enable manual pypi runs

remove unknown classifier
3.7.8, fix yubikey optional for pip package
2026-06-16 20:21:37 +00:00 · 2025-02-08 19:50:00 +00:00 · 2025-02-08 19:46:32 +00:00 · 2025-02-08 19:43:17 +00:00 · 2025-02-08 09:38:37 -08:00 · 2025-02-07 14:09:24 -08:00
11 changed files with 471 additions and 141 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ defaults:
    working-directory: src

 env:
-  SCRATCH_COUNTER: 6
+  SCRATCH_COUNTER: 9
  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
  OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
  OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
@@ -129,7 +129,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250116
+          key: gam-${{ matrix.jid }}-20250204

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -1005,7 +1005,7 @@ jobs:

  merge:
    if: (github.event_name == 'push' || github.event_name == 'schedule')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    needs: build
    permissions:
      contents: write
@@ -1019,7 +1019,7 @@ jobs:

  publish:
    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    needs: merge
    permissions:
      contents: write
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -0,0 +1,33 @@
+name: build and publish releases to PyPi
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+  workflow_dispatch:
+
+jobs:
+  pypi:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/gam7
+    permissions:
+      id-token: write
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Install required packages to publish
+        run: |
+          python3 -m pip install --upgrade build
+
+      - name: Build packages
+        run: |
+          python -m build
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,63 @@
+[project]
+name = "gam7"
+dynamic = [
+    "version",
+]
+authors = [
+    { name="Jay Lee", email="jay0lee@gmail.com" },
+    { name="Ross Scroggs", email="Ross.Scroggs@gmail.com" },
+]
+dependencies = [
+    "chardet",
+    "cryptography",
+    "distro; sys_platform=='linux'",
+    "filelock",
+    "google-api-python-client>=2.1",
+    "google-auth-httplib2",
+    "google-auth-oauthlib>=0.4.1",
+    "google-auth>=2.3.2",
+    "httplib2>=0.17.0",
+    "lxml",
+    "passlib>=1.7.2",
+    "pathvalidate",
+    "python-dateutil",
+]
+description = "CLI tool to manage Google Workspace"
+readme = "README.md"
+requires-python = ">=3.9"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Operating System :: OS Independent",
+]
+license = {text = "Apache License (2.0)"}
+license-files = ["LICEN[CS]E*"]
+
+[project.optional-dependencies]
+yubikey = ["yubikey-manager>=5.0"]
+
+[project.scripts]
+gam = "gam.__main__:main"
+
+[project.urls]
+Homepage = "https://github.com/GAM-team/GAM"
+Issues = "https://github.com/GAM-team/GAM/issues"
+Discussion = "https://groups.google.com/group/google-apps-manager"
+Chat = "https://git.io/gam-chat"
+
+[tool.hatch.version]
+path = "src/gam/__init__.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/gam"]
+
+[build-system]
+requires = [
+    "hatchling",
+]
+build-backend = "hatchling.build"
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -1362,6 +1362,7 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
         nokey]
 gam use project [<EmailAddress>] [<ProjectID>]
 gam use project [admin <EmailAddress>] [project <ProjectID>]
+        [appname <String>] [supportemail <EmailAddress>]
        [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
        [sadescription <ServiceAccountDescription>]
        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -2089,19 +2090,25 @@ gam move browsers ou|org|orgunit <OrgUnitPath>
        [batchsize <Integer>]

 gam info browser <DeviceID>
-        [basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [formatjson]
 gam show browsers
        ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
        [querytime<String> <Time>]
        [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [formatjson]
 gam print browsers [todrive <ToDriveAttribute>*]
        ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
        [querytime<String> <Time>]
        [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [sortheaders]
        [formatjson [quotechar <Character>]]

@@ -3926,8 +3933,11 @@ gam print group-members [todrive <ToDriveAttribute>*]
        updatetime
 <CIGroupFieldNameList> ::= "<CIGroupFieldName>(,<CIGroupFieldName>)*"

-gam create cigroup <EmailAddress> [copyfrom <GroupItem>] <GroupAttribute>*
-        [makeowner] [alias|aliases <CIGroupAliasList>] [dynamic <QueryDynamicGroup>]
+gam create cigroup <EmailAddress>
+        [copyfrom <GroupItem>] <GroupAttribute>*
+        [makeowner] [alias|aliases <CIGroupAliasList>]
+        [security|makesecuritygroup]
+        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
        [security|makesecuritygroup|
         dynamicsecurity|makedynamicsecuritygroup|
@@ -4451,7 +4461,7 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
        [event|events <EventNameList>] [ip <String>]
        [groupidfilter <String>]
        [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
-        [countsonly [summary] [eventrowfilter]]
+        [countsonly [bydate|summary] [eventrowfilter]]
        (addcsvdata <FieldName> <String>)* [shownoactivities]

 <CustomerServiceName> ::=
@@ -4514,7 +4524,7 @@ gam report users|user [todrive <ToDriveAttribute>*]
        (country|countrycode <String>)

 gam create|add resoldcustomer <CustomerDomain> (customer_auth_token <String>) <ResoldCustomerAttribute>+
-gam update resoldcustomer <CustomerID> [customer_auth_token <String>] <ResoldCustomerAttribues>+
+gam update resoldcustomer <CustomerID> <ResoldCustomerAttribues>+
 gam info resoldcustomer <CustomerID> [formatjson]

 gam create|add resoldsubscription <CustomerID> (sku <SKUID>)
@@ -5260,7 +5270,7 @@ gam print vaultcounts [todrive <ToDriveAttributes>*]
 gam print vaultcounts [todrive <ToDriveAttributes>*]
        matter <MatterItem> operation <String> [wait <Integer>]

-gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
+gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
        (shareddrives|teamdrives <SharedDriveIDList>) | (rooms <RoomList>) | (sitesurl <URLList>)
        [scope all_data|held_data|unprocessed_data]
@@ -5268,10 +5278,12 @@ gam create vaultexport|export matter <MatterItem> [name <String>] corpus calenda
        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
        [includeshareddrives <Boolean>] [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+        [driveclientsideencryption any|encrypted|unencrypted]
        [includerooms <Boolean>]
-        [excludedrafts <Boolean>] [format mbox|pst]
+        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
        [covereddata calllogs|textmessages|voicemails]
+        [format ics|mbox|pst|xml]
        [region any|europe|us] [showdetails|returnidonly]
 gam delete vaultexport|export <ExportItem> matter <MatterItem>
 gam delete vaultexport|export <MatterItem> <ExportItem>
@@ -6575,6 +6587,8 @@ gam <UserTypeEntity> copy drivefile <DriveFileEntity>
        [copysubfolderpermissions [<Boolean>]]
        [copysubfolderinheritedpermissions [<Boolean>]]
        [copysubfoldernoniheritedpermissions never|always|syncallfolders|syncupdatedfolders]
+        [copypermissionroles <DriveFileACLRoleList>]
+        [copypermissiontypes <DriveFileACLTypeList>]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*
        [copysheetprotectedranges [<Boolean>]]
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,70 @@
+7.03.07
+
+Updated `gam create vaultexport` to include `corpus gemini`.
+
+* See: https://workspaceupdates.googleblog.com/2025/02/google-vault-now-supports-gemini.html
+
+7.03.06
+
+Added option `rawfields "<BrowserFieldNameList>"` to `gam info|print|show browsers` that allows
+specification of complex field lists with selected subfields.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Browser-Cloud-Management#raw-fields
+
+7.03.05
+
+Make GAM pip-installable: "pip install gam7"
+
+7.03.04
+
+Added option `security` to `gam create cigroup` that allows creation of a security group
+in a single command.
+
+Updated to Python 3.13.2.
+
+7.03.03
+
+Fixed bug in `gam update resoldcustomer` that caused the following error:
+```
+ERROR: Got an unexpected keyword argument customerAuthToken
+```
+
+7.03.02
+
+Updated `gam <UserTypeEntity> show labels nested` to properly display label nesting
+when labels have embedded `/` characters in their names.
+
+7.03.01
+
+Updated `gam create project` to retry the following unexpected error:
+```
+ERROR: 400 - invalidArgument - Service account gam-project-a1b2c@gam-project-a1b2c.iam.gserviceaccount.com does not exist.
+```
+
+7.03.00
+
+Updated `gam create|use project` to discontinue use of the `Identity-Aware Proxy (IAP) OAuth Admin APIs`
+that are being deprecated by Google. You will see a set of instructions detailing how to
+configure the Oauth Consent screen and create the Oauth client.
+
+Added options `copypermissionroles <DriveFileACLRoleList>` and `copypermissiontypes <DriveFileACLTypeList>`
+to `gam <UserTypeEntity> copy drivefile` that provide more control over what permissions are copied
+from the source files/folders to the destination files/folders.
+
+7.02.11
+
+Updated `gam report <ActivityApplicationName>` to display `id:<actor.profileId>` in the `emailAddress` column
+when `actor.email` is empty. This typically occurs when the actor is not in your workspace.
+
+Updated `gam <UserTypeEntity> copy drivefile` to ignore ACLs referencing deleted user/groups.
+
+7.02.10
+
+Added option `bydate` to `gam report <ActivityApplicationName> ... countsonly` that provides an additional display option.
+* `countsonly` - Display a row per user across all dates with all event counts on one row
+* `countsonly bydate` - Display a row per user per date for all dates with any events with all events counts on the row
+* `countsonly summary` - Display a row per event with counts for each event summarized across users and dates
+
 7.02.09

