Issue Authenticating CM360 API Requests via Service Account
35 views
Skip to first unread message
Bryan Tsiliacos (xWF)
Apr 10, 2025, 4:07:10 PMApr 10
to Google's Campaign Manager 360 API Forum
Hi CM360 API Support Team,
We’re running into an issue with authenticating our requests to the Campaign Manager 360 API using a service account, and I was hoping you could help us troubleshoot.
We’ve followed the instructions here: https://developers.google.com/doubleclick-advertisers/service_accounts, since our goal is to connect to multiple CM360 accounts (owned by different clients) using one service account. Specifically, we’re following this recommended approach:
"If your users reside on different domains, implement using a service account as a Campaign Manager 360 user... by creating a new user profile on each account and associating them all with a single service account."
Here’s what we’ve done:
1. Created a service account in our GCP project
2. Shared the service account email with our customer, who created a CM360 user profile using that email
3. Implemented the server-to-server OAuth 2.0 flow using the service account
The user profile ID linked to the service account is 10179913, and it has all necessary permissions to upload offline conversions.
However, when we try to authenticate, we’re seeing the following error: request = service.accountUserProfiles().list(profileId=10179913) request.execute()
Error: HttpError 401: Failed to authenticate. Google account cannot access the user profile/account requested.
Could you confirm whether we should be using the profile ID of the account that initially linked the service account (i.e. the one that created the CM360 user profile), rather than the one specifically created for the service account email?
Let us know what’s expected or if we might be missing anything.
Thanks so much!
-Bryan
We’re running into an issue with authenticating our requests to the Campaign Manager 360 API using a service account, and I was hoping you could help us troubleshoot.
We’ve followed the instructions here: https://developers.google.com/doubleclick-advertisers/service_accounts, since our goal is to connect to multiple CM360 accounts (owned by different clients) using one service account. Specifically, we’re following this recommended approach:
"If your users reside on different domains, implement using a service account as a Campaign Manager 360 user... by creating a new user profile on each account and associating them all with a single service account."
Here’s what we’ve done:
1. Created a service account in our GCP project
2. Shared the service account email with our customer, who created a CM360 user profile using that email
3. Implemented the server-to-server OAuth 2.0 flow using the service account
The user profile ID linked to the service account is 10179913, and it has all necessary permissions to upload offline conversions.
However, when we try to authenticate, we’re seeing the following error: request = service.accountUserProfiles().list(profileId=10179913) request.execute()
Error: HttpError 401: Failed to authenticate. Google account cannot access the user profile/account requested.
Could you confirm whether we should be using the profile ID of the account that initially linked the service account (i.e. the one that created the CM360 user profile), rather than the one specifically created for the service account email?
Let us know what’s expected or if we might be missing anything.
Thanks so much!
-Bryan
DCM API (DoubleClick Campaign Mgr)
Apr 10, 2025, 6:42:52 PMApr 10
to google-doubleclick-...@googlegroups.com
Hi Bryan,
Thank you for reaching out to the DCM API support team.
Can you confirm that you are using the same user email while creating credentials in the GCP and authenticating with the DCM Account? The error which you are encountering is usually triggered when the authenticated service account is trying to access a CM360 user profile or advertiser account it doesn't have access to. You should always use the user profile ID that was explicitly created for the service account email within each client's CM360 account.
If your users are on different domains, the recommended approach is to use a service account as a Campaign Manager 360 user. This allows you to connect to multiple accounts owned by various agencies by creating a separate user profile for the service account within each account. Then, I would recommend you to refer to this Configuring and using a service account guide for more details while using service accounts. Additionally, I would request you to share the following details to investigate further:
Thanks,
Feedback
How was our support today?
Thank you for reaching out to the DCM API support team.
Can you confirm that you are using the same user email while creating credentials in the GCP and authenticating with the DCM Account? The error which you are encountering is usually triggered when the authenticated service account is trying to access a CM360 user profile or advertiser account it doesn't have access to. You should always use the user profile ID that was explicitly created for the service account email within each client's CM360 account.
If your users are on different domains, the recommended approach is to use a service account as a Campaign Manager 360 user. This allows you to connect to multiple accounts owned by various agencies by creating a separate user profile for the service account within each account. Then, I would recommend you to refer to this Configuring and using a service account guide for more details while using service accounts. Additionally, I would request you to share the following details to investigate further:
- DCM Account ID: You can locate this under your profile icon in the Campaign Manager 360 UI or in the Account section, which is found under the Admin drop-down.
- The service account email ID which is linked to your DCM profile ID (10179913).
- URL endpoint request along with the path parameters.
- The complete JSON request and response logs.
Thanks,
 |
DCM API Team |
Feedback
How was our support today?
[2025-04-10 22:42:40Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01pSYDy:ref" (ADR-00299485)
DCM API (DoubleClick Campaign Mgr)
Apr 10, 2025, 6:43:53 PMApr 10
to google-doubleclick-...@googlegroups.com
Hi Bryan,
Thank you for reaching out to the DCM API support team.
