(Status(StatusCode="PermissionDenied", Detail="The caller does not have permission")) error when running C# examples

[CK]

Hi,

I followed the instructions here:

https://developers.google.com/google-ads/api/docs/first-call/overview

Got the oauth clientid and clientsecret, got the refresh token, but when I tried to run the GetCampaigns example. I got the error:

(Status(StatusCode="PermissionDenied", Detail="The caller does not have permission"))

I am currently using a test manager account. My app.config as follows:-

<?xml version="1.0" encoding="utf-8" ?>

<configuration>

  <configSections>

    <section name="GoogleAdsApi" type="System.Configuration.DictionarySectionHandler"/>

  </configSections>

  <GoogleAdsApi>

    <!-- Settings specific to Google Ads API.-->

    <add key="DeveloperToken" value="my-dev-token"/>

    <add key = "LoginCustomerId" value = "my-test-manager-id" />

    <!-- OAuth2 configuration -->

    <add key = "OAuth2Mode" value = "APPLICATION" />

    <add key = "OAuth2ClientId" value = "my-oauth-clientid" />

    <add key = "OAuth2ClientSecret" value = "my-oauth-client-secret />

    <add key = "OAuth2RefreshToken" value = "my-refresh-token"/>

  </GoogleAdsApi>

</configuration>

This is how I ran the example:

dotnet run --framework net5.0 V11.GetCampaigns --customerId xxxxxxxx

where xxxx is the client id that I have created under the test manager account (without dashes.)

How can I troubleshoot further? There don't seem to be anywhere I can grant permissions.

Thanks.

Regards

CK

[Google Ads API Forum Advisor]

Hi CK,

Thank you for reaching out to us.

With regards to encountered error PERMISSION_DENIED, note that you may receive the error ‘USER_PERMISSION_DENIED’ when a user doesn't have permission to access a customer and you’re accessing a client customer using 'login-customer-id’ in the request.

That being said, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated with the MCC / manager account, you will need to specify the MCC / manager account's ID without hyphens (-) as the value of the login-customer-id field.

However, for our team to validate this, could you please provide us the complete API logs (request and response logs with request ID) generated on your end? Note that this can be requested or provided to the developer handling the Google Ads API transactions when logging of the API requests has been enabled.

These are the specific guidelines to enable it.

• Java - https://developers.google.com/google-ads/api/docs/client-libs/java/logging
• .Net - https://developers.google.com/google-ads/api/docs/client-libs/dotnet/logging
• PHP - https://developers.google.com/google-ads/api/docs/client-libs/php/logging
• Python - https://developers.google.com/google-ads/api/docs/client-libs/python/logging
• Ruby - https://developers.google.com/google-ads/api/docs/client-libs/ruby/logging
• Perl - https://developers.google.com/google-ads/api/docs/client-libs/perl/logging

You may then send the requested information via the Reply privately to author option. If this option is not available, you may send the details directly to our googleadsa...@google.com alias instead.

Best regards,

Heidi Google Ads API Team

ref:_00D1U1174p._5004Q2egw0m:ref

[Ng Cheng Kiang]

Hi Heidi,

I added the email for the OAuth2 Client Id/Secret to the Ads Manager Test account, and now I have an exception error. 

I generated a new refresh token using the Ads Manager account and ran it again, but the exception is the same.

λ dotnet run --framework net5.0 V11.GetCampaigns --customerId xxxxxxxx
Requested: 'V11.GetCampaigns', Loaded: 'V11.GetCampaigns'.
This code example gets all campaigns. To add campaigns, run AddCampaigns.cs.
One or more errors occurred. (Status(StatusCode="Internal", Detail="Error starting gRPC call. TokenResponseException: Error:"invalid_request", Description:"Missing required parameter: refresh_token", Uri:""", DebugException="Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"invalid_request", Description:"Missing required parameter: refresh_token", Uri:""
   at Google.Apis.Auth.OAuth2.Responses.TokenResponse.FromHttpResponseAsync(HttpResponseMessage response, IClock clock, ILogger logger)
   at Google.Apis.Auth.OAuth2.Requests.TokenRequestExtenstions.ExecuteAsync(TokenRequest request, HttpClient httpClient, String tokenServerUrl, CancellationToken taskCancellationToken, IClock clock, ILogger logger)
   at Google.Apis.Auth.OAuth2.Flows.AuthorizationCodeFlow.FetchTokenAsync(String userId, TokenRequest request, CancellationToken taskCancellationToken)
   at Google.Apis.Auth.OAuth2.Flows.AuthorizationCodeFlow.FetchTokenAsync(String userId, TokenRequest request, CancellationToken taskCancellationToken)
   at Google.Apis.Auth.OAuth2.Flows.AuthorizationCodeFlow.RefreshTokenAsync(String userId, String refreshToken, CancellationToken taskCancellationToken)
   at Google.Apis.Auth.OAuth2.UserCredential.RefreshTokenAsync(CancellationToken taskCancellationToken)
   at Google.Apis.Auth.OAuth2.TokenRefreshManager.RefreshTokenAsync()
   at Grpc.Auth.GoogleAuthInterceptors.<>c__DisplayClass3_0.<<FromCredential>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Grpc.Net.Client.Internal.GrpcProtocolHelpers.ReadCredentialMetadata(DefaultCallCredentialsConfigurator configurator, GrpcChannel channel, HttpRequestMessage message, IMethod method, CallCredentials credentials)
   at Grpc.Net.Client.Internal.GrpcCall`2.ReadCredentials(HttpRequestMessage request)
   at Grpc.Net.Client.Internal.GrpcCall`2.RunCall(HttpRequestMessage request, Nullable`1 timeout)"))

I can confirm that the required refresh token is already in the app.config.

I followed the instructions for enabling the log, but only got a 0-byte log file. Might be due to the exception above.

What can I do to further troubleshoot this issue?

Thanks.

Regards

CK