Oauth2 with Test Service Account

[nick.h...@agiletalentpool.com]

I am trying to retrieve campaign data using a test adwords service account via the Java client library. Despite being able to obtain a refresh token the actual call to the CampaignService class throws exception with error code:

[AuthenticationError.NOT_ADS_USER @ ; trigger:'<null>']

My setup is the following:

1. I have a production MCC Account set on prod_mc...@domain.com. On this account, from Google Developer Console, I have created a new project and then requested a developer token for this account which is currently in status "Pending approval". I created a new Client ID from Google Developer Console > API & auth > Credentials > OAuth2 and specified "Service Account" for its type.  

2. I have created a secondary test MCC Account on test_mc...@domain.com. Just like before I created a new project from Google Developer Console and created a new Client ID and selected the Service Account Type. In Google Adwords page, under Accounts, I've added a new test AdWords account under the test MCC account. This test AdWords account does not have its own email (as does the test MCC Account) but is linked under the test MCC account. 

3. I have added a dummy campaign for the test AdWords account (the one linked under the test MCC account).

4. I have downloaded the private key file for the test MCC Account.

The code that I am using to get the refresh Token is this:

      GoogleCredential credential = new GoogleCredential.Builder()

     .setTransport(httpTransport)

          .setJsonFactory(JSON_FACTORY)

          .setServiceAccountId(TEST_MCC_ACCOUNT_CLIENT_EMAIL)

          .setServiceAccountScopes(Collections.singleton("https://www.googleapis.com/auth/adwords"))

          .setServiceAccountPrivateKeyFromP12File(new File(TEST_MCC_ACCOUNT_P12_FILE))

          .build();

       credential.refreshToken();

      

      return credential;

The refresh token is retrieved with no errors (I can't tell though whether it's indeed the correct refresh token).

With this refresh token I'm running the following code to retrieve the campaign:

      

       AdWordsSession session = new AdWordsSession.Builder()

     .withDeveloperToken(DEVELOPER_TOKEN_OF_PROD_MCC_ACCOUNT)

     .withUserAgent(PROJECT_ID_IN_TEST_MCC_ACCOUNT)

     .withOAuth2Credential(credential)

     .build();

      AdWordsServices adWordsServices = new AdWordsServices();

      

      CampaignServiceInterface campaignService = adWordsServices.get(session, CampaignServiceInterface.class);

      // Create selector.

      Selector selector = new Selector();

      selector.setFields(new String[] {"Id", "Name"});

      // Get all campaigns.

      CampaignPage page = campaignService.get(selector);

The last line, however throws the exception which I've mentioned:

Exception in thread "main" AxisFault

 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server

 faultSubcode: 

 faultString: [AuthenticationError.NOT_ADS_USER @ ; trigger:'&lt;null&gt;']

 faultActor: 

 faultNode: 

 faultDetail: 

{https://adwords.google.com/api/adwords/cm/v201506}ApiExceptionFault:<message>[AuthenticationError.NOT_ADS_USER @ ; trigger:'&lt;null&gt;']</message><ApplicationException.Type>ApiException</ApplicationException.Type><errors xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AuthenticationError"><fieldPath/><trigger>&lt;null&gt;</trigger><errorString>AuthenticationError.NOT_ADS_USER</errorString><ApiError.Type>AuthenticationError</ApiError.Type><reason>NOT_ADS_USER</reason></errors>

[AuthenticationError.NOT_ADS_USER @ ; trigger:'<null>']

One variation which I have tried is to create a third AdWords account, which has an email address (test_adwo...@domain.com) associated to it, link it under the test MCC Account, and change the code which creates the credential to include the call to setServiceAccountUser("test_adwo...@domain.com"). In this case the call to credential.refreshToken() fails with an error message "401 Unauthorized". I've also tried using setServiceAccountUser("test_mc...@domain.com").

I'm not sure what the problem might be, whether there's an issue with the way the account hierarchy is structured, whether there's something missing from the accounts themselves or whether it's even possible to use a test service account to retrieve data. Some help would be greatly appreciated.

 

[Danial Klimkin]

Hello Nick,

First of all, you don't need two project IDs for test and prod setup, project ID is per application so you can use the same one. It also doesn't need to belong to the same account as any MCC (but is can).