Thank you for reaching out to the DCM API support team.
Please ignore my previous email.
Can you confirm that you are using the same user email while creating credentials in the GCP and authenticating with the DCM Account? The error which you are encountering is usually triggered when the authenticated service account is trying to access a CM360 user profile or advertiser account it doesn't have access to. You should always use the user profile ID that was explicitly created for the service account email within each client's CM360 account.
If your users are on different domains, the recommended approach is to use a service account as a Campaign Manager 360 user. This allows you to connect to multiple accounts owned by various agencies by creating a separate user profile for the service account within each account. Then, I would recommend you to refer to this Configuring and using a service account guide for more details while using service accounts. Additionally, I would request you to share the following details to investigate further:
- DCM Account ID: You can locate this under your profile icon in the Campaign Manager 360 UI or in the Account section, which is found under the Admin drop-down.
- The service account email ID which is linked to your DCM profile ID (10179913).
- URL endpoint request along with the path parameters.
- The complete JSON request and response logs.
You can send the details via Reply privately to the author option, or direct private reply to this email.
Thanks,
|
DCM API Team |
Feedback
How was our support today?
[2025-04-10 22:43:46Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01pSYDy:ref" (ADR-00299485)
Bryan Tsiliacos
May 13, 2025, 2:09:08 PMMay 13
to DCM API (DoubleClick Campaign Mgr), google-doubleclick-...@googlegroups.com
Hi there, and apologies for the delay! Here's the information you requested:
- DCM Account ID: 1079725 (For context: This is the client's CM360 ID. We're building an integration that will allow them to push offline conversion events from their data warehouse to their CM360 account via our platform.)
- Service Account Email ID (linked to DCM Profile ID 10179913): 7163733117...@developer.gserviceaccount.com
- Endpoint and Request Details: We're using the official Google SDK, so we don’t have raw JSON request/response logs. However, below are the relevant SDK calls and the first-level serialization of the requests generated by the SDK:
def get_user_profiles(
path_to_service_account_json_file='./local/creds/compute_credentials.json',
impersonation_email=None
):
# Authenticate using the supplied service account credentials
http = authenticate_using_service_account(
path_to_service_account_json_file,
impersonation_email
)
# Construct a service object via the discovery service.
service = discovery.build('dfareporting', 'v4', http=http)
try:
# Construct the request.
# request = service.userProfiles().list()
request = service.accountUserProfiles().list(profileId=8641833)
# request = service.accounts().list(profileId=8641833)
# Execute request and print response.
response = request.execute() # this function throws the 401 error
resp = []
for profile in response['items']:
print('Found user profile with ID %s and user name "%s".' %
(profile['profileId'], profile['userName']))
resp.append({
'profileId': profile['profileId'],
'userName': profile['userName']
})
return resp
except client.AccessTokenRefreshError:
print('The credentials have been revoked or expired, please re-run the '
'application to re-authorize')
// the request variable gets serialized to dict as follows:
{
'uri': 'https://dfareporting.googleapis.com/dfareporting/v4/userprofiles/8641833/accountUserProfiles?alt=json',
'method': 'GET',
'body': None,
'headers': {
'accept': 'application/json',
'accept-encoding': 'gzip, deflate',
'user-agent': '(gzip)',
'x-goog-api-client': 'gdcl/2.83.0 gl-python/3.8.18'},
'methodId': 'dfareporting.accountUserProfiles.list',
'http': '< httplib2.Http object at 0x11010ae50 >',
'postproc': '< bound method BaseModel.response of < googleapiclient.model.JsonModel object at 0x11011fb50 >>',
'resumable': None,
'response_callbacks': [],
'_in_error_state': False,
'body_size': 0, 'resumable_uri': None,
'resumable_progress': 0,
'_rand': "< built - in method random of Random object at 0x155037e10 >"
}
// response
{
'resp': {
'vary': 'Origin, X-Origin, Referer',
'content-type': 'application/json; charset=UTF-8',
'date': 'Mon, 05 May 2025 23:51:54 GMT',
'server': 'ESF',
'x-xss-protection': '0',
'x-frame-options': 'SAMEORIGIN',
'x-content-type-options': 'nosniff',
'alt-svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000',
'transfer-encoding': 'chunked',
'status': '401',
'content-length': '439',
'-content-encoding': 'gzip'
},
'content': b'{\n "error": {\n "code": 401,\n "message": "1075 : Failed to authenticate. Google account can not access the user profile/account requested.",\n "errors": [\n {\n "message": "1075 : Failed to authenticate. Google account can not access the user profile/account requested.",\n "domain": "global",\n "reason": "authError",\n "location": "Authorization",\n "locationType": "header"\n }\n ]\n }\n}\n',
'uri': 'https://dfareporting.googleapis.com/dfareporting/v4/userprofiles/8641833/accountUserProfiles?alt=json',
'error_details': [
{'message': '1075 : Failed to authenticate. Google account can not access the user profile/account requested.',
'domain': 'global', 'reason': 'authError', 'location': 'Authorization', 'locationType': 'header'}
],
'reason': '1075 : Failed to authenticate. Google account can not access the user profile/account requested.'
