Problem with permissions and test accounts

99 views
Skip to first unread message

Joakim Vindgard

unread,
Sep 7, 2021, 6:08:07 PM9/7/21
to AdWords API and Google Ads API Forum
Hi!

I am trying to make a request to the GoogleAds API to populate target audience lists. (https://developers.google.com/google-ads/api/docs/remarketing/audience-types/customer-match)

My issue is regarding permissions. 

We have our main Google Ads Manager account where all our ad data lives. To create a test account we followed the instructions here (https://developers.google.com/google-ads/api/docs/first-call/overview#test_account)

I also: 

- Created `clientId`, `clientSecret`, `refreshToken` and `developerToken` using data from our MAIN account.
- Created a new separate Google Ads Manager account and it is a "Test account". This is separate from our MAIN account and is not linked to the MAIN account.

And I have written a piece of PHP code that successfully creates the googleAdsClient but when I try to create a `Customer Match list` I get the following error. And according to the error message I have set the `login-customer-id` to ur MAIN account id in the request.

I am stuck and I cant understand why. Any advise would be welcome. 

Let me know if you need any more info regarding accounts etc.

```
ApiException was thrown with message '{
    "message": "The caller does not have permission",
    "code": 7,
    "status": "PERMISSION_DENIED",
    "details": [
        {
            "@type": 0,
            "data": "type.googleapis.com\/google.ads.googleads.v8.errors.GoogleAdsFailure"
        },
        {
            "@type": 0,
            "data": [
                {
                    "errorCode": {
                        "authorizationError": "USER_PERMISSION_DENIED"
                    },
                    "message": "User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https:\/\/developers.google.com\/google-ads\/api\/docs\/concepts\/call-structure#cid"
                }
            ]
        },
        {
            "@type": 0,
            "data": "QRzt-xxkVAOMLYoDI_7gYA"
        }
    ]
}'.
```

```
<?php

use Google\Ads\GoogleAds\Lib\AbstractGoogleAdsBuilder;
use Google\Ads\GoogleAds\Lib\Configuration;
use Google\Ads\GoogleAds\Lib\OAuth2TokenBuilder;
use Google\Ads\GoogleAds\Lib\V8\GoogleAdsClientBuilder;
use Google\Ads\GoogleAds\Lib\V8\GoogleAdsException;
use Google\Ads\GoogleAds\V8\Common\CrmBasedUserListInfo;
use Google\Ads\GoogleAds\V8\Enums\CustomerMatchUploadKeyTypeEnum\CustomerMatchUploadKeyType;
use Google\Ads\GoogleAds\V8\Errors\GoogleAdsError;
use Google\Ads\GoogleAds\V8\Resources\UserList;
use Google\Ads\GoogleAds\V8\Services\GoogleAdsRow;
use Google\Ads\GoogleAds\V8\Services\UserListOperation;
use Google\ApiCore\ApiException;
use Google\Auth\CredentialsLoader;
use Google\Auth\OAuth2;
use Symfony\Component\Console\Helper\Helper;

require_once __DIR__.'/base.inc.php';
require_once __DIR__ . '/../config/config.inc.php';


function formatClientId(string $id) {
    return str_replace('-', '', $id);
}

$testAccountId = (int) formatClientId('[REMOVED]');
$mainAccountId = (int) formatClientId('[REMOVED]');

$configuration = new Configuration([
    'OAUTH2' => [
'clientId' => '[REMOVED]',
'clientSecret' => '[REMOVED]',
'refreshToken' => '[REMOVED]'
    ],
    'GOOGLE_ADS' => [
    'developerToken' => '[REMOVED]'
    ]
]);


// Generate a refreshable OAuth2 credential for authentication.
$oAuth2Credential = (new OAuth2TokenBuilder())
    ->from($configuration)
    ->build();

// Construct a Google Ads client configured from a properties file and the
// OAuth2 credentials above.
$googleAdsClient = (new GoogleAdsClientBuilder())
    ->from($configuration)
    ->withOAuth2Credential($oAuth2Credential)
    ->withLoginCustomerId($mainAccountId)
    ->build();

try {

    // Creates the user list.
    $userList = new UserList([
        'name' => 'Customer Match list #' . hrtime(true),
        'description' => 'A list of customers that originated from email '
            . 'and physical addresses',
        // Customer Match user lists can use a membership life span of 10000 to
        // indicate unlimited; otherwise normal values apply.
        // Sets the membership life span to 30 days.
        'membership_life_span' => 30,
        'crm_based_user_list' => new CrmBasedUserListInfo([
            'upload_key_type' => CustomerMatchUploadKeyType::CONTACT_INFO
        ])
    ]);

    // Creates the user list operation.
    $operation = new UserListOperation();
    $operation->setCreate($userList);

    // Issues a mutate request to add the user list and prints some information.
    $userListServiceClient = $googleAdsClient->getUserListServiceClient();
    $response = $userListServiceClient->mutateUserLists($testAccountId, [$operation]);
    $userListResourceName = $response->getResults()[0]->getResourceName();
    printf("User list with resource name '%s' was created.%s", $userListResourceName, PHP_EOL);
} catch (GoogleAdsException $googleAdsException) {
    printf(
        "Request with ID '%s' has failed.%sGoogle Ads failure details:%s",
        $googleAdsException->getRequestId(),
        PHP_EOL,
        PHP_EOL
    );
    foreach ($googleAdsException->getGoogleAdsFailure()->getErrors() as $error) {
        /** @var GoogleAdsError $error */
        printf(
            "\t%s: %s%s",
            $error->getErrorCode()->getErrorCode(),
            $error->getMessage(),
            PHP_EOL
        );
    }
    exit(1);
} catch (ApiException $apiException) {
    printf(
        "ApiException was thrown with message '%s'.%s",
        $apiException->getMessage(),
        PHP_EOL
    );
    exit(1);
}

die(var_dump($userListResourceName));

```

Google Ads API Forum Advisor

unread,
Sep 8, 2021, 5:55:47 AM9/8/21
to joakim....@gents.com, adwor...@googlegroups.com

Hi,

Thanks for reaching out to us.

In order to avoid the Permission_denied error, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated to the MCC / manager account, you will need to specify the said MCC / manager account's ID as the value of the login-customer-id field.

If the issue persists, could you please share the following information via the Reply privately to author option or directly to our googleadsa...@google.com alias, so that our team can take a closer look?

  • Customer ID
  • Provide us the user / email address it was you used when you generated your credentials
  • Provide us the complete request and response logs with the request-id

If you haven’t enabled logging yet, logging can be enabled by navigating to the Client libraries > Your client library (ex. PHP) > Logging documentation, which you can access from this link

Regards,

Google Logo
Yasar
Google Ads API Team
 


ref:_00D1U1174p._5004Q2NSDeu:ref
Reply all
Reply to author
Forward
0 new messages