Service account

331 views
Skip to first unread message

Kate Orlova

unread,
Oct 3, 2022, 4:54:11 AM10/3/22
to Google Ads API and AdWords API Forum
Hi there!
I'm trying to use service account to make requests to google ads api.
It is failed on refresh access token with error 401 Unauthorized.
If I use service account email as service account user email I can get auth token, but then I have a NOT_ADS_USER error. But if I use an email of user that has an access to google ads account and also has permissions in service account - I get 401 Unauthorized and can't get auth token.
Which email I should use for service account user?

Google Ads API Forum Advisor

unread,
Oct 3, 2022, 2:20:51 PM10/3/22
to adwor...@googlegroups.com

Hi Kate,

Thanks for reaching out to the Google Ads API Forum.

If you have used an impersonated email as @*****.iam.gserviceaccount.com, then note that service account authentication will not work.  Kindly note that impersonated_email (formerly delegate_account) is an account email used as a delegate. In this case, you have to provide the email of a user that has access to the Google Ads account and grant impersonation abilities in the G Suite domain for this scope: https://www.googleapis.com/auth/adwords

This is used for authenticating using a service account. For more information, you may see OAuth2 Service Account documentation.

In addition, service account authentication requires a Google Workspace domain and a service account that was granted domain-wide delegation access by a super administrator for the domain. You may retry your request with workspace domain and valid impersonated_email, and let us know the results.

If it still doesn't work, then could you please confirm if you already followed this service account document and completed all mentioned requirements for the service account authentication? If not, then you refer to it.

If you’re encountering API error after following the above guide, you may provide the complete request and response logs with request ID generated via reply privately to author option, as seen in the respective links, so that our team can check better.

For you to enable complete logs on your end for the client library, logging can be enabled by navigating to the Client libraries > Your client library (ex Python) > Logging documentation, which you can access from this link

Regards,

Google Logo
Yasar
Google Ads API Team
 


ref:_00D1U1174p._5004Q2ewSHl:ref

Kate Orlova

unread,
Oct 4, 2022, 4:02:33 AM10/4/22
to Google Ads API and AdWords API Forum
Let me explain all my steps.
1. I've created service account in my project in https://console.cloud.google.com/.
2. I've created key and get creds from json file.
3. My admin configure domain wide delegation for this service account, scope https://www.googleapis.com/auth/adwords
4. I have a user email which has access to google ads account, I granted him permissions in the service account as Service Account User.
5. I've created ServiceAccountCredentials in my code and use there creds from step 2 and user from step 4 as serviceAccountUser.
6. When it tries to refresh access token I get 
com.google.api.client.http.HttpResponseException: 401 Unauthorized
POST https://oauth2.googleapis.com/token

What I'm missing?
Reply all
Reply to author
Forward
0 new messages