Many organizations regularly rotate Google Groups members. Adding and removing members by hand is tedious, so it is worth automating through an API.

The Admin SDK (Directory API) is commonly introduced as a method for managing Google Groups members via API. However, the Admin SDK requires Google Workspace admin privileges, limiting the situations where it can be used.

This article shows how to bulk-manage Google Groups members using the Cloud Identity Groups API, which can be used even without admin privileges.

API Options

There are two main methods for managing Google Groups members via API.

Admin SDK (Directory API)

This is the most widely documented method.

    service = build('admin', 'directory_v1', credentials=creds)
    service.members().list(groupKey='group@example.com').execute()

To use it, one of the following is required:

  • A Google Workspace admin account
  • A service account + Domain-Wide Delegation (requires configuration in the admin console)

If you do not have admin privileges, 403 Forbidden is returned.

Cloud Identity Groups API

The Cloud Identity Groups API allows member operations without admin privileges if you are an owner or manager of the group. This article uses this method.

The differences between the two are summarized below.

| | Admin SDK (Directory API) | Cloud Identity Groups API |
|---|---|---|
| Admin privileges | Required | Not required |
| Group owner privileges | | Required |
| Domain-Wide Delegation | Required when using service accounts | Not required |
| OAuth user authentication | Admins only | Owners/managers can use |
| API endpoint | admin.directory_v1 | cloudidentity.v1 |
| Member operations | members() | groups().memberships() |

Prerequisites

  • You are an owner or manager of the target group
  • You have a Google Cloud project

Steps

1. Enable the API

Enable the following API in the Google Cloud Console:

2. Create an OAuth Client ID

  1. Open Cloud Console -> “APIs & Services” -> “Credentials”
  2. Select “Create credentials” -> “OAuth client ID”
  3. Select “Desktop app” as the application type
  4. Download the JSON file after creation

Note: The “OAuth consent screen” also needs to be configured the first time. “Internal” is fine for the user type.

3. Python Script

Install the required libraries:

    pip install google-auth google-auth-oauthlib google-api-python-client

Getting the Member List

    import os
    import pickle

    from google.auth.transport.requests import Request
    from google_auth_oauthlib.flow import InstalledAppFlow
    from googleapiclient.discovery import build

    CLIENT_SECRET = 'client_secret.json'
    TOKEN_FILE = 'token.pickle'
    GROUP_EMAIL = 'group@example.com'
    SCOPES = ['https://www.googleapis.com/auth/cloud-identity.groups']

    def get_credentials():
        """Load the saved token, refresh it, or run the browser OAuth flow."""
        creds = None
        if os.path.exists(TOKEN_FILE):
            with open(TOKEN_FILE, 'rb') as f:
                creds = pickle.load(f)
        if not creds or not creds.valid:
            if creds and creds.expired and creds.refresh_token:
                creds.refresh(Request())
            else:
                flow = InstalledAppFlow.from_client_secrets_file(CLIENT_SECRET, SCOPES)
                creds = flow.run_local_server(port=0)
            with open(TOKEN_FILE, 'wb') as f:
                pickle.dump(creds, f)
        return creds

    creds = get_credentials()
    service = build('cloudidentity', 'v1', credentials=creds)

    # Look up the group's resource name (groups/...) from its email address
    group = service.groups().lookup(groupKey_id=GROUP_EMAIL).execute()
    group_name = group['name']

    # Get the member list
    response = service.groups().memberships().list(parent=group_name).execute()
    for m in response.get('memberships', []):
        roles = [r['name'] for r in m['roles']]
        print(m['preferredMemberKey']['id'], roles)

On the first run, a browser will open asking for Google account authentication. After authentication, the token is saved to a file, and subsequent runs will authenticate automatically.

Adding a Member

    body = {
        'preferredMemberKey': {'id': 'new-user@example.com'},
        'roles': [{'name': 'MEMBER'}],
    }
    service.groups().memberships().create(parent=group_name, body=body).execute()

Deleting a Member

Deletion requires the membership’s name (internal ID), so use the information obtained from the list retrieval.

    # membership_name is the value of m['name'] from the list retrieval
    service.groups().memberships().delete(name=membership_name).execute()

4. Bulk Replacement Implementation Example

In actual operations, bulk replacement of “deleting existing members and registering new members” is often needed. Below is an implementation example.

    import time

    from googleapiclient.errors import HttpError

    NEW_MEMBERS = [
        'user1@example.com',
        'user2@example.com',
        'user3@example.com',
    ]

    # Get existing members (service and group_name come from the script above)
    members = service.groups().memberships().list(parent=group_name).execute()

    # Delete existing members, keeping owners
    for m in members.get('memberships', []):
        roles = [r['name'] for r in m['roles']]
        if 'OWNER' in roles:
            continue
        service.groups().memberships().delete(name=m['name']).execute()
        time.sleep(0.5)

    # Add new members
    for email in NEW_MEMBERS:
        body = {
            'preferredMemberKey': {'id': email},
            'roles': [{'name': 'MEMBER'}],
        }
        try:
            service.groups().memberships().create(parent=group_name, body=body).execute()
        except HttpError as e:
            # 409 means the address is already a member; anything else is a real error
            if e.resp.status != 409:
                raise
        time.sleep(0.5)
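The bulk replacement above can also be planned as a diff, so members who stay are never removed and every page of the member list is read before anything is deleted. This is an added example, not code from the original article or its repository: plan_sync, list_all_memberships, PROTECTED_ROLES and the sample data are hypothetical names and constructed values, and protecting MANAGER as well as OWNER is a choice made here.

```python
# Added example (not from the article): plan a bulk replacement as a diff.
# Dict shapes follow memberships().list() responses; SAMPLE is constructed.
PROTECTED_ROLES = {"OWNER", "MANAGER"}  # assumption: never auto-remove these


def list_all_memberships(service, group_name):
    """Collect every page; a single list() call returns only the first page."""
    api = service.groups().memberships()
    request, items = api.list(parent=group_name), []
    while request is not None:
        response = request.execute()
        items.extend(response.get("memberships", []))
        request = api.list_next(request, response)  # None after the last page
    return items


def plan_sync(memberships, desired_emails):
    """Return (emails to add, membership names to delete)."""
    desired = {e.strip().lower() for e in desired_emails if e.strip()}
    current, to_remove = set(), []
    for m in memberships:
        email = m["preferredMemberKey"]["id"].lower()
        roles = {r["name"] for r in m.get("roles", [])}
        current.add(email)
        # Removing an owner or manager could lock the caller out of the group.
        if email not in desired and not roles & PROTECTED_ROLES:
            to_remove.append(m["name"])
    return sorted(desired - current), sorted(to_remove)


SAMPLE = [  # constructed memberships, not real API output
    {"name": "groups/g1/memberships/1",
     "preferredMemberKey": {"id": "owner@example.com"},
     "roles": [{"name": "OWNER"}, {"name": "MEMBER"}]},
    {"name": "groups/g1/memberships/2",
     "preferredMemberKey": {"id": "User1@example.com"},
     "roles": [{"name": "MEMBER"}]},
    {"name": "groups/g1/memberships/3",
     "preferredMemberKey": {"id": "old@example.com"},
     "roles": [{"name": "MEMBER"}]},
]

if __name__ == "__main__":
    to_add, to_remove = plan_sync(SAMPLE, ["user1@example.com", "user2@example.com"])
    print("add:", to_add)
    print("remove:", to_remove)
```

Printing the plan before calling create() and delete() gives a dry run that can be reviewed before the group is changed.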

Notes

  • Rate limits: Sending too many requests in a short time may result in throttling. We recommend adding intervals with time.sleep()
  • OAuth token management: Access tokens are saved in token.pickle. Add it to .gitignore to avoid committing to Git
  • Client secret: Manage client_secret.json with similar caution
  • Scopes: The cloud-identity.groups scope includes both read and write. For read-only access, cloud-identity.groups.readonly can be used
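
One way to store the saved token more safely than a pickle file, shown as an added example that is not part of the original article: the token is written as JSON with owner-only permissions and checked before it is used. The file name token.json, the helper names and the POSIX permission model are assumptions; the JSON string is what google-auth's Credentials.to_json() produces.

```python
import json
import os
import stat
import tempfile

# Scope the article's script requests; anything else in the file is unexpected.
EXPECTED_SCOPES = {"https://www.googleapis.com/auth/cloud-identity.groups"}


def save_token(token_json, path):
    """Write the token atomically with mode 0600 (owner read/write only)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".token-")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(token_json)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_token(path, expected_scopes=EXPECTED_SCOPES):
    """Return the token dict, refusing loose permissions or extra scopes."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path) as f:
        info = json.load(f)  # JSON parsing cannot run code, unlike pickle.load
    extra = set(info.get("scopes", [])) - set(expected_scopes)
    if extra:
        raise ValueError(f"token carries unexpected scopes: {sorted(extra)}")
    return info


# Usage with google-auth (assumed file name token.json):
#   save_token(creds.to_json(), "token.json")
#   creds = Credentials.from_authorized_user_info(load_token("token.json"))
```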

The following articles are also helpful for managing Google Groups using the Cloud Identity Groups API.

| Article | Authentication Method | Content |
|---|---|---|
| Operating Google Workspace Groups with Cloud Identity API (Qiita) | Service account + Domain delegation | General group CRUD operations |
| Managing Google Group Membership with a Custom Python Wrapper | Service account + Domain delegation | Python wrapper implementation, adding members with expiration |
| GAS for Adding/Removing Members from Google Groups with Cloud Identity | OAuth (GAS) | Implementation with Google Apps Script |
| Use the Google Cloud Identity API for Google Groups (Medium) | Service account + Domain delegation | Comprehensive explanation in English |
| Google Official Documentation | | API reference |

Unlike the articles above, this article introduced a method that works entirely with OAuth user authentication, without using service accounts or Domain-Wide Delegation. I hope this serves as a useful option for automating Google Groups member management in environments without admin privileges.

Summary

Even in environments without Google Workspace admin privileges, you can bulk-manage members with owner/manager group permissions using the Cloud Identity Groups API. Because it needs only OAuth user authentication, there is no need to prepare service accounts or configure Domain-Wide Delegation.

The source code is published in the GitHub repository.