Getting started with Test Accounts failing, as can't work out how to link accounts.

[Edward Robertshaw]

In the docs is states:

"Because test and production accounts cannot interact in any way, you cannot use a test account under your existing production manager account. To use test accounts, you'll need a new account hierarchy, with a test manager account as the root." - https://developers.google.com/adwords/api/docs/guides/accounts-overview#test_accounts

It then goes on to say:

"You must use a production (non-test) manager account's developer token to make API calls against a test account. Even if the token is pending approval, you can still use it to make calls against test accounts." - https://developers.google.com/adwords/api/docs/guides/accounts-overview#test_accounts

This appears to be a contradiction. I'm unable to link the accounts so, I'm unable to use the test account at all because you don't get the API credentials for the Test Manager account and you can't link it to the Production account.

The instructions appear to state that you then need to link the Test and Production account. Which result in the error "The manager cannot create more client accounts.".

Can some one point me in the right direction. Clearly I'm missing something.

Thanks in advance.

[Peter Oliquino]

Hi Edward,

Yes, test accounts cannot be linked to the MCC production accounts. However, in order to make calls to the AdWords API using your test accounts, you will still need to use the developer token associated to your MCC production account. You may then use the email address you used to create your test accounts to generate your OAuth2 credentials.

By using the OAuth2 credentials specific to your test account and your developer token, you will then be able to make calls to the AdWords API against your test account. You may also refer to our guide for more information about making calls to the AdWords API. I hope this helps and please let me know if you have any other concerns.

Best regards,

Peter

AdWords API Team

[Edward Robertshaw]

What I want to know is how to fill out the yml config. Mine sanitized looks something like (I am using some from the live account and some from the test account and hitting auth errors using the api):

---
# This is an example configuration file for the AdWords API client library.
# Please fill in the required fields, and copy it over to your home directory.
:authentication:
  # Authentication method, methods currently supported:
  # OAUTH2, OAUTH2_SERVICE_ACCOUNT.
  :method: OAUTH2_SERVICE_ACCOUNT

  # Auth parameters for OAUTH2 method.
  # Set the OAuth2 client id and secret. Register your application here to
  # obtain these values:
  #   https://console.developers.google.com/
  :oauth2_client_id: [PRODUCTION-account]
  :oauth2_client_secret: [PRODUCTION-account-secret]
  # Optional, see: https://developers.google.com/accounts/docs/OAuth2WebServer
  #:oauth2_callback: INSERT_OAUTH2_CALLBACK_URL_HERE
  #:oauth2_state: INSERT_OAUTH2_STATE_HERE
  #:oauth2_access_type: INSERT_OAUTH2_ACCESS_TYPE_HERE
  #:oauth2_approval_prompt: INSERT_OAUTH2_APPROVAL_PROMPT_HERE
  # You can define extra scopes so that you can reuse your refresh token for
  # other APIs.
  #:oauth2_extra_scopes: [INSERT_EXTRA_SCOPES_HERE]

  # Auth parameters for OAUTH2_SERVICE_ACCOUNT method. See:
  #   https://developers.google.com/accounts/docs/OAuth2ServiceAccount
  :oauth2_issuer: [ID-FROM-DEVELOPER-CONSOLE]
  :oauth2_secret: notasecret
  :oauth2_keyfile:  [location of file]
  # To impersonate a user set prn to an email address.
  :oauth2_prn: [PRODUCTIO...@myaddress.com]

  # Other parameters.
  :developer_token: [developer-token-from-PRODUCTION-account]
  :client_customer_id: [TEST-account-client-id]
  :user_agent: INSERT_YOUR_USER_AGENT_HERE
:service:
  # Only production environment is available now, see: http://goo.gl/Plu3o
  :environment: PRODUCTION
:connection:
  # Enable to request all responses to be compressed.
  :enable_gzip: false
  # If your proxy connection requires authentication, make sure to include it in
  # the URL, e.g.: http://user:password@proxy_hostname:8080
  # :proxy: INSERT_PROXY_HERE
:library:
  # Optional: set the log level.
  :log_level: INFO
  # Optional: uncomment to skip header / summary rows in reporting.
  #:skip_report_header: true
  #:skip_report_summary: true
  #:skip_column_header: true
  # Optional: uncomment to disable user agent showing used utilities.
  #:include_utilities_in_user_agent: false

Clearly, I'm missing something after reviewing the guide. Is there an example of how to set this config. I'm only looking for a basic Ruby set up that lets me post to my test account. I suspect if i were posting to a live account there would be no issue but I want to get my stuff working in test first.