 Added option `clearresources` to `<EventUpdateAttribute>` for use in `gam <UserTypeEntity> update events`
--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -112,6 +112,12 @@ else
  check_type="authenticated"
  curl_opts=( "$GHCLIENT" )
 fi
+curl_ver=$(curl --version|head -1|cut -d " " -f 2)
+if [[ "${curl_ver:0:4}" < "7.76" ]]; then
+  curl_fail=( )
+else
+  curl_fail=( "--fail-with-body" )
+fi
 echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
 release_json=$(curl \
 	--silent \
@@ -119,7 +125,7 @@ release_json=$(curl \
 	-H "Accept: application/vnd.github+json" \
 	-H "X-GitHub-Api-Version: 2022-11-28" \
 	"$release_url" \
-	--fail-with-body)
+	"${curl_fail[@]}")
 curl_exit_code=$?
 if [ $curl_exit_code -ne 0 ]; then
  echo_red "ERROR retrieving URL: ${release_json}"
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """

 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.02.09'
+__version__ = '7.03.08'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'

 #pylint: disable=wrong-import-position
@@ -4727,7 +4727,7 @@ def clearServiceCache(service):

 DISCOVERY_URIS = [googleapiclient.discovery.V1_DISCOVERY_URI, googleapiclient.discovery.V2_DISCOVERY_URI]

-# Used for API.CLOUDRESOURCEMANAGER, API.SERVICEUSAGE, API.IAM, API.IAP
+# Used for API.CLOUDRESOURCEMANAGER, API.SERVICEUSAGE, API.IAM
 def getAPIService(api, httpObj):
  api, version, v2discovery = API.getVersion(api)
  return googleapiclient.discovery.build(api, version, http=httpObj, cache_discovery=False,
@@ -7356,6 +7356,12 @@ def addFieldToFieldsList(fieldName, fieldsChoiceMap, fieldsList):
 def _getFieldsList():
  return getString(Cmd.OB_FIELD_NAME_LIST).lower().replace('_', '').replace(',', ' ').split()

+def _getRawFields(requiredField=None):
+  rawFields = getString(Cmd.OB_FIELDS)
+  if requiredField is None or requiredField in rawFields:
+    return rawFields
+  return f'{requiredField},{rawFields}'
+
 def _addInitialField(fieldsList, initialField):
  if isinstance(initialField, list):
    fieldsList.extend(initialField)
@@ -11361,13 +11367,32 @@ def doEnableAPIs():
      url = f'https://console.cloud.google.com/apis/enableflow?apiid={apiid}&project={projectId}'
      writeStdout(f'    {url}\n\n')

+def _waitForSvcAcctCompletion(i):
+  sleep_time = i*5
+  if i > 3:
+    sys.stdout.write(Msg.WAITING_FOR_ITEM_CREATION_TO_COMPLETE_SLEEPING.format(Ent.Singular(Ent.SVCACCT), sleep_time))
+  time.sleep(sleep_time)
+
 def _grantRotateRights(iam, projectId, service_account, email, account_type='serviceAccount'):
-  printEntityMessage([Ent.PROJECT, projectId, Ent.SVCACCT, email],
-                     Msg.HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY.format(email, service_account))
  body = {'policy': {'bindings': [{'role': 'roles/iam.serviceAccountKeyAdmin',
                                   'members': [f'{account_type}:{email}']}]}}
-  callGAPI(iam.projects().serviceAccounts(), 'setIamPolicy',
-           resource=f'projects/{projectId}/serviceAccounts/{service_account}', body=body)
+  maxRetries = 10
+  printEntityMessage([Ent.PROJECT, projectId, Ent.SVCACCT, email],
+                     Msg.HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY.format(email, service_account))
+  for retry in range(1, maxRetries+1):
+    try:
+      callGAPI(iam.projects().serviceAccounts(), 'setIamPolicy',
+               throwReasons=[GAPI.INVALID_ARGUMENT],
+               resource=f'projects/{projectId}/serviceAccounts/{service_account}', body=body)
+      return True
+    except GAPI.invalidArgument as e:
+      entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, service_account], str(e))
+      if 'does not exist' not in str(e) or retry == maxRetries:
+        return False
+      _waitForSvcAcctCompletion(retry)
+    except Exception as e:
+      entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, service_account], str(e))
+      return False

 def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True):
  iam = getAPIService(API.IAM, httpObj)
@@ -11392,24 +11417,12 @@ def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True)
                                             clientId=service_account['uniqueId']):
    return False
  sa_email = service_account['name'].rsplit('/', 1)[-1]
-  _grantRotateRights(iam, projectInfo['projectId'], sa_email, sa_email)
-  return True
-
-def setGAMProjectConsentScreen(httpObj, projectId, appInfo):
-  sys.stdout.write(Msg.SETTING_GAM_PROJECT_CONSENT_SCREEN)
-  iap = getAPIService(API.IAP, httpObj)
-  try:
-    callGAPI(iap.projects().brands(), 'create',
-             throwReasons=[GAPI.ALREADY_EXISTS, GAPI.INVALID_ARGUMENT],
-             parent=f'projects/{projectId}', body=appInfo)
-  except (GAPI.invalidArgument, GAPI.alreadyExists):
-    pass
+  return _grantRotateRights(iam, projectInfo['projectId'], sa_email, sa_email)

 def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key=True):
  def _checkClientAndSecret(csHttpObj, client_id, client_secret):
    post_data = {'client_id': client_id, 'client_secret': client_secret,
                 'code': 'ThisIsAnInvalidCodeOnlyBeingUsedToTestIfClientAndSecretAreValid',
-#                 'redirect_uri': 'urn:ietf:wg:oauth:2.0:oob', 'grant_type': 'authorization_code'}
                 'redirect_uri': 'http://127.0.0.1:8080', 'grant_type': 'authorization_code'}
    _, content = csHttpObj.request(API.GOOGLE_OAUTH2_TOKEN_ENDPOINT, 'POST', urlencode(post_data),
                                   headers={'Content-type': 'application/x-www-form-urlencoded'})
@@ -11434,16 +11447,14 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,

