Description
Today if GAM is missing an API scope or admin privilege it may throw a generic error like "permission denied". If the GAM command is making numerous API calls.
For instance `gam print policy` calls Cloud Identity Policy API AND calls `orgunits.get()` and `groups.get()` to get more info on the OUs and Group unique IDs returned by policy API. If the policy list succeeds but then we get an error on the later calls GAM just throws a generic permission error that leaves the admin with no clue about what permission or scope was missing.
A couple things:
- If an API call is attempted but GAM doesn't have the API scope needed then a special header is returned in the Google Server response that specifies which scope was missing. It'd be awesome if GAM could parse this info and provide the admin with a helpful error that tells them which scope they need to authorize.
- If it's a more generic permission denied error that's related to the Google user's admin privileges, it may help the admin to understand what GAM was trying to do when it got the error. For example, an error like `ERROR: permission denied calling groups.get()` is far more informative to the admin than throwing a generic `permission denied` on a complex command that's hitting multiple Google APIs (some of which are non-obvious that they are necessary for the current command).
Of course Google APIs return dozens (hundreds?) of different error messages across APIs and services so a 100% solution may prove challenging here but any additional context we can provide admin may help them to solve the issue themselves w/o needing community or Ross/Jay support.
@taers232c FYI
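
A sketch of the two behaviours requested above, added here as an illustration and not taken from GAM's code base. It assumes the "special header" is the RFC 6750 `WWW-Authenticate: Bearer` challenge carrying `error="insufficient_scope"` and a `scope` parameter; the function names and the sample headers are hypothetical and constructed for the example.

```python
import re

# RFC 6750 auth-param: key="quoted value" or key=token
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

# Constructed sample: headers of a 403 response caused by a missing OAuth scope.
SAMPLE_SCOPE_DENIED = {
    "WWW-Authenticate": 'Bearer realm="https://accounts.google.com/", '
                        'error="insufficient_scope", '
                        'scope="https://www.googleapis.com/auth/admin.directory.group.readonly '
                        'https://www.googleapis.com/auth/admin.directory.group"',
}
# Constructed sample: a 403 caused by admin role privileges (assumed to carry no challenge).
SAMPLE_ROLE_DENIED = {"Content-Type": "application/json"}


def missing_scopes(headers):
    """Return the scopes named in an insufficient_scope Bearer challenge, else []."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate", "")
    if not challenge.lower().startswith("bearer"):
        return []
    params = {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM.finditer(challenge[len("bearer"):])
    }
    if params.get("error") != "insufficient_scope":
        return []
    # The scope parameter is a space-delimited list; any one of them may satisfy the call.
    return params.get("scope", "").split()


def describe_denial(api_method, status, headers):
    """Build an admin-facing message naming the failing call and, if known, the scope."""
    msg = f"ERROR: permission denied calling {api_method} (HTTP {status})"
    scopes = missing_scopes(headers)
    if scopes:
        return msg + "; authorize one of these scopes: " + ", ".join(scopes)
    return msg + "; no scope hint returned, check the admin privileges of this account"


if __name__ == "__main__":
    print(describe_denial("groups.get()", 403, SAMPLE_SCOPE_DENIED))
    print(describe_denial("orgunits.get()", 403, SAMPLE_ROLE_DENIED))
```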