
How to programmatically create a Google Apps user account

Updated: 2023-01-09 14:34:53

@David's answer got me on the right track, but I had some problems with using a service account.

I decided to use a service account and the impersonation API; beware that this gives a very high level of access to your application and raises the security bar considerably!

Anyways, here is what you need to do:

Follow this tutorial, but when setting up credentials, create a service account.

Here is the important part of the page:

(...) you can activate the Admin SDK yourself in the Developers Console by doing the following:

  • Go to the Google Developers Console.
  • Select a project, or create a new one.
  • In the sidebar on the left, expand APIs & auth. Next, click APIs. In the list of APIs, make sure the status is ON for the Admin SDK.
  • In the sidebar on the left, select Credentials.
  • In either case, you end up on the Credentials page and can create your project's credentials from here.

If you haven't done so already, create your OAuth 2.0 credentials by clicking Create new Client ID under the OAuth heading. Next, look for your application's client ID and client secret in the relevant table. You may also create and edit redirect URIs from this page.

Domain-wide delegation

Use this guide to perform domain-wide delegation for your code.

  1. Go to your Google Apps domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
  3. Select Advanced settings from the list of options.
  4. Select Manage third party OAuth Client access in the Authentication section.
  5. In the Client name field enter the service account's Client ID.
  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example, if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar. Click the Authorize button.

Please note that you'll need to provide the Client ID, not the Email Address, in step 5.

See the list of scopes.

Install google-api-python-client, PyCrypto and PyOpenSSL (you may omit PyOpenSSL, but then you'll need to convert the downloaded certificate).

from oauth2client.client import SignedJwtAssertionCredentials

# Load the service account's P12 private key downloaded from the Developers Console
with open('private/key-filename.p12', 'rb') as f:
    private_key = f.read()

# Build a signed-JWT assertion for the service account and impersonate a domain admin
credentials = SignedJwtAssertionCredentials(
    'user-email-@developer.gserviceaccount.com',  # Service account email address [1]
    private_key,
    'https://www.googleapis.com/auth/admin.directory.user',
    sub="impersonated-user@foo.bar")  # Impersonated admin user [2]

  • Where 1 is a service account e-mail address, and 2 is an already existing address of an admin user in your domain. From now on all actions taken by the API will be performed using this (marked by 2) user's authorisation and credentials.
  • Note that 1 contains the Email Address of the Service account (this is different from the Client ID) in step 5.

Now you should have a read-write account to your API.
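As an added example (not code from the original answer), here is the same delegated-credential flow with the maintained google-auth library and a JSON service-account key instead of the P12 file, together with a users.insert body that issues a random one-time password and forces a change at first login. The key path, the admin address and the domain are placeholders, and the key-file permission check is my own addition.

```python
import os
import secrets
import stat

# Narrowest Directory API scope that still permits users.insert (same scope the answer uses).
SCOPE_USER_RW = "https://www.googleapis.com/auth/admin.directory.user"


def key_mode_is_private(mode):
    """True if a key file's permission bits grant nothing to group or others."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def build_user_body(given_name, family_name, domain):
    """Request body for users.insert: a random one-time password that the
    user must replace at first login, so no static secret lands in scripts or logs."""
    primary_email = f"{given_name}.{family_name}@{domain}".lower()
    return {
        "primaryEmail": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        "password": secrets.token_urlsafe(24),  # 32 URL-safe characters, never reused
        "changePasswordAtNextLogin": True,
    }


def delegated_credentials(key_path, admin_email, scopes=(SCOPE_USER_RW,)):
    """Service-account credentials that act as admin_email via domain-wide delegation.
    Refuses a key file that other local users can read."""
    from google.oauth2 import service_account  # optional dependency, imported lazily
    if not key_mode_is_private(os.stat(key_path).st_mode):
        raise PermissionError(f"{key_path} is readable by group/others; chmod 600 it")
    creds = service_account.Credentials.from_service_account_file(key_path, scopes=list(scopes))
    return creds.with_subject(admin_email)


def create_user(service, body):
    """Insert the user with an already-built Directory API client."""
    return service.users().insert(body=body).execute()


if __name__ == "__main__":
    from googleapiclient.discovery import build  # from google-api-python-client
    # Placeholder key path and addresses (hypothetical); replace with your own.
    creds = delegated_credentials("private/service-account.json", "admin@example.com")
    service = build("admin", "directory_v1", credentials=creds)
    created = create_user(service, build_user_body("Jane", "Doe", "example.com"))
    print("created", created["primaryEmail"])
```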