  if not enableGAMProjectAPIs(httpObj, projectInfo['projectId'], login_hint, False):
    return
-  if appInfo:
-    setGAMProjectConsentScreen(httpObj, projectInfo['projectId'], appInfo)
-  console_url = f'https://console.cloud.google.com/apis/credentials/oauthclient?project={projectInfo["projectId"]}&authuser={login_hint}'
+  sys.stdout.write(Msg.SETTING_GAM_PROJECT_CONSENT_SCREEN_CREATING_CLIENT)
+  console_url = f'https://console.cloud.google.com/auth/clients?project={projectInfo["projectId"]}&authuser={login_hint}'
  csHttpObj = getHttpObj()
  while True:
-    sys.stdout.write(Msg.CREATE_PROJECT_INSTRUCTIONS.format(console_url))
+    sys.stdout.write(Msg.CREATE_CLIENT_INSTRUCTIONS.format(console_url, appInfo['applicationTitle'], appInfo['supportEmail']))
    client_id = readStdin(Msg.ENTER_YOUR_CLIENT_ID).strip()
    if not client_id:
      client_id = readStdin('').strip()
-    sys.stdout.write(Msg.GO_BACK_TO_YOUR_BROWSER_AND_COPY_YOUR_CLIENT_SECRET_VALUE)
    client_secret = readStdin(Msg.ENTER_YOUR_CLIENT_SECRET).strip()
    if not client_secret:
      client_secret = readStdin('').strip()
@@ -11451,7 +11462,6 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
    if client_valid:
      break
    sys.stdout.write('\n')
-# Deleted: "redirect_uris": ["http://localhost", "urn:ietf:wg:oauth:2.0:oob"],
  cs_data = f'''{{
    "installed": {{
        "auth_provider_x509_cert_url": "{API.GOOGLE_AUTH_PROVIDER_X509_CERT_URL}",
@@ -11464,7 +11474,6 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
    }}
 }}'''
  writeFile(GC.Values[GC.CLIENT_SECRETS_JSON], cs_data, continueOnError=False)
-  sys.stdout.write(Msg.GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP)
  sys.stdout.write(Msg.TRUST_GAM_CLIENT_ID.format(GAM, client_id))
  readStdin('')
  if not _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key):
@@ -11590,7 +11599,7 @@ def _getLoginHintProjectInfo(createCmd):
        _checkProjectName(projectInfo['name'])
      elif _getSvcAcctInfo(myarg, svcAcctInfo):
        pass
-      elif createCmd and _getAppInfo(myarg, appInfo):
+      elif _getAppInfo(myarg, appInfo):
        pass
      elif myarg in {'algorithm', 'localkeysize', 'validityhours', 'yubikey'}:
        Cmd.Backup()
@@ -11874,14 +11883,15 @@ def doCreateProject():

 # gam use project [<EmailAddress>] [<ProjectID>]
 # gam use project [admin <EmailAddress>] [project <ProjectID>]
+#	[appname <String>] [supportemail <EmailAddress>]
 #	[saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>] [sadescription <ServiceAccountDescription>]
 #	[(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
 #	 (localkeysize 1024|2048|4096 [validityhours <Number>])|
 #	 (yubikey yubikey_pin yubikey_slot AUTHENTICATION yubikey_serialnumber <String>)]
 def doUseProject():
  _checkForExistingProjectFiles([GC.Values[GC.OAUTH2SERVICE_JSON], GC.Values[GC.CLIENT_SECRETS_JSON]])
-  _, httpObj, login_hint, _, projectInfo, svcAcctInfo, create_key = _getLoginHintProjectInfo(False)
-  _createClientSecretsOauth2service(httpObj, login_hint, {}, projectInfo, svcAcctInfo, create_key)
+  _, httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key = _getLoginHintProjectInfo(False)
+  _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key)

 # gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 def doUpdateProject():
@@ -12577,12 +12587,6 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
      else:
        unknownArgumentExit()

