Unable to be Authenticated for the Google ADS API using a service account


AMD Google Registrations

Aug 18, 2022, 7:53:39 AM
to Google Ads API and AdWords API Forum
Hi all, 

I am having issues authenticating to the Google AD API with the use of a service account. I get the NO_ADS_USER error but I think my setup (at least the one provided in the Google documentation) is OK. So:
  1. Endpoint of interest: https://googleads.googleapis.com/v11/customers:listAccessibleCustomers
  2. Our developer token is the one linked with the specific AD Manager account (123-456-7890 Account Name Here) and has been upgraded to Basic Access after a successful review.
  3. Workspace account exa...@ourdomain.com was invited as admin to the above Ad Manager
  4. Firebase project was created under exa...@ourdomain.com and service account was added to it.
  5. Service account granted domain wide delegation.
  6. .json credential downloaded and used in GoogleCredentials class instance along with https://www.googleapis.com/auth/adwords scope and createDelegated argument set to service account email (firebase-admin...@project-name-here.iam.gserviceaccount.com) referenced in steps 4 and 5.
As an added step I also linked the Firebase project of step 4 to the AD Manager account through the Integrations tab in project settings.

What am I doing wrong?

Kind regards

Google Ads API Forum Advisor

Aug 18, 2022, 11:01:56 AM
to adwor...@googlegroups.com
Hi there,

Thank you for reaching out to Google Ads API with your service account issue. The "createDelegated" refers to the 'sub' field that is mandatory when accessing the Ads API. Since you can only access the Ads API by logging in to a specific account just like when accessing accounts in the Ads UI, the JWT claim set needs the added 'sub' field filled out with the impersonated user's Workspace account that is also a user in an Ads account, and not the service account itself, which I am highly certain isn't a Workspace account and probably is not a user in an account in the Ads UI. Our REST Interface Using service accounts guide points to Preparing to make an authorized API call that talks about the 'sub' field in the JWT claim set and their example copied shows the service account isn't the delegated account:
{
  "iss": "761326798069-r5mljlln1...@developer.gserviceaccount.com",
  "sub": "some...@example.com",
  "scope": "https://www.googleapis.com/auth/prediction",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": 1328554385,
  "iat": 1328550785
}

The word "createDelegated" isn't a familiar term in Ads API because many of the difficult steps in processing a JWT claim set are done automatically in our Client Libraries. Unless you need a multiple API scope access token I suggest you try one of our client libraries out.

Also, note that the only benefit of using the service account flow is that all Workspace accounts in your domain can be impersonated to access Ads accounts that can be accessed by each user without each user manually granting the right to access in their name. Our other OAuth flows only need one manual grant of permission from a user to access their Ads accounts in their name and this grant should last forever (there are some limitations on a grant of permission listed in Refresh token expiration). Moreover, there are Security concerns associated with using the service account OAuth flow, so we always encourage Ads API users to avoid service accounts unless they have a need for "impersonation" or a multi API scope access token that the other APIs work better with service accounts.

Feel free to get back to us. If the above doesn't help, could you send us a 'DEBUG' log level request and response log of raw API communications showing the error combined with your JWT claim set?

The request and response appear similar to the JSON Mappings in our REST documentation with additional headers and information such as request Id. Here are logging instructions for our Java, .NET, PHP, Python, Ruby and Perl Ads API Client Libraries.

If you are using our REST interface then the full multi-line curl command line is a request log and adding curl command line option '-i' will also generate a response log.

You may send the requested information via "Reply to author" or via googleadsa...@google.com with a link to this forum post added to the new thread.

Regards,

Aryeh
Google Ads API Team

AMD Google Registrations

Aug 19, 2022, 4:00:53 AM
to Google Ads API and AdWords API Forum
Hi Aryeh,

I changed the createDelegated from the service account email to the one invited to the AD Manager account and it worked.

Thank you for your time.
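
The fix confirmed above, as an added example that is not part of any post in this thread: a preflight check that decodes a service-account JWT claim set and reports the delegation mistake discussed here before the assertion is sent. The function names and the sample e-mail addresses are assumptions made for illustration; the scope and audience values are the ones quoted in the thread.

```python
import base64
import json

TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"   # 'aud' from the advisor's example
ADS_SCOPE = "https://www.googleapis.com/auth/adwords"    # scope from the first post
SERVICE_ACCOUNT_SUFFIX = ".gserviceaccount.com"
MAX_LIFETIME_SECONDS = 3600  # the token endpoint accepts exp at most one hour after iat


def decode_claims(assertion: str) -> dict:
    """Decode the claim set (middle segment) of a compact JWT without verifying it."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_ads_claims(claims: dict) -> list:
    """Return the problems that would stop a delegated Ads API call."""
    problems = []
    iss, sub = claims.get("iss", ""), claims.get("sub", "")
    if not sub:
        problems.append("sub missing: no user is impersonated")
    elif sub == iss or sub.endswith(SERVICE_ACCOUNT_SUFFIX):
        problems.append("sub is a service account, not a Workspace user")
    if ADS_SCOPE not in claims.get("scope", "").split():
        problems.append("adwords scope not requested")
    if claims.get("aud") != TOKEN_AUDIENCE:
        problems.append("aud is not the OAuth token endpoint")
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if not 0 < lifetime <= MAX_LIFETIME_SECONDS:
        problems.append("exp must be at most one hour after iat")
    return problems


def make_unsigned_assertion(claims: dict) -> str:
    """Build header.claims.signature with a dummy signature, for offline checks only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.c2ln"


# Constructed samples: the first post's setup (sub = service account) and the fix.
BROKEN = {"iss": "sa@project.iam.gserviceaccount.com",
          "sub": "sa@project.iam.gserviceaccount.com",
          "scope": ADS_SCOPE, "aud": TOKEN_AUDIENCE,
          "iat": 1660809600, "exp": 1660813200}
FIXED = dict(BROKEN, sub="user@ourdomain.example")

if __name__ == "__main__":
    for name, claims in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_ads_claims(decode_claims(make_unsigned_assertion(claims))))
```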
