auth via service account leads to api response "forbidden"

Showing 1-8 of 8 messages
auth via service account leads to api response "forbidden" Fex 3/28/12 5:32 AM
Hello,

i'm using the google-api-php-client to authenticate a simple get
request to the analytics api. But i only get a 403 - forbidden
response.

Thats the way i did that:
1. i logged in at the google api console with an account wich has
access to the analytics account
2. i created a new service account within a project wich has access to
the analytics api
3. with the latest google-api-php-client i authenticated the request
to the analytics api by using this service account. The authentication
seems to work fine, as the request header contains "authorization:
Bearer {access_token}". But the response is always: {"error":{"errors":
[{"message":"Forbidden"}],"code":403,"message":"Forbidden"}}

When i authenticate the same api request via "Client ID for web
applications" (OAuth 2.0 Playground) i get my wanted response.
What i'am doing wrong?

Here is a short code snippet of what iam doing:

$client = new apiClient();
$client->setAssertionCredentials(new apiAssertionCredentials(
        '{my service account email}',
        array('https://www.googleapis.com/auth/analytics.readonly'),
        '{my service account certificate}'
));
$request = $client->getIo()->authenticatedRequest(new
apiHttpRequest('https://www.googleapis.com/analytics/v3/data/ga?{my
query}'));

any ideas?
Re: auth via service account leads to api response "forbidden" Andrew Magee 3/28/12 4:29 PM
I'm having the same issue with the Python API.  Connecting seems fine, but querying always returns 403.  I'm not even sure if Analytics even supports service accounts yet; all I've found on the matter is here http://googledevelopers.blogspot.com.au/2012/03/service-accounts-have-arrived.html, there is a comment from a week ago saying "I am especially waiting for the Google Analytics API to have services accounts!".  
Re: auth via service account leads to api response "forbidden" Eric Haskins 3/28/12 4:38 PM
I have been told in the AdSense management API group anything that is tied to a user account AdSense ,Calender , user info is not supported via service accounts. We are a Google partner and need to query our stats and earnings but are forced to use the installed app version.

I mentioned in the AdSense group its easier to process a credit card txn with authorize.net than it is to access statistics with Google :-)

Eric Haskins

Re: auth via service account leads to api response "forbidden" Justin Smith 3/28/12 10:55 PM
Unfortunately Service Accounts aren't supported by all Google APIs. We're working to enable it more broadly.

The APIs listed on the blogpost are the only ones that work with Service Accounts today.
Re: auth via service account leads to api response "forbidden" Andrew Magee 3/28/12 11:04 PM
Fair enough.  In that case the blog post is quite confusing, as it does say:
  • Google APIs Client Libraries for Python, Java, and PHP
I'm using what I imagine would be called the Google APIs Client Library for Python, so from reading this there is no indication that Analytics isn't supported.
Re: auth via service account leads to api response "forbidden" Justin Smith 3/28/12 11:13 PM
Fair point.  My fault for not making that more clear.

The libraries (Python, Java, PHP) can obtain an access token using only a service account. They can do this for just about any scope. However, not all APIs can consume these tokens (just yet). That's what is happening for the Analytics API.
Re: auth via service account leads to api response "forbidden" Fex 3/29/12 1:29 AM
Thank you for the clarification. I was misleaded by the api documentation, wich clearly states support for bearer auth header:
Am Donnerstag, 29. März 2012 07:55:10 UTC+2 schrieb Justin Smith:
Re: auth via service account leads to api response "forbidden" Ryan Burke 4/17/12 12:51 PM
Justin, does Google have any timeline for expanding API consumption of service account tokens? It was pretty frustrating to troubleshoot a service account implementation to Google Analytics only to find this post.


On Thursday, March 29, 2012 12:13:01 AM UTC-6, Justin Smith wrote:
Fair point.  My fault for not making that more clear.

The libraries (Python, Java, PHP) can obtain an access token using only a service account. They can do this for just about any scope. However, not all APIs can consume these tokens (just yet). That's what is happening for the Analytics API.

On Wed, Mar 28, 2012 at 11:04 PM, Andrew Magee wrote:
Fair enough.  In that case the blog post is quite confusing, as it does say:
  • Google APIs Client Libraries for Python, Java, and PHP
I'm using what I imagine would be called the Google APIs Client Library for Python, so from reading this there is no indication that Analytics isn't supported.



On Thursday, March 29, 2012 4:55:10 PM UTC+11, Justin Smith wrote:
Unfortunately Service Accounts aren't supported by all Google APIs. We're working to enable it more broadly.

The APIs listed on the blogpost are the only ones that work with Service Accounts today.

On Wednesday, March 28, 2012 4:38:33 PM UTC-7, Eric Haskins wrote:
I have been told in the AdSense management API group anything that is tied to a user account AdSense ,Calender , user info is not supported via service accounts. We are a Google partner and need to query our stats and earnings but are forced to use the installed app version.

I mentioned in the AdSense group its easier to process a credit card txn with authorize.net than it is to access statistics with Google :-)

Eric Haskins