-  def waitForCompletion(i):
-    sleep_time = i*5
-    if i > 3:
-      sys.stdout.write(Msg.WAITING_FOR_ITEM_CREATION_TO_COMPLETE_SLEEPING.format(Ent.Singular(Ent.SVCACCT), sleep_time))
-    time.sleep(sleep_time)
-
  local_key_size = 2048
  validityHours = 0
  body = {}
@@ -12652,12 +12656,12 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
        if retry == maxRetries:
          entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
          return False
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
      except GAPI.permissionDenied:
        if retry == maxRetries:
          entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
          return False
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
      except GAPI.badRequest as e:
        entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
        return False
@@ -12670,7 +12674,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
          new_data['private_key'] = ''
          newPrivateKeyId = ''
          break
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
    new_data['private_key_id'] = newPrivateKeyId
    oauth2service_data = _formatOAuth2ServiceData(new_data)
  else:
@@ -12687,7 +12691,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
        if retry == maxRetries:
          entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
          return False
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
      except GAPI.badRequest as e:
        entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
        return False
@@ -12728,7 +12732,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
          if retry == maxRetries:
            entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
            break
-          waitForCompletion(retry)
+          _waitForSvcAcctCompletion(retry)
        except GAPI.badRequest as e:
          entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], str(e), i, count)
          break
@@ -13090,13 +13094,13 @@ def _checkDataRequiredServices(result, tryDate, dataRequiredServices, parameterS
 #  0: Backup to earlier date
 #  1: Data available
  oneDay = datetime.timedelta(days=1)
-  warnings = result.get('warnings', [])
+  dataWarnings = result.get('warnings', [])
  usageReports = result.get('usageReports', [])
  # move to day before if we don't have at least one usageReport with parameters
  if not usageReports or not usageReports[0].get('parameters', []):
    tryDateTime = datetime.datetime.strptime(tryDate, YYYYMMDD_FORMAT)-oneDay
    return (0, tryDateTime.strftime(YYYYMMDD_FORMAT), None)
-  for warning in warnings:
+  for warning in dataWarnings:
    if warning['code'] == 'PARTIAL_DATA_AVAILABLE':
      for app in warning['data']:
        if app['key'] == 'application' and app['value'] != 'docs' and app['value'] in dataRequiredServices:
@@ -13521,7 +13525,7 @@ REPORT_ACTIVITIES_TIME_OBJECTS = {'time'}
 #	[event|events <EventNameList>] [ip <String>]
 #	[groupidfilter <String>]
 #	[maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
-#	[countsonly [summary] [eventrowfilter]]
+#	[countsonly [bydate|summary] [eventrowfilter]]
 #	(addcsvdata <FieldName> <String>)* [shownoactivities]
 # gam report users|user [todrive <ToDriveAttribute>*]
 #	[(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
@@ -13794,8 +13798,8 @@ def doReport():
  filterTimes = {}
  maxActivities = maxEvents = 0
  maxResults = 1000
-  aggregateByDate = aggregateByUser = convertMbToGb = countsOnly = eventRowFilter = exitUserLoop = \
-    noAuthorizedApps = normalizeUsers = select = summary = userCustomerRange = False
+  aggregateByDate = aggregateByUser = convertMbToGb = countsOnly = countsByDate = countsSummary = \
+    eventRowFilter = exitUserLoop = noAuthorizedApps = normalizeUsers = select = userCustomerRange = False
  limitDateChanges = -1
  allVerifyUser = userKey = 'all'
  cd = orgUnit = orgUnitId = None
@@ -13893,8 +13897,10 @@ def doReport():
      actorIpAddress = getString(Cmd.OB_STRING)
    elif activityReports and myarg == 'countsonly':
      countsOnly = True
+    elif activityReports and myarg == 'bydate':
+      countsByDate = True
    elif activityReports and myarg == 'summary':
-      summary = True
+      countsSummary = True
    elif activityReports and myarg == 'eventrowfilter':
      eventRowFilter = True
    elif activityReports and myarg == 'groupidfilter':
@@ -13928,6 +13934,8 @@ def doReport():
      unknownArgumentExit()
  if aggregateByDate and aggregateByUser:
    usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format('aggregateByDate', 'aggregateByUser'))
+  if countsOnly and countsByDate and countsSummary:
+    usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format('bydate', 'summary'))
  parameters = ','.join(parameters) if parameters else None
  if usageReports and not includeServices:
    includeServices = set(fullDataServices)
@@ -14144,8 +14152,12 @@ def doReport():
      pageMessage = getPageMessage()
      users = [normalizeEmailAddressOrUID(userKey)]
      orgUnitId = None
+    zeroEventCounts = {}
    if not eventNames:
      eventNames.append(None)
+    else:
+      for eventName in eventNames:
+        zeroEventCounts[eventName] = 0
    i = 0
    count = len(users)
    for user in users:
@@ -14177,9 +14189,22 @@ def doReport():
          accessErrorExit(None)
        for activity in feed:
          events = activity.pop('events')
-          actor = activity['actor'].get('email', activity['actor'].get('key', UNKNOWN))
+          actor = activity['actor'].get('email')
+          if not actor:
+            actor = 'id:'+activity['actor'].get('profileId', UNKNOWN)
          if showOrgUnit:
            activity['actor']['orgUnitPath'] = userOrgUnits.get(actor, UNKNOWN)
+          if countsOnly and countsByDate:
+            eventTime = activity.get('id', {}).get('time', UNKNOWN)
+            if eventTime != UNKNOWN:
+              try:
+                eventTime, _ = iso8601.parse_date(eventTime)
+              except (iso8601.ParseError, OverflowError):
+                eventTime = UNKNOWN
+            if eventTime != UNKNOWN:
+              eventDate = eventTime.strftime(YYYYMMDD_FORMAT)
+            else:
+              eventDate = UNKNOWN
          if not countsOnly or eventRowFilter:
            activity_row = flattenJSON(activity, timeObjects=REPORT_ACTIVITIES_TIME_OBJECTS)
            purge_parameters = True
@@ -14230,18 +14255,32 @@ def doReport():
                if numEvents >= maxEvents > 0:
                  break
              elif csvPF.CheckRowTitles(row):
-                if not summary:
+                eventName = event['name']
+                if not countsSummary:
                  eventCounts.setdefault(actor, {})
-                  eventCounts[actor].setdefault(event['name'], 0)
-                  eventCounts[actor][event['name']] += 1
+                  if not countsByDate:
+                    eventCounts[actor].setdefault(eventName, 0)
+                    eventCounts[actor][eventName] += 1
+                  else:
+                    eventCounts[actor].setdefault(eventDate, {})
+                    eventCounts[actor][eventDate].setdefault(eventName, 0)
+                    eventCounts[actor][eventDate][eventName] += 1
                else:
-                  eventCounts.setdefault(event['name'], 0)
-                  eventCounts[event['name']] += 1
-          elif not summary:
+                  eventCounts.setdefault(eventName, 0)
+                  eventCounts[eventName] += 1
+          elif not countsSummary:
            eventCounts.setdefault(actor, {})
-            for event in events:
-              eventCounts[actor].setdefault(event['name'], 0)
-              eventCounts[actor][event['name']] += 1
+            if not countsByDate:
+              for event in events:
+                eventName = event['name']
+                eventCounts[actor].setdefault(eventName, 0)
+                eventCounts[actor][eventName] += 1
+            else:
+              for event in events:
+                eventName = event['name']
+                eventCounts[actor].setdefault(eventDate, {})
+                eventCounts[actor][eventDate].setdefault(eventName, 0)
+                eventCounts[actor][eventDate][eventName] += 1
          else:
            for event in events:
              eventCounts.setdefault(event['name'], 0)
@@ -14256,31 +14295,46 @@ def doReport():
    else:
      if eventRowFilter:
        csvPF.SetRowFilter([], GC.Values[GC.CSV_OUTPUT_ROW_FILTER_MODE])
-      if not summary:
-        csvPF.SetTitles('emailAddress')
+      if not countsSummary:
+        titles = ['emailAddress']
+        if countsOnly and countsByDate:
+          titles.append('date')
+        csvPF.SetTitles(titles)
+        csvPF.SetSortTitles(titles)
        if addCSVData:
          csvPF.AddTitles(sorted(addCSVData.keys()))
        if eventCounts:
-          for actor, events in iter(eventCounts.items()):
-            row = {'emailAddress': actor}
-            for event, count in iter(events.items()):
-              row[event] = count
-            if addCSVData:
-              row.update(addCSVData)
-            csvPF.WriteRowTitles(row)
+          if not countsByDate:
+            for actor, events in iter(eventCounts.items()):
+              row = {'emailAddress': actor}
+              row.update(zeroEventCounts)
+              for event, count in iter(events.items()):
+                row[event] = count
+              if addCSVData:
+                row.update(addCSVData)
+              csvPF.WriteRowTitles(row)
+          else:
+            for actor, eventDates in iter(eventCounts.items()):
+              for eventDate, events in iter(eventDates.items()):
+                row = {'emailAddress': actor, 'date': eventDate}
+                row.update(zeroEventCounts)
+                for event, count in iter(events.items()):
+                  row[event] = count
+                if addCSVData:
+                  row.update(addCSVData)
+                csvPF.WriteRowTitles(row)
        elif showNoActivities:
          row = {'emailAddress': 'NoActivities'}
          if addCSVData:
            row.update(addCSVData)
            csvPF.WriteRow(row)
-        csvPF.SetSortTitles(['emailAddress'])
      else:
        csvPF.SetTitles(['event', 'count'])
        if addCSVData:
          csvPF.AddTitles(sorted(addCSVData.keys()))
        if eventCounts:
-          for event in sorted(eventCounts):
-            row = {'event': event, 'count': eventCounts[event]}
+          for event, count in sorted(iter(eventCounts.items())):
+            row = {'event': event, 'count': count}
            if addCSVData:
              row.update(addCSVData)
            csvPF.WriteRow(row)
@@ -15058,15 +15112,15 @@ def doCreateResoldCustomer():
  except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden, GAPI.invalid) as e:
    entityActionFailedWarning([Ent.CUSTOMER_DOMAIN, body['customerDomain']], str(e))

