User doesn't have permission to access customer - what am I missing?

113 views
Skip to first unread message

Rob Sharp

unread,
Feb 22, 2021, 5:37:04 PM2/22/21
to AdWords API and Google Ads API Forum
Hi,

I'm downloading customer data using a customer OAuth token.

I'm seeing the following error:

Google::Ads::GoogleAds::Errors::GoogleAdsError(Google::Ads::GoogleAds::Errors::GoogleAdsError): User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid

My token structure looks like this (Ruby))

client = Google::Ads::GoogleAds::GoogleAdsClient.new do |config|
  config.client_id = ENV.fetch('GOOGLE_CONSUMER_KEY')
  config.client_secret = ENV.fetch('GOOGLE_CONSUMER_SECRET')
  config.developer_token = ENV.fetch('GOOGLE_DEVELOPER_TOKEN')
  config.refresh_token = token['refresh_token'] # customers oauth refresh token
  config.logger = Logger.new(STDOUT)
  config.login_customer_id = token['manager_id'] # managers (mcc) ID
end

customer_id = token['uid'] # customers oauth uid

ga_service = client.service.google_ads

responses = ga_service.search_stream(
  :customer_id => customer_id,
  :query => <<~QUERY
 
As far as I can tell, the manager_id has the customer_id as a child. The oauth token is valid, and the login_customer_id header is being supplied.

What have I missed to make this run correctly?

Thanks,

 -- Rob

Google Ads API Forum Advisor Prod

unread,
Feb 22, 2021, 9:28:51 PM2/22/21
to rob....@digivizer.com, adwor...@googlegroups.com

Hi Rob,

Thanks for raising this to us.

Given the error string (User doesn't have permission to access customer) provided, I can see that you've encountered the USER_PERMISSION_DENIED error which signifies that the authorized customer does not have access to the operating customer. That said, could you confirm if the OAuth2 credentials being used was generated from a user’s email address that has an access to the login-customer-id found in your API request header? Also, could you confirm if the login-customer-id is correct (as the manager account ID without hyphens)? If indeed the user has right access credentials to the login-customer-id, could you provide us the details below (via Reply privately to author option) so our team can further investigate?

  • Complete request and response (with request-id) logs
  • Email Address used to authenticate the API call
  • Customer ID of the authenticated user

As an aside, since you're using the Ruby version of the client library, could you try following the configuration guide as mentioned here?

Regards,

Google Logo
Mark Kevin Albios
Google Ads API Team
 


ref:_00D1U1174p._5004Q2CThqf:ref

Rob Sharp

unread,
Feb 23, 2021, 9:34:03 PM2/23/21
to AdWords API and Google Ads API Forum
Hey Mark,

Thanks for your response. Your description of the variables helped me a lot. I had the mental model backwards.

I replaced login-customer-id with the oauth token UID, and the download runs as expected.

Thanks for your help!
Reply all
Reply to author
Forward
0 new messages