OAuth 2 Service Account error: NOT_ADS_USER
304 views
Skip to first unread message
Martin Levi
Aug 26, 2022, 2:51:37 PM8/26/22
to Google Ads API and AdWords API Forum
Hi,
I am successfully generating OAuth 2 Access Tokens for the Google Ads API but when I try to access the API access is denied. Below is my setup - what am I missing?
Manager Ad Account Id: mgr-acc-idid email: persona...@gmail.com
Developer Token Access: Basic Id: developer_token_id Owner: mgr-acc-idid
Service Account Name: My Domain Service Account Id: service_account_id Email: my-domain-se...@my-domain-ads-interface.iam.gserviceaccount.com
Project Id: my-domain-ads-interface Domain: mydomain.com
Admin User: Martin Levi Email: in...@mydomain.com
Enabled APIs and Services Google Ads API
Domain Wide Delegation Client Id: service_account_id Scope: https://www.googleapis.com/auth/adwords
API Credentials: Oauth 2.0 Client Id: service_account_id
API Credentials: Service Account Client Id: service_account_id
Service Account Key Client Id: service_account_id Key Id: service_acc_key_id
Admin User: Martin Levi Email: in...@mydomain.com
Enabled APIs and Services Google Ads API
Domain Wide Delegation Client Id: service_account_id Scope: https://www.googleapis.com/auth/adwords
API Credentials: Oauth 2.0 Client Id: service_account_id
API Credentials: Service Account Client Id: service_account_id
Service Account Key Client Id: service_account_id Key Id: service_acc_key_id
Access Token Method: REST PHP $keyDataJsonFile: Service Account Key file downloaded from Google
$iss: my-domain-se...@my-domain-ads-interface.iam.gserviceaccount.com
$sub: persona...@gmail.com
$scope: https://www.googleapis.com/auth/adwords
$iss: my-domain-se...@my-domain-ads-interface.iam.gserviceaccount.com
$sub: persona...@gmail.com
$scope: https://www.googleapis.com/auth/adwords
Access Google Ads API Method: REST PHP (CURL log) :path: /v11/customers:listAccessibleCustomers
:authority: googleads.googleapis.co
:authorization: "Bearer " + $access_token
developer-token: developer_token_id
login-customer-id: mgraccidid
:authority: googleads.googleapis.co
:authorization: "Bearer " + $access_token
developer-token: developer_token_id
login-customer-id: mgraccidid
Response log code: 401
message: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.
status: UNAUTHENTICATED
errorCode: "authenticationError": "NOT_ADS_USER"
message: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.
status: UNAUTHENTICATED
errorCode: "authenticationError": "NOT_ADS_USER"
Thanks in advance,
Martin
Message has been deleted
Google Ads API Forum Advisor
Aug 26, 2022, 3:42:32 PM8/26/22
to nitra...@gmail.com, adwor...@googlegroups.com
Hi Martin,
A service account can only be used with the Google Accounts in the mydomain.com space, you cannot impersonate a @gmail.com Google account that is not in the @mydomain.com domain with a service account. The 'sub' field can only be filled with a Google Account that is in the Google Workspace domain. here is the note under Setting up service account access that explains this.
If the above doesn't help, could you send us your JWT claim set and a 'DEBUG' log level request and response log of raw API communications that gets you this error?
The request and response appears similar to the JSON Mappings in our REST documentation with additional headers and information such as request Id.
If you are using our REST interface then the full multi line curl command line is a request log and adding curl command line option '-i' will also generate a response log.
You may send the requested information via "Reply to author" or via googleadsa...@google.com with a link to this forum post added to the new thread.
Regards,
ref:_00D1U1174p._5004Q2do6N4:ref
A service account can only be used with the Google Accounts in the mydomain.com space, you cannot impersonate a @gmail.com Google account that is not in the @mydomain.com domain with a service account. The 'sub' field can only be filled with a Google Account that is in the Google Workspace domain. here is the note under Setting up service account access that explains this.
If the above doesn't help, could you send us your JWT claim set and a 'DEBUG' log level request and response log of raw API communications that gets you this error?
The request and response appears similar to the JSON Mappings in our REST documentation with additional headers and information such as request Id.
If you are using our REST interface then the full multi line curl command line is a request log and adding curl command line option '-i' will also generate a response log.
You may send the requested information via "Reply to author" or via googleadsa...@google.com with a link to this forum post added to the new thread.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2do6N4:ref
Martin Levi
Aug 26, 2022, 4:07:39 PM8/26/22
to Google Ads API and AdWords API Forum
Hi Aryeh,
Thanks for your response. I had already seen the documentation Setting up service account access that you linked to but I can't see anywhere that it discusses the domain of the account that is impersonated.
In any case, it appears that this is the disconnection in my setup. So if I authorize in...@mydomain.com to the Manager Ad Account, and use this email in the $sub field when I generate the Access Token will that solve my issue?
Regards,
Martin
Google Ads API Forum Advisor
Aug 26, 2022, 4:18:48 PM8/26/22
to nitra...@gmail.com, adwor...@googlegroups.com
Hi Martin,
The specific language I am referring to is "Your application and its users will have the ability to impersonate any user in the domain". This doesn't promise impersonation of anyone outside of the domain, even if they are users in Ads accounts. In light of the above I cannot promise you that it will work as there may be other issues, but for sure give it a try!
The specific language I am referring to is "Your application and its users will have the ability to impersonate any user in the domain". This doesn't promise impersonation of anyone outside of the domain, even if they are users in Ads accounts. In light of the above I cannot promise you that it will work as there may be other issues, but for sure give it a try!
Martin Levi
Aug 26, 2022, 4:58:41 PM8/26/22
to Google Ads API and AdWords API Forum
Hi Aryeh,
OK, I missed the part about "any user in the domain".
But I made the change I suggested above, and it worked!
Thanks for your help, and have a great weekend,
Martin
Reply all
Reply to author
Forward
0 new messages