-# gam update resoldcustomer <CustomerID> [customer_auth_token <String>] <ResoldCustomerAttribute>+
+# gam update resoldcustomer <CustomerID> <ResoldCustomerAttribute>+
 def doUpdateResoldCustomer():
  res = buildGAPIObject(API.RESELLER)
  customerId = getString(Cmd.OB_CUSTOMER_ID)
-  customerAuthToken, body = _getResoldCustomerAttr()
+  _, body = _getResoldCustomerAttr()
  try:
    callGAPI(res.customers(), 'patch',
             throwReasons=GAPI.RESELLER_THROW_REASONS,
-             customerId=customerId, body=body, customerAuthToken=customerAuthToken, fields='')
+             customerId=customerId, body=body, fields='')
    entityActionPerformed([Ent.CUSTOMER_ID, customerId])
  except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden, GAPI.invalid) as e:
    entityActionFailedWarning([Ent.CUSTOMER_ID, customerId], str(e))
@@ -15085,6 +15139,7 @@ def doInfoResoldCustomer():
                            customerId=customerId)
    if not FJQC.formatJSON:
      printKeyValueList(['Customer ID', customerInfo['customerId']])
+      printKeyValueList(['Customer Type', customerInfo['customerType']])
      printKeyValueList(['Customer Domain', customerInfo['customerDomain']])
      if 'customerDomainVerified' in customerInfo:
        printKeyValueList(['Customer Domain Verified', customerInfo['customerDomainVerified']])
@@ -16519,7 +16574,7 @@ def doInfoAdminRole():
      fieldsList.append('rolePrivileges')
    else:
      unknownArgumentExit()
-  fields = ','.join(set(fieldsList))
+  fields = getFieldsFromFieldsList(fieldsList)
  try:
    role = callGAPI(cd.roles(), 'get',
                    throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION,
@@ -17656,9 +17711,9 @@ def _getOrgUnits(cd, orgUnitPath, fieldsList, listType, showParent, batchSubOrgs
    if 'parentOrgUnitId' not in fieldsList:
      localFieldsList.append('parentOrgUnitId')
      deleteParentOrgUnitId = True
-    fields = ','.join(set(localFieldsList))
+    fields = getFieldsFromFieldsList(localFieldsList)
  else:
-    fields = ','.join(set(fieldsList))
+    fields = getFieldsFromFieldsList(fieldsList)
  listfields = f'organizationUnits({fields})'
  if listType == 'all' and  orgUnitPath == '/':
    printGettingAllAccountEntities(Ent.ORGANIZATIONAL_UNIT)
@@ -22120,8 +22175,7 @@ def printShowUserPeopleContacts(users):
    if not fieldsList:
      ofields = _getPersonFields(PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP, PEOPLE_CONTACTS_DEFAULT_FIELDS, fieldsList, parameters)
    else:
-      fieldsList = [PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP[field.lower()] for field in fieldsList if field.lower() in PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP]
-      ofields = ','.join(set(fieldsList))
+      ofields = getFieldsFromFieldsList([PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP[field.lower()] for field in fieldsList if field.lower() in PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP])
  i, count, users = getEntityArgument(users)
  for user in users:
    i += 1
@@ -24735,7 +24789,7 @@ def doPrintCrOSActivity(entityList=None):
  else:
    sortRows = True
    jcount = len(entityList)
-    fields = ','.join(set(fieldsList))
+    fields = getFieldsFromFieldsList(fieldsList)
    svcargs = dict([('customerId', GC.Values[GC.CUSTOMER_ID]), ('deviceId', None), ('projection', projection), ('fields', fields)]+GM.Globals[GM.EXTRA_ARGS_LIST])
    method = getattr(cd.chromeosdevices(), 'get')
    dbatch = cd.new_batch_http_request(callback=_callbackPrintCrOS)
@@ -25025,7 +25079,7 @@ def _showBrowser(browser, FJQC, i=0, count=0):
    return
  printEntity([Ent.CHROME_BROWSER, browser['deviceId']], i, count)
  Ind.Increment()
-  showJSON(None, browser, timeObjects=BROWSER_TIME_OBJECTS)
+  showJSON(None, browser, timeObjects=BROWSER_TIME_OBJECTS, dictObjectsKey={'machinePolicies': 'name'})
  Ind.Decrement()

 BROWSER_FIELDS_CHOICE_MAP = {
@@ -25065,11 +25119,13 @@ BROWSER_FIELDS_CHOICE_MAP = {
  'user': 'annotatedUser',
  'virtualdeviceid': 'virtualDeviceId',
  }
-BROWSER_ANNOTATED_FIELDS_LIST = ['annotatedAssetId', 'annotatedLocation', 'annotatedNotes', 'annotatedUser']
+BROWSER_ANNOTATED_FIELDS_LIST = ['annotatedAssetId', 'annotatedLocation', 'annotatedNotes', 'annotatedUser', 'deviceId']
 BROWSER_FULL_ACCESS_FIELDS = {'browsers', 'lastDeviceUsers', 'lastStatusReportTime', 'machinePolicies'}

 # gam info browser <DeviceID>
-#	[basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+#	(basic|full|annotated |
+#	 (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+#	 (rawfields <BrowserFieldNameList>))
 #	[formatjson]
 def doInfoBrowsers():
  cbcm = buildGAPIObject(API.CBCM)
@@ -25077,6 +25133,7 @@ def doInfoBrowsers():
  deviceId = getString(Cmd.OB_DEVICE_ID)
  projection = 'BASIC'
  fieldsList = []
+  rawFields = None
  FJQC = FormatJSONQuoteChar()
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
@@ -25088,16 +25145,21 @@ def doInfoBrowsers():
      fieldsList = []
    elif getFieldsList(myarg, BROWSER_FIELDS_CHOICE_MAP, fieldsList, initialField='deviceId'):
      pass
+    elif myarg == 'rawfields':
+      projection = 'FULL'
+      rawFields = _getRawFields('deviceId')
    else:
      FJQC.GetFormatJSON(myarg)
  if projection == 'BASIC' and set(fieldsList).intersection(BROWSER_FULL_ACCESS_FIELDS):
    projection = 'FULL'
-  fields = ','.join(set(fieldsList))
+  fields = getFieldsFromFieldsList(fieldsList) if not rawFields else rawFields
  try:
    browser = callGAPI(cbcm.chromebrowsers(), 'get',
-                       throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.FORBIDDEN],
+                       throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.INVALID_ARGUMENT, GAPI.FORBIDDEN],
                       customer=customerId, deviceId=deviceId, projection=projection, fields=fields)
    _showBrowser(browser, FJQC)
+  except GAPI.invalidArgument as e:
+    entityActionFailedWarning([Ent.CHROME_BROWSER, deviceId], str(e))
  except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
    checkEntityAFDNEorAccessErrorExit(None, Ent.CHROME_BROWSER, deviceId)

@@ -25298,7 +25360,7 @@ def doInfoChromeProfile():
      pass
    else:
      FJQC.GetFormatJSON(myarg)
-  fields = ','.join(set(fieldsList))
+  fields = getFieldsFromFieldsList(fieldsList)
  try:
    profile = callGAPI(cm.customers().profiles(), 'get',
                       throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.NOT_FOUND, GAPI.PERMISSION_DENIED],
@@ -25430,13 +25492,19 @@ BROWSER_ORDERBY_CHOICE_MAP = {
 #	([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
 #	[querytime<String> <Time>]
 #	[orderby <BrowserOrderByFieldName> [ascending|descending]]
-#	[basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+#	(basic|full|annotated |
+#	 (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+#	 (rawfields <BrowserFieldNameList>))
+#	(<BrowserFieldName>* [fields <BrowserFieldNameList>]|(rawfields <BrowserFieldNameList>)
 #	[formatjson]
 # gam print browsers [todrive <ToDriveAttribute>*]
 #	([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
 #	[querytime<String> <Time>]
 #	[orderby <BrowserOrderByFieldName> [ascending|descending]]
-#	[basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+#	(basic|full|annotated |
+#	 (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+#	 (rawfields <BrowserFieldNameList>))
+#	(<BrowserFieldName>* [fields <BrowserFieldNameList>]|(rawfields <BrowserFieldNameList>)
 #	[sortheaders] [formatjson [quotechar <Character>]]
 def doPrintShowBrowsers():
  def _printBrowser(browser):
@@ -25453,6 +25521,7 @@ def doPrintShowBrowsers():
  csvPF = CSVPrintFile(['deviceId']) if Act.csvFormat() else None
  FJQC = FormatJSONQuoteChar(csvPF)
  fieldsList = []
+  rawFields = None
  projection = 'BASIC'
  orderBy = 'id'
  sortOrder = 'ASCENDING'
@@ -25491,22 +25560,25 @@ def doPrintShowBrowsers():
      sortHeaders = True
    elif getFieldsList(myarg, BROWSER_FIELDS_CHOICE_MAP, fieldsList, initialField='deviceId'):
      pass
+    elif myarg == 'rawfields':
+      projection = 'FULL'
+      rawFields = _getRawFields('deviceId')
    else:
      FJQC.GetFormatJSONQuoteChar(myarg, True)
  if projection == 'BASIC' and set(fieldsList).intersection(BROWSER_FULL_ACCESS_FIELDS):
    projection = 'FULL'
-  fields = getItemFieldsFromFieldsList('browsers', fieldsList)
  if FJQC.formatJSON:
    sortHeaders = False
  substituteQueryTimes(queries, queryTimes)
  if entityList is None:
+    fields = getItemFieldsFromFieldsList('browsers', fieldsList) if not rawFields else f'nextPageToken,browsers({rawFields})'
    for query in queries:
      printGettingAllAccountEntities(Ent.CHROME_BROWSER, query)
      pageMessage = getPageMessage()
      try:
        feed = yieldGAPIpages(cbcm.chromebrowsers(), 'list', 'browsers',
                              pageMessage=pageMessage, messageAttribute='deviceId',
-                              throwReasons=[GAPI.INVALID_INPUT, GAPI.BAD_REQUEST, GAPI.INVALID_ORGUNIT, GAPI.FORBIDDEN],
+                              throwReasons=[GAPI.INVALID_INPUT, GAPI.BAD_REQUEST, GAPI.INVALID_ARGUMENT, GAPI.INVALID_ORGUNIT, GAPI.FORBIDDEN],
                              retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                              customer=customerId, orgUnitPath=orgUnitPath, query=query, projection=projection,
                              orderBy=orderBy, sortOrder=sortOrder, fields=fields)
@@ -25530,7 +25602,7 @@ def doPrintShowBrowsers():
        else:
          entityActionFailedWarning([Ent.CHROME_BROWSER, None], str(e))
        return
-      except (GAPI.invalidOrgunit, GAPI.forbidden) as e:
+      except (GAPI.invalidArgument, GAPI.invalidOrgunit, GAPI.forbidden) as e:
        entityActionFailedWarning([Ent.CHROME_BROWSER, None], str(e))
        return
      except (GAPI.badRequest, GAPI.resourceNotFound):
@@ -25538,15 +25610,17 @@ def doPrintShowBrowsers():
  else:
    sortRows = True
    jcount = len(entityList)
-    fields = getFieldsFromFieldsList(fieldsList)
+    fields = getFieldsFromFieldsList(fieldsList) if not rawFields else rawFields
    j = 0
    for deviceId in entityList:
      j += 1
      try:
        browser = callGAPI(cbcm.chromebrowsers(), 'get',
-                           throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.FORBIDDEN],
+                           throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.INVALID_ARGUMENT, GAPI.FORBIDDEN],
                           customer=customerId, deviceId=deviceId, projection=projection, fields=fields)
        _printBrowser(browser)
+      except GAPI.invalidArgument as e:
+        entityActionFailedWarning([Ent.CHROME_BROWSER, deviceId], str(e))
      except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
        checkEntityAFDNEorAccessErrorExit(None, Ent.CHROME_BROWSER, deviceId)
  if csvPF:
@@ -31683,6 +31757,8 @@ def doCreateGroup(ciGroupsAPI=False):
                                                      'query': getString(Cmd.OB_QUERY)})
    elif ciGroupsAPI and myarg == 'makeowner':
      initialGroupConfig = 'WITH_INITIAL_OWNER'
+    elif ciGroupsAPI and myarg in {'security', 'makesecuritygroup'}:
+      body['labels'][CIGROUP_SECURITY_LABEL] = ''
    elif myarg == 'verifynotinvitable':
      verifyNotInvitable = True
    else:
@@ -34559,8 +34635,11 @@ def doPrintShowGroupTree():
  if csvPF:
    csvPF.writeCSVfile('Group Tree')

