Insufficient permissions


Grant Hardy

Dec 15, 2021, 2:27:44 AM
to got-yo...@googlegroups.com
I am having a lot of trouble setting up GYB.

The create project worked okay. I got a Google Cloud project, set it to external, then added myself as a test user and went through the setup screens for the project. I then added an OAuth client as instructed, picked desktop app for the type, entered GYB as the name, and copied the client ID and secret into GYB. All good.

Then tried this command: gyb --email my email --action estimate

Granted all the permissions as requested and it brought up an authorization screen from Google that clearly shows that I am giving GYB full access to my Gmail account. I hit allow, copied the secret into GYB, and immediately got a “400, no permission” error.

Went back into my project, edited it to allow it to access every single API there is, ran the revoke command and tried again. Same “no permissions” error.

Tried deleting the OAuth client and recreating it, but now GYB isn’t prompting for me to re-authorize with the new secret and ID, even after revoking.

What the heck do I do??

Grant Hardy

Jay Lee

Dec 15, 2021, 6:34:02 AM
to Got Your Back: Gmail Backup
Can you post a screenshot of the error? Can you also try running with --debug ?


Grant Hardy

Dec 15, 2021, 10:19:03 PM
to got-yo...@googlegroups.com
Here’s the output of Terminal, personal info redacted. Note: before creating the OAuth screen I had to provide some info for my project on the Google website. I made sure to add myself as a test user, and grant the project access to every single API in the “add scopes” screen. Also in the last step, right before I get the error, GYB asks for permission to connect to my Gmail account and I can see that it’s getting permission to compose, read, and permanently delete all my email. So everything looks good…but then this happens:


Last login: Wed Dec 15 18:54:25 on ttys000
grant@Grants-MacBook-Pro ~ % ~/gyb/gyb --action create-project --email mye...@gmail.com

Go to the following link in your browser:


Enter verification code: blahblah
Creating project "Got Your Back Project"...
Checking project status...
 enabling API drive.googleapis.com...
 enabling API gmail.googleapis.com...
 enabling API iap.googleapis.com...
 enabling API vault.googleapis.com...
Creating Service Account
Setting project consent screen...
Please go to:


1. Enter "GYB" for "Application name".
2. Leave other fields blank. Click "Save" button.
3. Choose "Desktop app". Enter a desired value for "Name". Click the blue "Create" button.
4. Copy your "client ID" value.

Enter your Client ID: blahblah

Now go back to your browser and copy your client secret.
Enter your Client Secret: blahblah
That's it! Your GYB Project is created and ready to use.
grant@Grants-MacBook-Pro ~ % ~/gyb/gyb --email mye...@gmail.com --action estimate

Select the actions you wish GYB to be able to perform for mye...@gmail.com

[ ]  0)  Gmail Backup And Restore - read/write mailbox access
[ ]  1)  Gmail Backup Only - read-only mailbox access
[ ]  2)  Gmail Restore Only - write-only mailbox access and label management
[*]  3)  Gmail Full Access - read/write mailbox access and message purge
[ ]  4)  No Gmail Access

[*]  5)  Groups Restore - write to G Suite Groups Archive
[*]  6)  Storage Quota - Drive app config scope used for --action quota

      7)  Continue
7

Go to the following link in your browser:


Enter verification code: blahblah

Using backup folder GYB-GMail-Ba...@gmail.com

403: Insufficient Permission - insufficientPermissions
grant@Grants-MacBook-Pro ~ % 


Grant Hardy

Dec 15, 2021, 11:12:23 PM
to got-yo...@googlegroups.com
Okay, an update: it seems like in the final step, where I grant GYB permissions for my Gmail account, Google “says” it’s going to grant it all the permissions it needs. But when I go to my Google account > Security > Apps with account access, those permissions aren’t being granted for GYB correctly.

It’s as if the entire Google Cloud project isn’t authorized to have these permissions?

Grant Hardy

Jay Lee

Dec 16, 2021, 7:25:53 AM
to Got Your Back: Gmail Backup
Can you show the output with --debug ?

Be sure to redact the authorization bearer value in particular....

Grant Hardy

Dec 16, 2021, 10:38:31 AM
to got-yo...@googlegroups.com
Here’s the output. I wasn’t sure what all to redact so I redacted more values than were probably necessary.

Last login: Wed Dec 15 18:55:12 on ttys000
grant@Grants-MacBook-Pro ~ % ~/gyb/gyb --email mye...@gmail.com --action estimate --debug
connect: (oauth2.googleapis.com, 443)
send: b'POST /token HTTP/1.1\r\nHost: oauth2.googleapis.com\r\nContent-Length: 253\r\ncontent-type: application/x-www-form-urlencoded\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64\r\naccept-encoding: gzip, deflate\r\n\r\n'
send: b'grant_type=refresh_token&client_id=xxxxx&client_secret=xxxxx&refresh_token=xxxxx'
reply: 'HTTP/1.1 200 OK\r\n'
header: Cache-Control: no-cache, no-store, max-age=0, must-revalidate
header: Pragma: no-cache
header: Expires: Mon, 01 Jan 1990 00:00:00 GMT
header: Date: Thu, 16 Dec 2021 15:07:42 GMT
header: Content-Type: application/json; charset=utf-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Server: scaffolding on HTTPServer2
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
header: Transfer-Encoding: chunked
connect: (www.googleapis.com, 443)
send: b'GET /oauth2/v1/certs HTTP/1.1\r\nHost: www.googleapis.com\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64\r\naccept-encoding: gzip, deflate\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Thu, 16 Dec 2021 15:07:18 GMT
header: Expires: Thu, 16 Dec 2021 20:50:09 GMT
header: Content-Type: application/json; charset=UTF-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Server: scaffolding on HTTPServer2
header: Content-Length: 1556
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Cache-Control: public, max-age=20571, must-revalidate, no-transform
header: Age: 24
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
connect: (www.googleapis.com, 443)
send: b'GET /oauth2/v1/certs HTTP/1.1\r\nHost: www.googleapis.com\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64\r\naccept-encoding: gzip, deflate\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Thu, 16 Dec 2021 15:07:18 GMT
header: Expires: Thu, 16 Dec 2021 20:50:09 GMT
header: Content-Type: application/json; charset=UTF-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Server: scaffolding on HTTPServer2
header: Content-Length: 1556
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Cache-Control: public, max-age=20571, must-revalidate, no-transform
header: Age: 24
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
connect: (www.googleapis.com, 443)
send: b'GET /discovery/v1/apis/oauth2/v2/rest HTTP/1.1\r\nHost: www.googleapis.com\r\ncontent-length: 0\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64\r\nauthorization: Bearer xxxxx\r\naccept-encoding: gzip, deflate\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Accept-Ranges: bytes
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Content-Type: application/json; charset=UTF-8
header: Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/federated-signon-mpm-access
header: Cross-Origin-Resource-Policy: cross-origin
header: Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="federated-signon-mpm-access"
header: Report-To: {"group":"federated-signon-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/federated-signon-mpm-access"}]}
header: Content-Length: 1720
header: Date: Thu, 16 Dec 2021 14:54:58 GMT
header: Expires: Thu, 16 Dec 2021 15:44:58 GMT
header: Last-Modified: Fri, 03 Apr 2020 02:15:00 GMT
header: X-Content-Type-Options: nosniff
header: Server: sffe
header: X-XSS-Protection: 0
header: Age: 765
header: Cache-Control: public, max-age=3000
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
send: b'GET /oauth2/v2/userinfo?fields=email&prettyPrint=true&alt=json HTTP/1.1\r\nHost: www.googleapis.com\r\naccept: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64 (gzip)\r\nx-goog-api-client: gdcl/2.29.0 gl-python/3.10.0\r\ncontent-length: 0\r\nauthorization: Bearer xxxxx\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Expires: Mon, 01 Jan 1990 00:00:00 GMT
header: Cache-Control: no-cache, no-store, max-age=0, must-revalidate
header: Date: Thu, 16 Dec 2021 15:07:43 GMT
header: Pragma: no-cache
header: Content-Type: application/json; charset=UTF-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Server: ESF
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
header: Transfer-Encoding: chunked
connect: (www.googleapis.com, 443)
send: b'GET /discovery/v1/apis/gmail/v1/rest HTTP/1.1\r\nHost: www.googleapis.com\r\ncontent-length: 0\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64\r\nauthorization: Bearer xxxxx\r\naccept-encoding: gzip, deflate\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json; charset=UTF-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Date: Thu, 16 Dec 2021 15:07:43 GMT
header: Server: ESF
header: Cache-Control: private
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
header: Transfer-Encoding: chunked

Using backup folder GYB-GMail-Ba...@gmail.com
connect: (gmail.googleapis.com, 443)
send: b'GET /gmail/v1/users/me/messages?includeSpamTrash=false&q=-is%3Achat&maxResults=500&fields=nextPageToken%2Cmessages%2Fid&prettyPrint=true&alt=json HTTP/1.1\r\nHost: gmail.googleapis.com\r\naccept: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: Got Your Back 1.53 | https://git.io/gyb | Jay Lee - jay...@gmail.com | Python 3.10.0 64-bit final | google-api-client 2.29.0 | macOS-10.16-x86_64-i386-64bit x86_64 (gzip)\r\nx-goog-api-client: gdcl/2.29.0 gl-python/3.10.0\r\ncontent-length: 0\r\nauthorization: Bearer xxxxx\r\n\r\n'
reply: 'HTTP/1.1 403 Forbidden\r\n'
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Type: application/json; charset=UTF-8
header: Content-Encoding: gzip
header: Date: Thu, 16 Dec 2021 15:07:43 GMT
header: Server: ESF
header: Cache-Control: private
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
header: Transfer-Encoding: chunked

403: Insufficient Permission - insufficientPermissions
grant@Grants-MacBook-Pro ~ % 

Jay Lee

Dec 16, 2021, 1:19:50 PM
to Got Your Back: Gmail Backup
The error indicates you didn't actually authorize the Gmail API scopes for some reason. Can you delete the file in the GYB folder named <your-email>.cfg and then run it again? Make sure you leave the scope selections within GYB as is and then make sure to check all selections within the website you are sent to authorize GYB.

Jay Lee
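
The diagnosis above (a token that works for userinfo but gets 403 from Gmail) can be confirmed by comparing the `scope` field of the OAuth token response with what was requested. This is an added example, not GYB's code or part of the original posts; the sample responses and the requested-scope list are constructed, and the scope sets are taken from Google's Gmail API reference.

```python
import json

GMAIL = "https://www.googleapis.com/auth/gmail."
# Scopes documented as sufficient for users.messages.list (assumption: taken
# from Google's API reference, not from the thread).
LIST_WITH_QUERY = frozenset({"https://mail.google.com/",
                             GMAIL + "modify", GMAIL + "readonly"})
# gmail.metadata can list messages too, but the API rejects the q= filter
# (as in the q=-is%3Achat request in the debug log) under that scope.
LIST_NO_QUERY = LIST_WITH_QUERY | {GMAIL + "metadata"}

def granted_scopes(token_response_body):
    """Scopes the authorization server reports for this token (RFC 6749 s5.1)."""
    body = json.loads(token_response_body)
    if "error" in body:
        raise ValueError("token endpoint error: %s" % body["error"])
    return set(body.get("scope", "").split())

def diagnose(token_response_body, requested, uses_query=True):
    """Compare requested and granted scopes before calling the Gmail API."""
    granted = granted_scopes(token_response_body)
    usable = LIST_WITH_QUERY if uses_query else LIST_NO_QUERY
    return {
        "granted": sorted(granted),
        "declined": sorted(set(requested) - granted),
        "can_list_messages": bool(granted & usable),
    }

# Constructed samples: token values are placeholders, scopes are illustrative.
REQUESTED = ["https://mail.google.com/",
             "https://www.googleapis.com/auth/userinfo.email", "openid"]
PARTIAL = json.dumps({"access_token": "REDACTED", "token_type": "Bearer",
                      "scope": "https://www.googleapis.com/auth/userinfo.email openid"})
FULL = json.dumps({"access_token": "REDACTED", "token_type": "Bearer",
                   "scope": " ".join(REQUESTED)})
METADATA = json.dumps({"access_token": "REDACTED", "token_type": "Bearer",
                       "scope": GMAIL + "metadata"})

if __name__ == "__main__":
    for name, sample in (("partial", PARTIAL), ("full", FULL)):
        print(name, diagnose(sample, REQUESTED))
```

A non-empty `declined` list means a box was left unchecked on the consent page, so the saved token has to be discarded and the authorization repeated with every selection ticked.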

