403 forbidden

13,815 views
Skip to first unread message

doucol

unread,
Mar 31, 2012, 5:01:56 AM3/31/12
to google-analytics-api - GA Data Export API
Hi folks,

I am trying to get some ruby code written which will retrieve
analytics profile data for our own sites. I have successfully
received an access token but when I make the GET call to the analytics
API, I keep getting a 403 forbidden back.

My GET request looks like so:
"https://www.googleapis.com/analytics/v3/data/ga?ids=ga:53884572&start-
date=2012-01-01&end-date=2012-03-29&metrics=ga:visits"

With an http auth header like this: "Authorization: Bearer <access
token>"

I believe I am an admin for the analytics profile and I think the
profile ID is correct. I have done a ton of searching already and
could use a little help.

thanks much
-doug

Nick

unread,
Mar 31, 2012, 2:39:11 PM3/31/12
to google-analytics...@googlegroups.com
403 means the authorized user doesn't have access to the account.

If you log into the GA web interface, view a report, then look at the URL, the last part of the query that has the value p is the profile ID.
You can also get this from admin interface.

The use you authorizing access for must have to this profile ID otherwise we return a 403.
-Nick

doucol

unread,
Mar 31, 2012, 3:13:59 PM3/31/12
to google-analytics...@googlegroups.com
Hi Nick,

Thanks for your note.  I am looking at GA right now - at the "Visitors Overview" report.  Here is the URL:

The value which you are referencing is:  54774085
And this is also the value I see in the admin area for "Profile ID"  (54774085)

I am an admin for the GA profile - at least as far as I can tell.

This is indeed the profile ID which I am using in my API requests -- and I am still getting a 403 forbidden.

Is there anything else that I might be missing?

many thanks
-doug

doucol

unread,
Mar 31, 2012, 4:04:00 PM3/31/12
to google-analytics...@googlegroups.com
Sorry for the slight bit of confusion.  But the first message I sent with the API GET request was one in which I was testing with different values for the profile id.

I just ran the whole test again:

* Successful OAuth2 token request - I get back an http status 200 with <access_token>
  -- with http header:  "Authorization:  Bearer <access_token>"
* Receive a 403 forbidden

I can look at the GA reports from the web interface for this profile and I believe I am an admin for this profile.

Also, I have run through the google php api client and I get the same response back using that.

Should I be attempting to use the "Simple API Access" key approach?  My understanding on that is that I would need to perform a "clientlogin" for that approach to work, but then I have seen some notes in these forums which state that the clientlogin / simple api access approach does not work for V3.

Can anyone provide a little guidance?

thanks
-doug

Nick

unread,
Mar 31, 2012, 6:37:16 PM3/31/12
to google-analytics...@googlegroups.com
Are you able to get data successfully using this tool: https://code.google.com/oauthplayground/

You should at least be able to get Management API account data via this URI end point: https://www.googleapis.com/analytics/v3/management/accounts


-Nick

doucol

unread,
Mar 31, 2012, 7:15:05 PM3/31/12
to google-analytics...@googlegroups.com
Hi Nick,

Ok, I used that tool and it worked.  However, here are a few observations which lead me to believe that this is different than what I'm trying to do.

1)  I was redirected to a consent page where I provided consent
2)  The Authorization header does not contain a "Bearer" token - it contains an "OAuth" token
3)  My private key file was not used in the process

I am trying to get an OAuth2 "Server to Server" setup working as described in detail here:  https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Should I be using the Simple API Access method?

thanks
-doug

Nick

unread,
Mar 31, 2012, 7:41:21 PM3/31/12
to google-analytics...@googlegroups.com
I see.

You're trying to use a Service Acccount to access our API. Here's a list of the following services that support this type of Auth: http://googledevelopers.blogspot.com/2012/03/service-accounts-have-arrived.html

GA isn't in it......

Generally if your server needs to access data on behalf of a user (ie you), you can use OAuth 2 for web applications: https://developers.google.com/accounts/docs/OAuth2WebServer

You would just need to go through the Auth flow once, then store and reuse the refresh token to get new access tokens.

-Nick

doucol

unread,
Apr 1, 2012, 1:23:08 PM4/1/12
to google-analytics...@googlegroups.com
Thank you Nick.  The information you provided in this note helped me get something working.

Nick

unread,
Apr 3, 2012, 3:31:53 PM4/3/12
to google-analytics...@googlegroups.com
Great.

We'll look into adding support for service accounts.

-Nick

Blaine Jester

unread,
Apr 17, 2012, 11:32:30 AM4/17/12
to google-analytics...@googlegroups.com
I have come across this same issue.  I am attempting use the "Service Account" method to connect to GA to retrieve data for external reporting.  

The "Webserver Application" method doesn't seem to be an option since the call to GA won't be initiated through a website.  

Is there anyway this can be done?  Or do we need to resort to older versions of the API?  This is a great inconvenience for developers trying to stay current by implementing the newest versions of your API by following the documentation, only to find out it is not in production yet. 