-# gam create cigroup <EmailAddress> [copyfrom <GroupItem>] <GroupAttribute>
-#	[makeowner] [alias|aliases <CIGroupAliasList>] [dynamic <QueryDynamicGroup>]
+# gam create cigroup <EmailAddress>
+#	[copyfrom <GroupItem>] <GroupAttribute>
+#	[makeowner] [alias|aliases <CIGroupAliasList>]
+#	[security|makesecuritygroup]
+#	[dynamic <QueryDynamicGroup>]
 def doCreateCIGroup():
  doCreateGroup(ciGroupsAPI=True)

@@ -37395,7 +37474,7 @@ def _doDeleteResourceCalendars(entityList):
               retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
               customer=GC.Values[GC.CUSTOMER_ID], calendarResourceId=resourceId)
      entityActionPerformed([Ent.RESOURCE_CALENDAR, resourceId], i, count)
-    except GAPI.serviceNotAvailable  as e:
+    except GAPI.serviceNotAvailable as e:
      entityActionFailedWarning([Ent.RESOURCE_CALENDAR, resourceId], str(e), i, count)
    except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
      checkEntityAFDNEorAccessErrorExit(cd, Ent.RESOURCE_CALENDAR, resourceId, i, count)
@@ -39114,10 +39193,12 @@ def _wipeCalendarEvents(user, origCal, calIds, count):
      continue
    try:
      callGAPI(cal.calendars(), 'clear',
-               throwReasons=GAPI.CALENDAR_THROW_REASONS+[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.INVALID, GAPI.REQUIRED_ACCESS_LEVEL],
+               throwReasons=GAPI.CALENDAR_THROW_REASONS+[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.INVALID,
+                                                         GAPI.REQUIRED_ACCESS_LEVEL, GAPI.SERVICE_NOT_AVAILABLE],
+               retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
               calendarId=calId)
      entityActionPerformed([Ent.CALENDAR, calId], i, count)
-    except (GAPI.notFound, GAPI.forbidden, GAPI.invalid, GAPI.requiredAccessLevel) as e:
+    except (GAPI.notFound, GAPI.forbidden, GAPI.invalid, GAPI.requiredAccessLevel, GAPI.serviceNotAvailable) as e:
      entityActionFailedWarning([Ent.CALENDAR, calId], str(e), i, count)
    except GAPI.notACalendarUser:
      userCalServiceNotEnabledWarning(calId, i, count)
@@ -40374,9 +40455,10 @@ VAULT_SEARCH_METHODS_MAP = {
 VAULT_CORPUS_ARGUMENT_MAP = {
  'calendar': 'CALENDAR',
  'drive': 'DRIVE',
-  'mail': 'MAIL',
+  'gemini': 'GEMINI',
  'groups': 'GROUPS',
  'hangoutschat': 'HANGOUTS_CHAT',
+  'mail': 'MAIL',
  'voice': 'VOICE',
  }
 VAULT_COUNTS_CORPUS_ARGUMENT_MAP = {
@@ -40403,15 +40485,22 @@ VAULT_EXPORT_FORMAT_MAP = {
  'ics': 'ICS',
  'mbox': 'MBOX',
  'pst': 'PST',
+  'xml': 'XML',
  }
 VAULT_CORPUS_EXPORT_FORMATS = {
  'CALENDAR': ['ICS', 'PST'],
  'DRIVE': [],
+  'GEMINI': ['XML'],
  'GROUPS': ['MBOX', 'PST'],
  'HANGOUTS_CHAT': ['MBOX', 'PST'],
  'MAIL': ['MBOX', 'PST'],
  'VOICE' : ['MBOX', 'PST'],
  }
+VAULT_CSE_OPTION_MAP = {
+  'any': 'CLIENT_SIDE_ENCRYPTED_OPTION_ANY',
+  'encrypted': 'CLIENT_SIDE_ENCRYPTED_OPTION_ENCRYPTED',
+  'unencrypted': 'CLIENT_SIDE_ENCRYPTED_OPTION_UNENCRYPTED',
+  }
 VAULT_EXPORT_REGION_MAP = {
  'any': 'ANY',
  'europe': 'EUROPE',
@@ -40420,16 +40509,18 @@ VAULT_EXPORT_REGION_MAP = {
 VAULT_CORPUS_OPTIONS_MAP = {
  'CALENDAR': 'calendarOptions',
  'DRIVE': 'driveOptions',
-  'MAIL': 'mailOptions',
+  'GEMINI': 'geminiOptions',
  'GROUPS': 'groupsOptions',
  'HANGOUTS_CHAT': 'hangoutsChatOptions',
+  'MAIL': 'mailOptions',
  'VOICE': 'voiceOptions',
  }
 VAULT_CORPUS_QUERY_MAP = {
  'CALENDAR': None,
  'DRIVE': 'driveQuery',
-  'MAIL': 'mailQuery',
+  'GEMINI': None,
  'GROUPS': 'groupsQuery',
+  'MAIL': 'mailQuery',
  'HANGOUTS_CHAT': 'hangoutsChatQuery',
  'VOICE': 'voiceQuery',
  }
@@ -40438,11 +40529,11 @@ VAULT_QUERY_ARGS = [
 # calendar
  'locationquery', 'peoplequery', 'minuswords', 'responsestatuses', 'caldendarversiondate',
 # drive
-  'driveversiondate', 'includeshareddrives', 'includeteamdrives',
+  'driveclientsideencryption', 'driveversiondate', 'includeshareddrives', 'includeteamdrives',
 # hangoutsChat
  'includerooms',
 # mail
-  'excludedrafts',
+  'mailclientsideencryption', 'excludedrafts',
 # voice
  'covereddata',
  ] + list(VAULT_SEARCH_METHODS_MAP.keys())
@@ -40499,12 +40590,16 @@ def _buildVaultQuery(myarg, query, corpusArgumentMap):
    query.setdefault('driveOptions', {})['versionDate'] = getTimeOrDeltaFromNow()
  elif myarg in {'includeshareddrives', 'includeteamdrives'}:
    query.setdefault('driveOptions', {})['includeSharedDrives'] = getBoolean()
+  elif myarg == 'driveclientsideencryption':
+    query.setdefault('driveOptions', {})['clientSideEncryptedOption'] = getChoice(VAULT_CSE_OPTION_MAP, mapChoice=True)
 # hangoutsChat
  elif myarg == 'includerooms':
    query['hangoutsChatOptions'] = {'includeRooms': getBoolean()}
 # mail
  elif myarg == 'excludedrafts':
    query['mailOptions'] = {'excludeDrafts': getBoolean()}
+  elif myarg == 'mailclientsideencryption':
+    query.setdefault('mailOptions', {})['clientSideEncryptedOption'] = getChoice(VAULT_CSE_OPTION_MAP, mapChoice=True)
 # voice
  elif myarg == 'covereddata':
    query['voiceOptions'] = {'coveredData': getChoice(VAULT_VOICE_COVERED_DATA_MAP, mapChoice=True)}
@@ -40519,7 +40614,7 @@ def _validateVaultQuery(body, corpusArgumentMap):
      if body['query']['corpus'] != corpus:
        body['exportOptions'].pop(options, None)

-# gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
+# gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
 #	(accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
 #	(shareddrives|teamdrives <TeamDriveIDList>) | (rooms <RoomList>) | (sitesurl <URLList>)
 #	[scope <all_data|held_data|unprocessed_data>]
@@ -40527,10 +40622,12 @@ def _validateVaultQuery(body, corpusArgumentMap):
 #	[locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
 #	[responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
 #	[includeshareddrives <Boolean>] [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+#	[driveclientsideencryption any|encrypted|unencrypted]
 #	[includerooms <Boolean>]
-#	[excludedrafts <Boolean>] [format mbox|pst]
+#	[excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
 #	[showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
 #	[covereddata calllogs|textmessages|voicemails]
+#	[format ics|mbox|pst|xml]
 #	[region any|europe|us] [showdetails|returnidonly]
 def doCreateVaultExport():
  v = buildGAPIObject(API.VAULT)
@@ -48190,7 +48287,7 @@ def doPrintCourseTopics():
      jcount = len(courseTopicIds)
      if jcount == 0:
        continue
-      fields = f'{",".join(set(fieldsList))}'
+      fields = getFieldsFromFieldsList(fieldsList)
      j = 0
      for courseTopicId in courseTopicIds:
        j += 1
@@ -48425,7 +48522,7 @@ def doPrintCourseWM(entityIDType, entityStateType):
      jcount = len(courseWMIds)
      if jcount == 0:
        continue
-      fields = f'{",".join(set(fieldsList))}' if fieldsList else None
+      fields = getFieldsFromFieldsList(fieldsList)
      j = 0
      for courseWMId in courseWMIds:
        j += 1
@@ -58832,6 +58929,8 @@ def initCopyMoveOptions(copyCmd):
    'fileMimeTypes': set(),
    'notMimeTypes': False,
    'copySubFilesOwnedBy': None,
+    'copyPermissionRoles': set(DRIVEFILE_ACL_ROLES_MAP.values()),
+    'copyPermissionTypes': set(DRIVEFILE_ACL_PERMISSION_TYPES),
    }

 DUPLICATE_FILE_CHOICES = {
@@ -58920,6 +59019,20 @@ def getCopyMoveOptions(myarg, copyMoveOptions):
        copyMoveOptions['copyFileInheritedPermissions'] = getBoolean()
      elif myarg == 'copyfilenoninheritedpermissions':
        copyMoveOptions['copyFileNonInheritedPermissions'] = COPY_NONINHERITED_PERMISSIONS_ALWAYS if getBoolean() else COPY_NONINHERITED_PERMISSIONS_NEVER
+      elif myarg == 'copypermissionroles':
+        copyMoveOptions['copyPermissionRoles'] = set()
+        for prole in getString(Cmd.OB_PERMISSION_ROLE_LIST).lower().replace(',', ' ').split():
+          if prole in DRIVEFILE_ACL_ROLES_MAP:
+            copyMoveOptions['copyPermissionRoles'].add(DRIVEFILE_ACL_ROLES_MAP[prole])
+          else:
+            invalidChoiceExit(prole, DRIVEFILE_ACL_ROLES_MAP, True)
+      elif myarg == 'copypermissiontypes':
+        copyMoveOptions['copyPermissionTypes'] = set()
+        for ptype in getString(Cmd.OB_PERMISSION_TYPE_LIST).lower().replace(',', ' ').split():
+          if ptype in DRIVEFILE_ACL_PERMISSION_TYPES:
+            copyMoveOptions['copyPermissionTypes'].add(ptype)
+          else:
+            invalidChoiceExit(ptype, DRIVEFILE_ACL_PERMISSION_TYPES, True)
      elif myarg == 'copysheetprotectedranges':
        if getBoolean():
          copyMoveOptions['copySheetProtectedRangesInheritedPermissions'] = True
@@ -59033,15 +59146,20 @@ def _copyPermissions(drive, user, i, count, j, jcount,
  def isPermissionCopyable(kvList, permission):
    role = permission['role']
    emailAddress = permission.get('emailAddress', '')
+    permissionType = permission['type']
    domain = ''
    if copyMoveOptions['excludePermissionsFromDomains'] or copyMoveOptions['includePermissionsFromDomains']:
-      if permission['type'] in {'group', 'user'}:
+      if permissionType in {'group', 'user'}:
        atLoc = emailAddress.find('@')
        if atLoc > 0:
          domain = emailAddress[atLoc+1:]
-      elif permission['type'] == 'domain':
+      elif permissionType == 'domain':
        domain = permission.get('domain', '')
-    if permission['inherited'] and not copyMoveOptions[copyInherited]:
+    if role not in copyMoveOptions['copyPermissionRoles']:
+      notCopiedMessage = f'role {role} not selected'
+    elif permissionType not in copyMoveOptions['copyPermissionTypes']:
+      notCopiedMessage = f'type {permissionType} not selected'
+    elif permission['inherited'] and not copyMoveOptions[copyInherited]:
      notCopiedMessage = 'inherited not selected'
    elif not permission['inherited'] and copyMoveOptions[copyNonInherited] == COPY_NONINHERITED_PERMISSIONS_NEVER:
      notCopiedMessage = 'noninherited not selected'
@@ -59057,8 +59175,8 @@ def _copyPermissions(drive, user, i, count, j, jcount,
      notCopiedMessage = f'domain {domain} excluded'
    elif domain and copyMoveOptions['includePermissionsFromDomains'] and domain not in copyMoveOptions['includePermissionsFromDomains']:
      notCopiedMessage = f'domain {domain} not included'
-    elif permission.pop('deleted', False):
-      notCopiedMessage = f"{permission['type']} {permission['emailAddress']} deleted"
+    elif permission.pop('deleted', False) or (permissionType in {'group', 'user'} and not emailAddress):
+      notCopiedMessage = f"{permissionType} deleted or has blank email address"
    elif ((copyInherited == 'copySheetProtectedRangesInheritedPermissions' and copyMoveOptions[copyInherited]) or
          (copyNonInherited == 'copySheetProtectedRangesNonInheritedPermissions' and
           copyMoveOptions[copyNonInherited] != COPY_NONINHERITED_PERMISSIONS_NEVER)):
@@ -59496,6 +59614,8 @@ copyReturnItemMap = {
 #	[copysubfolderpermissions [<Boolean>]]
 #	[copysubfolderinheritedpermissions [<Boolean>]]
 #	[copysubfoldernoniheritedpermissions never|always|syncallfolders|syncupdatedfolders]
+#	[copypermissionroles <DriveFileACLRoleList>]
+#	[copypermissiontypes <DriveFileACLTypeList>]
 #	[excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
 #	(mappermissionsdomain <DomainName> <DomainName>)*
 #	[copysheetprotectedranges [<Boolean>]]
@@ -60310,6 +60430,8 @@ def _updateMoveFilePermissions(drive, user, i, count,
 #	[copysubfolderpermissions [<Boolean>]]
 #	[copysubfolderinheritedpermissions [<Boolean>]]
 #	[copysubfoldernoniheritedpermissions never|always|syncallfolders|syncupdatedfolders]
+#	[copypermissionroles <DriveFileACLRoleList>]
+#	[copypermissiontypes <DriveFileACLTypeList>]
 #	[synctopfoldernoniheritedpermissions [<Boolean>]] [syncsubfoldernoninheritedpermissions [<Boolean>]]
 #	[excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
 #	(mappermissionsdomain <DomainName> <DomainName>)*
@@ -65420,7 +65542,7 @@ def infoSharedDrive(users, useDomainAdminAccess=False):
      guiRoles = getBoolean()
    else:
      FJQC.GetFormatJSON(myarg)
-  fields = ','.join(set(fieldsList)) if fieldsList else '*'
+  fields = getFieldsFromFieldsList(fieldsList) if fieldsList else '*'
  i, count, users = getEntityArgument(users)
  for user in users:
    i += 1
@@ -69326,13 +69448,18 @@ LABEL_COUNTS_FIELDS = ','.join(LABEL_COUNTS_FIELDS_LIST)
 def printShowLabels(users):
  def _buildLabelTree(labels):
    def _checkChildLabel(label):
-      if label.find('/') != -1:
-        (parent, base) = label.rsplit('/', 1)
+      labelItemList = label.split('/')
+      i = len(labelItemList)-1
+      while i > 0:
+        parent = '/'.join(labelItemList[:i])
+        base = '/'.join(labelItemList[i:])
        if parent in labelTree:
          if label in labelTree:
            labelTree[label]['info']['base'] = base
            labelTree[parent]['children'].append(labelTree.pop(label))
          _checkChildLabel(parent)
+          return
+        i -= 1

