User in the cookie is not a valid Ads user

[Marketing Technology]

Hi there.

I am trying to connect with the Adwords API, using service account credentials, and I receive this error:

com.google.ads.googleads.v10.errors.GoogleAdsException: errors {
  error_code {
    authentication_error: NOT_ADS_USER
  }
  message: "User in the cookie is not a valid Ads user."
}
request_id: "FVch8JXeLpvz9JXo7V5sAg"

Using the same email, but with Oauth2 credentials, I can connect, but I need to connect as a service account, as I need to connect a microservice.

How could I fix it?

Thanks

[Marketing Technology]

Hi, thanks for the answer.

About Service Credentials, I think the only thing we didn't follow is using a Google Workspace Domain. I'll investigate about it, because we weren't using it.

About Oauth2, in our case, we want to send ourselves the information about all users once a day, with our calculations, so I guess the OAuth2 is not an option for us, right?

Or we may use it.

If I try to use Oauth2, I need to put the consent screen in prod mode, and they ask me to put a video in Youtube, and some staff that shouldn't apply to a microservice...

Other thing, I can't see the links you sent, login with this Google Account.

Thanks!

On Monday, 8 August 2022 at 14:30:07 UTC+2 adsapi wrote:

Hello,

Thank you for reaching out to us. Let me do the best I can to assist you in this.

I can see that you have received the NOT_ADS_USER error when you attempted to connect to the API. The NOT_ADS_USER error is encountered when the service account has not been correctly linked to the Google Ads account via the OAuth2 assertion flow. Please take note that the email address you may have used to generate the credentials should have access or be associated with Google Ads accounts. 

 

In order to connect to Google Ads API using a Google service account, you will need a Google Workspace domain since it is a prerequisite for using service accounts. Since you mentioned that you’re using service account credentials, could you confirm if you already followed all the mentioned requirements:

1. The service account that you created needs to be granted domain wide delegation access by a super administrator for the domain.
2. Using a Google Ads user with permissions on the Google Ads account you want to access. 
3. Make sure that you have your own domain registered with Google Workspace.
4. Service account will have the ability to impersonate any user in the domain

 

You may refer to this API documentation that discusses how to access the Google Ads API with service accounts. 

 

In addition, kindly note that, we strongly recommend using OAuth2 installed app or web flows instead of service accounts unless you need domain-specific features (for example, impersonation). OAuth2 installed application and web flows require user interaction only once, when access to the account is granted. You need to implement the code set up on your end to make calls using service accounts. 

Regards,

Teejay Wennie Google Ads API Team

 

ref:_00D1U1174p._5004Q2dIQUS:ref

[Marketing Technology]

Hi again.

It seems our company is not using Google Workspace Domain, and we are not planning to use it.

Is there a way to create authentication for a microservice without Google Workspace Domain?

Thanks!

[Google Ads API Forum Advisor]

Hi,

Thanks for getting back to us.

It appears that the link got broken while being sent due to system issues. However, you may please check the response sent from our end with valid links below:

“Hello,

Thank you for reaching out to us. Let me do the best I can to assist you in this.

I can see that you have received the NOT_ADS_USER error when you attempted to connect to the API. The NOT_ADS_USER error is encountered when the service account has not been correctly linked to the Google Ads account via the OAuth2 assertion flow. Please take note that the email address you may have used to generate the credentials should have access or be associated with Google Ads accounts. 

In order to connect to Google Ads API using a Google service account, you will need a Google Workspace domain since it is a prerequisite for using service accounts. Since you mentioned that you’re using service account credentials, could you confirm if you already followed all the mentioned requirements:

1. The service account that you created needs to be granted domain wide delegation access by a super administrator for the domain.
2. Using a Google Ads user with permissions on the Google Ads account you want to access. 
3. Make sure that you have your own domain registered with Google Workspace.
4. Service account will have the ability to impersonate any user in the domain

You may refer to this API documentation that discusses how to access the Google Ads API with service accounts. 

In addition, kindly note that, we strongly recommend using OAuth2 installed app or web flows instead of service accounts unless you need domain-specific features (for example, impersonation). OAuth2 installed application and web flows require user interaction only once, when access to the account is granted. You need to implement the code set up on your end to make calls using service accounts. “

With regards to your follow up questions, Please see below responses:

1) Is there a way to create authentication for a microservice without Google Workspace Domain?

•  To be honest there is no way to create authentication for a service account without Google Workspace Domain.

2) About Oauth2, in our case, we want to send ourselves the information about all users once a day, with our calculations, so I guess the OAuth2 is not an option for us, right? Or we may use it.

• We strongly suggest you use oauth authentication instead.

3) If I try to use Oauth2, I need to put the consent screen in prod mode, and they ask me to put a video in Youtube, and some staff that shouldn't apply to a microservice...

• yes you need to veiry your oauth2 for the production mode you can find more information on what needs to go into the video here.

 

Best regards,

Anthony Cyril Google Ads API Team

ref:_00D1U1174p._5004Q2dIQUS:ref

[Marketing Technology]

Hi Anthony.

Thanks for the response.

Then I think that our only choice at this point would be to try with OAuth2. 

But, what I don't understand is how are we using OAuth2 for a Microservice. I mean, when I create the OAuth2 credentials, it requires me to select between one between: Android, Chrome App, IOS, TV and desktop App. My application is a backend microservice, so none of these matches with what I want.

Also, when I prepare for verification the consent screen it requires me some staff focus in my users, when the only user I have, and the only user that will see this consent screen, is myself. 

Specially the Youtube video where I need to explain how will I use the scope in my app... It is totally focus in a front end application, which will have authorised users. What I am I suppose to record in this video, the Java code of my backend microservice?

I don't know if I am missing something.

Best regards,

[Google Ads API Forum Advisor]

Hi,

Thanks for getting back to us.

Kindly see below responses to your queries:

But, what I don't understand is how are we using OAuth2 for a Microservice. I mean, when I create the OAuth2 credentials, it requires me to select between one between: Android, Chrome App, IOS, TV and desktop App. My application is a backend microservice, so none of these matches with what I want.

>> Kindly note that there are two app type options for the Google Ads API:

1. Desktop apps
2. Web apps

 

You may consider to use Desktop apps as an option in your backend microservice. For more information, you may refer to this page.

Also, when I prepare for verification the consent screen it requires me some staff focus in my users, when the only user I have, and the only user that will see this consent screen, is myself. 

Specially the Youtube video where I need to explain how will I use the scope in my app... It is totally focus in a front end application, which will have authorised users. What I am I suppose to record in this video, the Java code of my backend microservice?

>> The document provided by my colleague explains what exactly needs to be recorded. You may check below:

• Please ensure that the YouTube link to a demo video demonstrates the OAuth grant process by users and explains the usage of sensitive and restricted scopes within the app’s functionality for each OAuth client belonging to the project.
• Note that the video must clearly show the app's details such as the app name, OAuth Client ID, etc. as applicable.
• The demo video must show usage of sensitive and restricted scopes on each client.
• Including the video along with the verification request will speed up the approval process significantly. Note that approval will not be granted if scope usage on each OAuth client ID is not adequately explained.
• Additionally, if any of your OAuth clients in the project requesting verification are not ready to be productionized, we will be unable to complete our review and your request will be rejected. We require that you separate your testing/development and production projects. Our teams will thoroughly review your apps.

For more information on OAuth verification, refer to below links:

• How to verify: OAuth API verification FAQs - Google Cloud Platform Console Help
• General information: Unverified apps - Google Cloud Platform Console Help

Regards,

Yasar Google Ads API Team

ref:_00D1U1174p._5004Q2dIQUS:ref