-Blaine

Mark Rose

unread,
Jun 27, 2012, 1:47:44 PM6/27/12
to google-analytics...@googlegroups.com
I am also getting a 403 Forbidden error. Is this because service accounts are still not supported with Google Analytics? If so, I just wasted a bunch of time.

I'm using the trunk (r447) of the google-api-php-client, and am getting the following error:


The account I'm using has full access to all the data on GA.

-Mark

Nick

unread,
Jun 28, 2012, 11:46:19 AM6/28/12
to google-analytics...@googlegroups.com
Service accounts are supported.

A Service accounts creates a new Google Account. You get a new email for this account in the APIs console. That email (user / robot) must be added to your GA account.

Otherwise that service account user you created does not have access to your GA data and you get a 403.

-Nick

Sergey C.

unread,
Jul 12, 2012, 8:19:58 AM7/12/12
to google-analytics...@googlegroups.com
I still have problem with Service Account for Google Analytics.

Google.Apis.Requests.RequestError
User does not have permission to perform this operation [403]
Errors [
Message[User does not have permission to perform this operation] Location[ - ] Reason[insufficientPermissions] Domain[global]
]

Maybe i don't understood. I tried to add this email to the team in google console. How should I add email from service account in my GA account. 

четверг, 28 июня 2012 г., 19:46:19 UTC+4 пользователь Nick написал:

NgocLung

unread,
Jul 13, 2012, 12:56:16 AM7/13/12
to google-analytics...@googlegroups.com
Hi Sergey C,

I had used Service Account for Google Analytics, and get token and get data from google analytics in ruby. It's work for me.
You can try to setup Google Analytics to work with your newly created Service Account:
        -Open Admin section of Google Analytics
        -Click on Users and create a new user in Analytics with the e-mail address provided by the Google API Service Account
I had done state above. and i resolve error 403.

Nick

unread,
Jul 13, 2012, 1:32:19 AM7/13/12
to google-analytics...@googlegroups.com
The service account acts as a fake Google Account. So you need to add the email in the apis console as an "user" in the Google Analytics account.

-Nick

Sergey C.

unread,
Jul 13, 2012, 7:53:13 AM7/13/12
to google-analytics...@googlegroups.com
It's works Thanks
Message has been deleted

BMI Automatisering

unread,
Aug 29, 2012, 7:12:16 AM8/29/12
to google-analytics...@googlegroups.com
Hello NgocLung,
 
We have a Google Analytics account containing a list of subaccounts. Where do I add the service account to? I've tried to add the service account to 1 of my subaccounts, but I still het the insufficientPermissions error.

Martín Tonelli

unread,
Jan 11, 2013, 2:31:37 PM1/11/13
to google-analytics...@googlegroups.com
Yesss.. it's works adding email address of de Google Service in Google Analytics Account users.
Thanks Nick

On Friday, July 13, 2012 8:53:13 AM UTC-3, Sergey C. wrote:
It's works Thanks

martbrow

unread,
Jan 22, 2013, 4:59:24 PM1/22/13
to google-analytics...@googlegroups.com
Although service accounts linked to an analytics account allow you to retrieve data - you cannot retrieve or pass advanced segments to limit the data returned.

Google.Apis.Requests.RequestError
User does not have sufficient permissions for this advanced segment.
[403]

If the nnn...@developer.gserviceaccount.com account is an administrator against the profile - I'd expect to be able to get the advanced segment data.  As you cannot login to google analytics to setup advanced segments that belong to the user you cannot work around it in that fashion.

Dynamic could be an option - but then you'd need to try and keep 2 definitions in sync for an expression.

Kamran Shahid

unread,
May 8, 2013, 2:08:51 AM5/8/13
to google-analytics...@googlegroups.com
Thanks a lot guys,
It ended up with adding user with administrator rights for this email

Raaj Nishanth S

unread,
Jul 3, 2013, 5:32:47 AM7/3/13
to google-analytics...@googlegroups.com
I tried adding the email to my GA account and i also gave it admin access, but i still get the following error
Error calling GET https://www.googleapis.com/analytics/v3/management/accounts: (403) Insufficient Permission

Is there any other solution to this?

Kam S

unread,
Aug 20, 2013, 7:33:28 AM8/20/13
to google-analytics...@googlegroups.com
I am having the same issue. Please share it when someone find the solution.
Message has been deleted

Evolvan

unread,
Sep 24, 2013, 6:39:33 AM9/24/13
to google-analytics...@googlegroups.com

Thank you so much....BMI Automatisering

Hannes Stessl

unread,
Dec 24, 2013, 4:21:23 AM12/24/13
to google-analytics...@googlegroups.com
Check if you are using the Client-ID + Secret + URI + Dev Key = 403.. Kick the Dev Key or vice versa.. The HelloAnalyticsApi script tempts to fill out everything :)


Hannes
Reply all
Reply to author
Forward
0 new messages