry)
-      except (GAPI.badRequest, GAPI.failedPrecondition) as e:
+      except GAPI.badRequest as e:
        entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
        return False
-    newPrivateKeyId = result['name'].rsplit('/', 1)[-1]
+      except GAPI.failedPrecondition as e:
+        entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
+        if 'iam.disableServiceAccountKeyUpload' not in str(e):
+          return False
+        if retry == maxRetries or mode != 'upload':
+          sys.stdout.write(Msg.ENABLE_SERVICE_ACCOUNT_PRIVATE_KEY_UPLOAD.format(projectId))
+          new_data['private_key'] = ''
+          newPrivateKeyId = ''
+          break
+        waitForCompletion(retry)
    new_data['private_key_id'] = newPrivateKeyId
    oauth2service_data = _formatOAuth2ServiceData(new_data)
  else:
@@ -12438,6 +12449,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
        result = callGAPI(iam.projects().serviceAccounts().keys(), 'create',
                          throwReasons=[GAPI.BAD_REQUEST, GAPI.PERMISSION_DENIED],
                          name=name, body=body)
+        newPrivateKeyId = result['name'].rsplit('/', 1)[-1]
        break
      except GAPI.permissionDenied:
        if retry == maxRetries:
@@ -12447,9 +12459,9 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
      except GAPI.badRequest as e:
        entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
        return False
-    newPrivateKeyId = result['name'].rsplit('/', 1)[-1]
    oauth2service_data = base64.b64decode(result['privateKeyData']).decode(UTF8)
-  entityActionPerformed([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail, Ent.SVCACCT_KEY, newPrivateKeyId])
+  if newPrivateKeyId != '':
+    entityActionPerformed([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail, Ent.SVCACCT_KEY, newPrivateKeyId])
  if GM.Globals[GM.SVCACCT_SCOPES_DEFINED]:
    try:
      GM.Globals[GM.OAUTH2SERVICE_JSON_DATA] = json.loads(oauth2service_data)
@@ -12461,35 +12473,36 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
  Act.Set(Act.UPDATE)
  entityActionPerformed([Ent.OAUTH2SERVICE_JSON_FILE, GC.Values[GC.OAUTH2SERVICE_JSON],
                         Ent.SVCACCT_KEY, newPrivateKeyId])
-  if mode != 'retainexisting':
-    Act.Set(Act.REVOKE)
-    count = len(keys) if mode == 'retainnone' else 1
-    entityPerformActionNumItems([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], count, Ent.SVCACCT_KEY)
-    Ind.Increment()
-    i = 0
-    for key in keys:
-      keyName = key['name'].rsplit('/', 1)[-1]
-      if mode == 'retainnone' or keyName == currentPrivateKeyId and keyName != newPrivateKeyId:
-        i += 1
-        maxRetries = 5
-        for retry in range(1, maxRetries+1):
-          try:
-            callGAPI(iam.projects().serviceAccounts().keys(), 'delete',
-                     throwReasons=[GAPI.BAD_REQUEST, GAPI.PERMISSION_DENIED],
-                     name=key['name'])
-            entityActionPerformed([Ent.SVCACCT_KEY, keyName], i, count)
-            break
-          except GAPI.permissionDenied:
-            if retry == maxRetries:
-              entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
-              break
-            waitForCompletion(retry)
-          except GAPI.badRequest as e:
-            entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], str(e), i, count)
-            break
-        if mode != 'retainnone':
+  if mode in {'retainexisting', 'upload'}:
+    return newPrivateKeyId != ''
+  Act.Set(Act.REVOKE)
+  count = len(keys) if mode == 'retainnone' else 1
+  entityPerformActionNumItems([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], count, Ent.SVCACCT_KEY)
+  Ind.Increment()
+  i = 0
+  for key in keys:
+    keyName = key['name'].rsplit('/', 1)[-1]
+    if mode == 'retainnone' or keyName == currentPrivateKeyId and keyName != newPrivateKeyId:
+      i += 1
+      maxRetries = 5
+      for retry in range(1, maxRetries+1):
+        try:
+          callGAPI(iam.projects().serviceAccounts().keys(), 'delete',
+                   throwReasons=[GAPI.BAD_REQUEST, GAPI.PERMISSION_DENIED],
+                   name=key['name'])
+          entityActionPerformed([Ent.SVCACCT_KEY, keyName], i, count)
          break
-    Ind.Decrement()
+        except GAPI.permissionDenied:
+          if retry == maxRetries:
+            entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
+            break
+          waitForCompletion(retry)
+        except GAPI.badRequest as e:
+          entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], str(e), i, count)
+          break
+      if mode != 'retainnone':
+        break
+  Ind.Decrement()
  return True

 # gam create sakey|sakeys
@@ -12524,6 +12537,21 @@ def doUpdateSvcAcctKeys():
 def doReplaceSvcAcctKeys():
  doProcessSvcAcctKeys(mode='retainnone')