Second, I strongly recommend against using service accounts. It has very limited benefits comparing to normal flow and requires you to be a domain administrator.

As per error, you have authorized with a login that doesn't have an AdWords account associated with it. Make sure your key (or refresh token) belongs to the correct account (test MCC) and you specify clientCustomerId properly. The latter needs to be a target test account (not MCC) ID.

-Danial, AdWords API Team. 

One variation which I have tried is to create a third AdWords account, which has an email address (test_adwo...@domain.com) associated to it, link it under the test MCC Account, and change the code which creates the credential to include the call to setServiceAccountUser("test_adword...@domain.com"). In this case the call to credential.refreshToken() fails with an error message "401 Unauthorized". I've also tried using setServiceAccountUser("test_mcc_...@domain.com").

[nick.h...@agiletalentpool.com]

Hello Danial,

Thanks for your prompt reply.

"It also doesn't need to belong to the same account as any MCC (but is can)"

1. I'm a little confused by what the account setup should be following this remark. My aim is to create a set-up that enables a test service account to retrieve campaign data. According to the documentation, the project created on Google Developer Console 
"is a collection of settings, credentials, and metadata about the application or applications you're working on that make use of Google Developer APIs and Google Cloud resources", so it does make sense to have a single Project ID for multiple applications which make access of Google Developer API. 

What I do not understand though is how is the association / link between the Google Developer Console and the (MCC or non-MCC) account on Google AdWords made? All they have in common is the Google Account on which they have been set up. For other API endpoints, I've noticed one can enable them from the Enable APIs section of GDC, but there's nothing like that for AdWords.

2. Could you give me an example of an account set-up for a test example using an Service Account? I'm only interested in the hierarchical structure. 

3. Should the client customer ID be the 10 digits one displayed under an AdWords account?

My apologies if all these seem like basic questions but it's my first time using AdWords and I'm trying to understand how it works rather than just find the fix. 

Many thanks,

Nick.

[Danial Klimkin]

Hello Nick,

1. Exactly my point. There is no link. AdWords API is different from other APIs managed via the developer console and not controlled from there.

2. Is there any reason you really want to use service accounts? Do you administer a Google Apps domain?

3. Correct.

-Danial, AdWords API Team. 

[John Reynolds]

I know this thread is old, but have a similar request.

We do Administer our Google Apps domain and would prefer to have this all linked back to it.

I setup the Service Account in the developer console and downloaded the JSON. That all seems to load fine. Per the documentation, inside the G Suite console, I have entered our Client ID (the long number from the JSON file downloaded via the dev console) and "https://www.googleapis.com/auth/adwords" for the Client Name field.

When I try to connect, I get the same "AuthenticationError.NOT_ADS_USER" error.

I am creating the credential, as follows, from the sample code:

// Generate a refreshable OAuth2 credential.
Credential oAuth2Credential = new OfflineCredentials.Builder()
        .forApi(OfflineCredentials.Api.ADWORDS)
        .fromFile()
        .build()
        .generateCredential();

My understanding is it should pull everything from the JSON file, referenced in the ads.properties file.

There are three rows in that ads.properties file:

api.adwords.jsonKeyFilePath=src/main/resources/{{json-file}}
api.adwords.developerToken={{our developer token from Adwords}}
api.adwords.clientCustomerId={{our MCC account #}}

Any guidance on what piece I might be missing here would be super helpful. Understandably, the documentation isn't great for Service Accounts, but for those of us using them, having a clear cut example to follow as to which properties/keys/etc are required, would be great.

Thanks in advance for any assistance!

-John R

[Anash P. Oommen (AdWords API Team)]

Hi John,

Looks like you reported this issue? https://github.com/googleads/googleads-java-lib/issues/122

Could you follow up on that issue tracker? I've talked to the Java library owner and he is aware of it. He will work with you over the issue tracker thread.

Cheers

Anash P. Oommen,
AdWords API Advisor.

[John Reynolds]

Perfect. Thanks. I have a workaround in place now, but think that issue would provide some added benefit to the library for future users that run into the same issue. May even need to be something kicked over to the OAuth2 team.

Appreciate the reply.

Thanks!

John