PERMISSION_DENIED Error - User Doesn’t Have Permission to Access Client Account via API

[Developer Walkwel]

Hello Google Ads API Support,

I am encountering a persistent issue while trying to access a client customer account via the Google Ads API. Below are the details of the error and the steps I’ve taken to resolve it, but the issue remains unresolved.

Error Details:
```
Error: (<_InactiveRpcError of RPC that terminated with:
  status = StatusCode.PERMISSION_DENIED
  details = "The caller does not have permission"
  debug_error_string = "UNKNOWN:Error received from peer ipv4:142.250.187.234:443
  {created_time:"2024-08-20T00:10:36.47873777+00:00", grpc_status:7,
  grpc_message:"The caller does not have permission"}"
>, <_InactiveRpcError of RPC that terminated with:
  status = StatusCode.PERMISSION_DENIED
  details = "The caller does not have permission"
  debug_error_string = "UNKNOWN:Error received from peer ipv4:142.250.187.234:443
  {created_time:"2024-08-20T00:10:36.47873777+00:00", grpc_status:7,
  grpc_message:"The caller does not have permission"}"
>, errors {
  error_code {
    authorization_error: USER_PERMISSION_DENIED
  }
  message: "User doesn\'t have permission to access customer.
  Note: If you\'re accessing a client customer, the manager\'s customer id must be
  set in the \'login-customer-id\' header. See
  https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid"
}
request_id: "kGR3SnwhTZWDx0f1SS54iA"
, 'kGR3SnwhTZWDx0f1SS54iA')
```

Actions Taken:
1. Set the `login-customer-id` header to the MCC (manager) account's customer ID when trying to access the client account.
2. Ensured that the user account associated with the API request has the necessary permissions to access both the manager and client accounts.
3. Verified the OAuth token has the correct scope (`https://www.googleapis.com/auth/adwords`).
4. Double-checked the **client customer ID** I am using in the request.
5. Verified that the client account is properly linked to the MCC account in the Google Ads interface.

Request Configuration:
- Manager (MCC) Customer ID: `<insert MCC Customer ID>`
- Client Customer ID: `<insert Client Customer ID>`
- OAuth Scope: `https://www.googleapis.com/auth/adwords`
- API Request Type: `<insert the API endpoint or query used>`

Despite following all of the steps mentioned in the API documentation, I continue to receive the PERMISSION_DENIED error. I would greatly appreciate further assistance in troubleshooting this issue.

Could you please review the error or provide any additional guidance on what might be going wrong? Is there any specific permission setting or API configuration I am missing?

Thank you for your help!

Best regards

[Google Ads API Forum Advisor]

Hi,

Thank you for reaching out to the Google Ads API support team.

I could see that you are encountering a USER_PERMISSION_DENIED authorization error, it means the user doesn't have permission to access the customer. According to the documentation, if you're accessing the customer, please specify the login-customer-id as the manager account ID without hyphens (-). Also, kindly check if you have the correct access level to the Google Ads account that you are accessing. Kindly note that only error logs are not sufficient to assist you.

To analyze your issue further could you kindly provide us with the below details.

• Execute List Accessible Customers and provide us complete API request and response logs, you may also check this API documentation for more information.
• The user email is used for generating the OAuth credentials i.e, refresh token.
• Complete API logs (request and response with request-id and request header) generated at your end.

If you are using a client library and haven't enabled the logging yet, I would request you to enable logging for the specific client library that you are using. You can refer to the guides Java, .Net, PHP, Python, Ruby or Perl to enable logging at your end. For REST interface requests, you can enable logging via the curl command by using the -i flag.

You can send the details via Reply privately to the author option, or direct private reply to this email.
 

This message is in relation to case "ref:!00D1U01174p.!5004Q02vGLWz:ref" (ADR-00268747)

Thanks,
 

Google Ads API Team

[Developer Walkwel]

Hi

Here is the information you requested:
Customer IDs: 6031131558, 3682675394, 1327857499, 7627068296, 9604076790, 8995827941, 8068169535, 3498279900
Client ID: 1000434119396-339j164s0u76nopod9g67upidb48qsc0.apps.googleusercontent.com
MCC Client ID: 7588864995
Developer Token: SrbSEzImJXJCTKe7EumqAw

 

Here is the cURL request that I made:

curl --location 'https://googleads.googleapis.com/v17/customers/5169753570/googleAds:search' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ya29.a0AcM612y1gzcJFzWnFZ56Ns2TSQ2lMNKj8NMJBDCeuGfnFJfiXUlUYxMEaefqVSSfTRKjREwZcgB_Fymp1dU1ZoGxPmNL-8Ywim1Ebx-3akGShUoF1BnB1-adbX0oF2S9eVpJFUm2jx9-Q2ihRE3BmKalmhydOsfG0xynsMegKHYaCgYKAd8SARASFQHGX2MiXJItx4at6_GSDlSav4AlRw0178' \
--header 'developer-token: SrbSEzImJXJCTKe7EumqAw' \
--header 'login-customer-id: 7588864995' \
--data '{
    "query": "SELECT customer_client.client_customer FROM customer_client"
  }'

Here is the response from the above request:

{
    "error": {
        "code": 403,
        "message": "The caller does not have permission",
        "status": "PERMISSION_DENIED",
        "details": [
            {
                "@type": "type.googleapis.com/google.ads.googleads.v17.errors.GoogleAdsFailure",
                "errors": [
                    {
                        "errorCode": {
                            "authorizationError": "USER_PERMISSION_DENIED"
                        },
                        "message": "User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid"
                    }
                ],
                "requestId": "PbbpudCOzjEILROzAkbmPQ"
            }
        ]
    }
}

Here is the simple code that I use to fetch customer data:

 

from google.ads.googleads.client import GoogleAdsClient

 

# Replace with your actual credentials (avoid sharing sensitive info)
credentials = {
    "client_id": "1000434119396-339j164s0u76nopod9g67upidb48qsc0.apps.googleusercontent.com",
    "client_secret": "*********************************",
    "login-customer-id": 7588864995,
    "refresh_token": "*******************************************",
    "developer_token": "SrbSEzImJXJCTKe7EumqAw",
    "use_proto_plus": True
}

# Initialize the client
client = GoogleAdsClient.load_from_dict(credentials)

# Get the service
googleads_service = client.get_service("GoogleAdsService")

# Set the customer ID for the query
customer_id = "5169753570"  # Use string format

# Query to list all accounts managed by the MCC
query = """
    SELECT
        customer_client.client_customer,
        customer_client.level
    FROM
        customer_client
"""

try:
    # Use the MCC ID here to list all client accounts
    response = googleads_service.search_stream(customer_id=customer_id, query=query)

    for batch in response:
        for row in batch.results:
            print(f"Client Customer ID: {row.customer_client.client_customer}, Level: {row.customer_client.level}")
except Exception as e:
    print(f"Error: {e}")

[Google Ads API Forum Advisor]

Hi,

Please provide us with the earlier requested, the user email that is used for generating the OAuth credentials i.e, refresh token.