    labelTree = {}
    for label in labels['labels']:
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -71,7 +71,6 @@ GROUPSMIGRATION = 'groupsmigration'
 GROUPSSETTINGS = 'groupssettings'
 IAM = 'iam'
 IAM_CREDENTIALS = 'iamcredentials'
-IAP = 'iap'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
@@ -185,7 +184,6 @@ PROJECT_APIS = [
  'groupsmigration.googleapis.com',
  'groupssettings.googleapis.com',
  'iam.googleapis.com',
-  'iap.googleapis.com',
  'keep.googleapis.com',
  'licensing.googleapis.com',
  'meet.googleapis.com',
@@ -250,7 +248,6 @@ _INFO = {
  GROUPSSETTINGS: {'name': 'Groups Settings API', 'version': 'v1', 'v2discovery': True},
  IAM: {'name': 'Identity and Access Management API', 'version': 'v1', 'v2discovery': True},
  IAM_CREDENTIALS: {'name': 'Identity and Access Management Credentials API', 'version': 'v1', 'v2discovery': True},
-  IAP: {'name': 'Cloud Identity-Aware Proxy API', 'version': 'v1', 'v2discovery': True},
  KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
  LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
  LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -924,6 +924,7 @@ class GamCLArgs():
  OB_EXPORT_ITEM = 'ExportItem'
  OB_FIELD_NAME = 'FieldName'
  OB_FIELD_NAME_LIST = "FieldNameList"
+  OB_FIELDS = 'Fields'
  OB_FILE_NAME = 'FileName'
  OB_FILE_NAME_FIELD_NAME = OB_FILE_NAME+'(:'+OB_FIELD_NAME+')+'
  OB_FILE_NAME_OR_URL = 'FileName|URL'
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -40,21 +40,43 @@ sign in as {0} and accept the Terms of Service (ToS). As soon as you've accepted

 PROJECT_STILL_BEING_CREATED_SLEEPING = 'Project still being created. Sleeping {0} seconds\n'
 FAILED_TO_CREATE_PROJECT = 'Failed to create project: {0}\n'
-SETTING_GAM_PROJECT_CONSENT_SCREEN = 'Setting GAM project consent screen...\n'
-CREATE_PROJECT_INSTRUCTIONS = '''
+SETTING_GAM_PROJECT_CONSENT_SCREEN_CREATING_CLIENT = 'Setting GAM project consent screen, creating client...\n'
+CREATE_CLIENT_INSTRUCTIONS = '''
 Please go to:

  {0}

-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "Client ID" value that shows on the next page.
+ 1. If "+ CREATE CLIENT" is on the screen, skip to step 14
+ 2. Click "GET STARTED"
+ 3. Under "App Information", enter {1} or another value in "App name *"
+ 4. Under "App Information", enter {2} in "User support email *"
+ 5. Click "NEXT"
+ 6. Under "Audience", choose INTERNAL
+ 7. Click "NEXT"
+ 8. Under, "Contact Information", enter an email address in "Email addresses *"
+ 9. Click "NEXT"
+10. Under "Finish", click "I agree to the Google API Services: User Data Policy."
+11. Click "CONTINUE"
+12. Click "CREATE"
+13. Click "Clients" in the left-hand column
+14. Click "+ CREATE CLIENT"
+15. Choose "Desktop App" for "Application type"
+16. Enter {1} or another value in "Name *"
+17. Click "Create"
+18. Under "Name", click your client name
+19. Copy the "Client ID" value under "Additional information"
+20. Paste it at the "Enter your Client ID: " prompt in your terminal
+21. Press return/enter in your terminal
+22. Switch back to the browser
+23. Copy the "Client secret" value under "Client Secrets"
+24. Paste it at the "Enter your Client Secret: " prompt in your terminal
+25. Press return/enter in your terminal
+26. Switch back to the browser
+27. Click "CANCEL"
+28. These steps are complete
 '''
 ENTER_YOUR_CLIENT_ID = '\nEnter your Client ID: '
-GO_BACK_TO_YOUR_BROWSER_AND_COPY_YOUR_CLIENT_SECRET_VALUE = '\n5. Go back to your browser and copy your "Client Secret" value.\n'
 ENTER_YOUR_CLIENT_SECRET = '\nEnter your Client Secret: '
-GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP = '\n6. Go back to your browser and click OK to close the "OAuth client" popup if it\'s still open.\n'
 IS_NOT_A_VALID_CLIENT_ID = '''

 {0}
@@ -78,12 +100,12 @@ Please go to:

  https://admin.google.com/ac/owl/list?tab=configuredApps

-1. Click on: Configure new app > OAuth App Name Or Client ID.
-2. Enter the following Client ID value:
+1. Click on: Configure new app
+2. Enter the following Client ID value in Search for app:

  {1}

-3. Press Search, select the {0} app, press Select, check the box and press Select.
+3. Press Search, select the {0} app, click
 4. Keep the default scope or select a preferred scope that includes your GAM admin.
 5. Press Continue
 6. Select Trusted radio button, press Continue and Finish.
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -11,4 +11,4 @@ lxml
 passlib>=1.7.2
 pathvalidate
 python-dateutil
-yubikey-manager>=5.0
+yubikey-manager[yubikey]>=5.0