+# gam upload sakey|sakeys [admin <EmailAddress>]
+#	(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+#	((localkeysize 1024|2048|4096 [validityhours <Number>])|
+#	(yubikey yubikey_pin yubikey_slot AUTHENTICATION
+#	 yubikey_serialnumber <String>
+#	 [localkeysize 1024|2048|4096])
+def doUploadSvcAcctKeys():
+  login_hint = getEmailAddress(noUid=True) if checkArgumentPresent(['admin']) else None
+  httpObj, _ = getCRMService(login_hint)
+  iam = getAPIService(API.IAM, httpObj)
+  if doProcessSvcAcctKeys(mode='upload', iam=iam):
+    sa_email = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_email']
+    _grantRotateRights(iam, GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['project_id'], sa_email, sa_email)
+    sys.stdout.write(Msg.YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE)
+
 # gam delete sakeys <ServiceAccountKeyList>
 def doDeleteSvcAcctKeys():
  _, iam = buildGAPIServiceObject(API.IAM, None)
@@ -13853,7 +13881,8 @@ def doReport():
        try:
          feed = callGAPIpages(service, 'list', 'items',
                               pageMessage=pageMessage, maxItems=maxActivities,
-                               throwReasons=[GAPI.BAD_REQUEST, GAPI.INVALID, GAPI.INVALID_INPUT, GAPI.AUTH_ERROR],
+                               throwReasons=[GAPI.BAD_REQUEST, GAPI.INVALID, GAPI.INVALID_INPUT, GAPI.AUTH_ERROR, GAPI.SERVICE_NOT_AVAILABLE],
+                               retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                               applicationName=report, userKey=user, customerId=customerId,
                               actorIpAddress=actorIpAddress, orgUnitID=orgUnitId,
                               startTime=startEndTime.startTime, endTime=startEndTime.endTime,
@@ -13865,7 +13894,7 @@ def doReport():
            continue
          printErrorMessage(BAD_REQUEST_RC, Msg.BAD_REQUEST)
          break
-        except (GAPI.invalid, GAPI.invalidInput) as e:
+        except (GAPI.invalid, GAPI.invalidInput, GAPI.serviceNotAvailable) as e:
          systemErrorExit(GOOGLE_API_ERROR_RC, str(e))
        except GAPI.authError:
          accessErrorExit(None)
@@ -62959,6 +62988,9 @@ def printShowSharedDrives(users, useDomainAdminAccess=False):
    if fieldsList:
      showFields.add('role')
    csvPF.AddTitle('role')
+    if FJQC.formatJSON:
+      csvPF.AddJSONTitles(['role'])
+      csvPF.MoveJSONTitlesToEnd(['JSON'])
  if showOrgUnitPaths and useDomainAdminAccess and ((not showFields) or ('orgUnitId' in showFields)):
    orgUnitIdToPathMap = getOrgUnitIdToPathMap(cd)
    if showFields:
@@ -73212,6 +73244,11 @@ MAIN_COMMANDS_WITH_OBJECTS = {
      Cmd.ARG_USERS:		doSuspendUnsuspendUsers,
     }
    ),
+  'upload':
+    (Act.USE,
+     {Cmd.ARG_SAKEY:		doUploadSvcAcctKeys,
+     }
+    ),
  'use':
    (Act.USE,
     {Cmd.ARG_PROJECT:		doUseProject,
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -95,7 +95,9 @@ YOUTUBE = 'youtube'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
 GMAIL_SEND_SCOPE = 'https://www.googleapis.com/auth/gmail.send'
-GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
+GOOGLE_AUTH_PROVIDER_X509_CERT_URL = 'https://www.googleapis.com/oauth2/v1/certs'
+GOOGLE_OAUTH2_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth'
+GOOGLE_OAUTH2_TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token'
 CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform'
 IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
 PEOPLE_SCOPE = 'https://www.googleapis.com/auth/contacts'
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -91,7 +91,21 @@ Please go to:
 8. Press enter here on the terminal once trust is complete.
 '''

-YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE = 'That\'s it! Your GAM Project is created and ready to use.\n'
+ENABLE_SERVICE_ACCOUNT_PRIVATE_KEY_UPLOAD = '''
+Your workspace is configured to disable service account private key uploads.
+
+Please go to:
+
+  https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads
+
+Follow the steps to allow a service account private key upload for the project ({0}) just created.
+Once those steps are completed, you can continue with your project authentication.
+'''
+
+YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE = '''
+That\'s it! Your GAM Project is created and ready to use.
+Proceed to the authentication steps.
+'''

 # check|update service messages in order of appearance
 SYSTEM_TIME_STATUS = 'System time status'
Author	SHA1	Message	Date
Ross Scroggs	42d33786a1	Updated `gam report <ActivityApplictionName>` to retry/handle the following error: ERROR: 503: serviceNotAvailable - The service is currently unavailable.	2024-05-01 13:33:13 -07:00
Ross Scroggs	683435cfb8	Added option `admin <EmailAddress>` to `gam upload sakey`.	2024-04-26 09:16:22 -07:00
Ross Scroggs	6b8170dd2f	Improved code in `gam upload sakey`.	2024-04-26 08:33:50 -07:00
Ross Scroggs	941fe97785	Updated `gam create project` to simplify handling the situation when your workspace is configured to disable service account private key uploads.	2024-04-25 22:23:16 -07:00
Ross Scroggs	f87e013ec4	Fixed bug in `gam <UserTypeEntity> print shareddrives ... formatjson` that caused a trap.	2024-04-25 08:46:14 -07:00