[Peter Oliquino]

Hi Edward,

Apologies for the delay and thank you for the additional information. I could see that you are using production account credentials for you oauth2_client_id and oauth2_client_secret while using a test account customer ID as your client_customer_id. In order to make calls using your test account, you will need to fill these fields with test account information. As mentioned in my previous response, you will need to generate separate OAuth2 credentials for your test account while logged in to the email address you associated to your test account.

That being said, you may then use the below example to configure your yml file :

:oauth2_client_id: [TEST-account]
:oauth2_client_secret: [TEST-account-secret]
:client_customer_id: [TEST-account-client-id]

 

Let me know if this works.

[Edward Robertshaw]

I tried this suggestion but did not get any further.
---
:authentication:
  :method: OAUTH2_SERVICE_ACCOUNT

  :oauth2_client_id: [TEST]
  :oauth2_client_secret: [TEST]

  :oauth2_issuer: [PRODUCTION]
  :oauth2_secret: notasecret
  :oauth2_keyfile:  [PRODUCTION-path]
  :oauth2_prn: [PRODUCTION]

  :developer_token: [PRODUCTION]
  :client_customer_id: [TEST]
  :user_agent: INSERT_YOUR_USER_AGENT_HERE
:service:
  :environment: PRODUCTION
:connection:
  :enable_gzip: false
:library:
  :log_level: INFO

RESULTED IN:
[AuthorizationError.USER_PERMISSION_DENIED @ ; trigger:'<null>']

So, I also tried the following but still got an error.

---
:authentication:
  :method: OAUTH2_SERVICE_ACCOUNT

  :oauth2_client_id: [TEST]
  :oauth2_client_secret: [TEST]

  :oauth2_issuer: [TEST]
  :oauth2_secret: notasecret
  :oauth2_keyfile:  [TEST-path]
  :oauth2_prn: [TEST]

  :developer_token: [PRODUCTION]
  :client_customer_id: [TEST]
  :user_agent: INSERT_YOUR_USER_AGENT_HERE
:service:
  :environment: PRODUCTION
:connection:
  :enable_gzip: false
:library:
  :log_level: INFO

RESULTED IN: 
Authorization failed. Server message: { "error" : "unauthorized_client", "error_description" : "Unauthorized client or scope in request." }

It's really unclear to me which values I should be using for each field from the 2 different test/production accounts.

I also don't understand from a security perspective how the accounts should be linked in their respective configs.

Thanks for your patients and help resolving this with me.

Ed

[Peter Oliquino]

Hi Edward,

No worries, we're always here to provide help. Moving forward, there are two possible causes for the USER_PERMISSION_DENIED error that you encountered. One cause could be that there is no link between the MCC account and the client account and also possibly that your OAuth2 credentials does not match the client_customer_id in your adwords_api.yml file. For this case, I would recommend that you review your OAuth2 credentials and see if they were generated using the same login email associated to your Test MCC account. 

You could check by logging in to your AdWords Test MCC account and access the Google API Console Credentials Page and check if the credentials in this page match those specified in your adwords_api.yml file. The same can be said when checking the credentials for your production account.

For the "Unauthorized client or scope in request" error, I would suggest that you regenerate your refresh token. You may find this guide helpful in setting up your configuration for Ruby. I hope this helps.

[Edward Robertshaw]

> "One cause could be that there is no link between the MCC account " 

I think this is it. I've never linked the accounts MMC with the test account. However, thats because it doesn't let me (thats what the docs say too, production and test accounts can't be linked). This just brings me full circle back to my first post. You can't link test and production accounts but you need to have them linked to use the test account with the API.

How do I link the accounts?

[Peter Oliquino]

Hi Edward,

The case of having no link between accounts is applicable for same environment accounts only and there is no way to create a link between test and production accounts. This said, if your production client account is not linked to the production MCC account where your developer token is associated to, then this error will occur. The same applies for test MCC accounts and test client accounts. 

One way to check if the accounts are linked is by using the GetAccountHierarchy example. Please make sure to specify the test or production MCC account id in the client_customer_id field of your adwords_api.yml when you run the example to see which client accounts are linked to it. Additionally, for linking accounts, please carefully follow this guide as to how.