Service Account Auth Error - NOT_ADS_USER
Vlad
- The service account that you created needs to be granted domain wide delegation access by a super administrator for the domain.
- Using a Google Ads user with permissions on the Google Ads account you want to access.
- Make sure that you have your own domain registered with Google Workspace.
- Service account will have the ability to impersonate any user in the domain
Google Ads API Forum Advisor
Hi Vlad,
Thank you for reaching out to us.
Moving forward to this, “I do have all of them set up, however, I'm not sure about the last one. I granted an access for the Ads manager account to have an access to the service account in the Google Console - how I can configure the impersonation?”
- Because user impersonation is controlled only at the domain level, using service accounts and assertion flow with Google OAuth2 requires you to have your own domain registered with Google Workspace. Your app and its users can then impersonate any user in the domain.
- Start by creating a service account and credentials.
- Download the service account key in JSON format and note the service account ID.
- Share the service account ID and the Google Ads API scope (https://www.googleapis.com/auth/adwords) with your domain administrator.
- Request the domain administrator to delegate domain-wide authority to your service account.
- If you are the domain administrator, complete the help center instructions.
You can now use the service account to access your Google Ads account with the OAuth2 assertion flow.
You may check this section (https://developers.google.com/google-ads/api/docs/oauth/service-accounts?hl=en#service_account_access_setup) of the document for more information.
Moving forward to NOT_ADS_USER error, yes, it is indeed means that the Google account used to generate the access token is not associated with any Google Ads account. The login information provided corresponds to a Google account that does not have Google Ads enabled. To handle this, Make sure to sign in with a valid Google Ads account (typically your manager account) for the OAuth flow. You can also invite the Google account to access an existing Google Ads account by signing in to your manager account, selecting the customer or manager account in question, navigating to Tools and Settings > Access and security, then adding the Google account email address.
Let me know if you have further questions.
Thanks,
 |
Google Ads API Team |
Vlad
Google.Ads.GoogleAds.Config.GoogleAdsConfig config = new()
{
DeveloperToken = _config.DeveloperToken, // developer token set up for the manager account
OAuth2SecretsJsonPath = GetCertFilePath(), // path to the service account credentials JSON
OAuth2PrnEmail = "maintenance@######.#####.###.com", // service account email
OAuth2Mode = Google.Ads.Gax.Config.OAuth2Flow.SERVICE_ACCOUNT,
LoginCustomerId = "381-072-4097".Replace("-", ""), // manager account customer id
};
ConversionUploadServiceClient conversionUploadService = client.GetService(Services.V13.ConversionUploadService);
{
Gclid = googleClickId, // google click ID captured from Google Ad
ConversionAction = action.GetDescription(),
ConversionDateTime = DateTime.Now.ToString("yyyy-mm-dd hh:mm:sszzz")
await conversionUploadService.UploadClickConversionsAsync(
new UploadClickConversionsRequest()
{
CustomerId = "465-336-9523".Replace("-", ""), // Client Google Ads account customer ID which I want to upload conversion for
PartialFailure = true,
ValidateOnly = false
});
Google Ads API Forum Advisor
Hi Vlad,
Thank you for the reply.
Kindly note that the NOT_ADS_USER error (https://developers.google.com/google-ads/api/docs/best-practices/common-errors#authenticationerror) is one of the common authorization errors encountered when the service account has not been correctly linked to the Google Ads account via the OAuth2 assertion flow. Kindly note that you need to use the actual email address of the Google Ads user with permissions on the Google Ads account you want to access. You may check the guide on how to set up OAuth2 for API access using your own credentials with a service account in the client library you are using here: https://developers.google.com/google-ads/api/docs/oauth/service-accounts?hl=en#client_library_configuration
This error typically means that the email address used to create your OAuth credentials in Google Cloud Console is not associated with any Google Ads account. See this section in our Common Errors (https://developers.google.com/google-ads/api/docs/best-practices/common-errors#authenticationerror) guide.
If you know the email address that was used to create your OAuth credentials, you should be able to log into the Google Ads UI and send it an invitation by following the instructions in the guide I linked to above.
You may also need to enable the Google Ads API in your Google Cloud project by following the steps here (https://developers.google.com/google-ads/api/docs/first-call/oauth-cloud-project).
If you are still encountering errors after considering all the mentioned information above, you may provide us with the user account / email address that you used to generate API access so we can further check this information. You may then send the requested information via the Reply privately to author option. If this option is not available, you may send the details directly to our googleadsa...@google.com alias instead.
In addition, we strongly recommend using OAuth2 installed app or web flows (https://developers.google.com/google-ads/api/docs/oauth/cloud-project#choose_an_application_type) instead of service accounts unless you need domain-specific features (for example, impersonation). OAuth2 installed application and web flows require user interaction only once, when access to the account is granted. You need to implement the code set up on your end to make calls using service accounts.