}
path_to_service_account_json_file='./local/creds/compute_credentials.json',
impersonation_email=None
):
# Authenticate using the supplied service account credentials
http = authenticate_using_service_account(
path_to_service_account_json_file,
impersonation_email
)
# Construct a service object via the discovery service.
service = discovery.build('dfareporting', 'v4', http=http)
try:
# Construct the request.
# request = service.userProfiles().list()
request = service.accountUserProfiles().list(profileId=8641833)
# request = service.accounts().list(profileId=8641833)
# Execute request and print response.
response = request.execute() # this function throws the 401 error
resp = []
for profile in response['items']:
print('Found user profile with ID %s and user name "%s".' %
(profile['profileId'], profile['userName']))
resp.append({
'profileId': profile['profileId'],
'userName': profile['userName']
})
return resp
except client.AccessTokenRefreshError:
print('The credentials have been revoked or expired, please re-run the '
'application to re-authorize')
// the request variable gets serialized to dict as follows:
{
'uri': 'https://dfareporting.googleapis.com/dfareporting/v4/userprofiles/8641833/accountUserProfiles?alt=json',
'method': 'GET',
'body': None,
'headers': {
'accept': 'application/json',
'accept-encoding': 'gzip, deflate',
'user-agent': '(gzip)',
'x-goog-api-client': 'gdcl/2.83.0 gl-python/3.8.18'},
'methodId': 'dfareporting.accountUserProfiles.list',
'http': '< httplib2.Http object at 0x11010ae50 >',
'postproc': '< bound method BaseModel.response of < googleapiclient.model.JsonModel object at 0x11011fb50 >>',
'resumable': None,
'response_callbacks': [],
'_in_error_state': False,
'body_size': 0, 'resumable_uri': None,
'resumable_progress': 0,
'_rand': "< built - in method random of Random object at 0x155037e10 >"
}
// response
{
'resp': {
'vary': 'Origin, X-Origin, Referer',
'content-type': 'application/json; charset=UTF-8',
'date': 'Mon, 05 May 2025 23:51:54 GMT',
'server': 'ESF',
'x-xss-protection': '0',
'x-frame-options': 'SAMEORIGIN',
'x-content-type-options': 'nosniff',
'alt-svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000',
'transfer-encoding': 'chunked',
'status': '401',
'content-length': '439',
'-content-encoding': 'gzip'
},
'content': b'{\n "error": {\n "code": 401,\n "message": "1075 : Failed to authenticate. Google account can not access the user profile/account requested.",\n "errors": [\n {\n "message": "1075 : Failed to authenticate. Google account can not access the user profile/account requested.",\n "domain": "global",\n "reason": "authError",\n "location": "Authorization",\n "locationType": "header"\n }\n ]\n }\n}\n',
'uri': 'https://dfareporting.googleapis.com/dfareporting/v4/userprofiles/8641833/accountUserProfiles?alt=json',
'error_details': [
{'message': '1075 : Failed to authenticate. Google account can not access the user profile/account requested.',
'domain': 'global', 'reason': 'authError', 'location': 'Authorization', 'locationType': 'header'}
],
'reason': '1075 : Failed to authenticate. Google account can not access the user profile/account requested.'
}
--
You received this message because you are subscribed to the Google Groups "Google's Campaign Manager 360 API Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-doubleclick-for-ad...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-doubleclick-for-advertisers-api/7zX1x000000000000000000000000000000000000000000000SUIXSY00xXjbDThdTPatok8m9dCHjA%40sfdc.net.
DCM API (DoubleClick Campaign Mgr)
May 13, 2025, 4:16:23 PMMay 13
to tsil...@xwf.google.com, google-doubleclick-...@googlegroups.com
Hi,
I’ve checked the DCM account 1079725 and I can see that all the user profiles associated with the above account are capable of making API calls. The error that you’re experiencing is related to the Google account that you are using in making API calls. Thus, could you please verify if you are using an installed application type: other for authentication?
You can check the following links to help you fix the issue:
Thanks,
I’ve checked the DCM account 1079725 and I can see that all the user profiles associated with the above account are capable of making API calls. The error that you’re experiencing is related to the Google account that you are using in making API calls. Thus, could you please verify if you are using an installed application type: other for authentication?
You can check the following links to help you fix the issue:
- https://developers.google.com/doubleclick-advertisers/getting_started#credentials
- https://developers.google.com/doubleclick-advertisers/service_accounts
Thanks,
|
DCM API Team |
Feedback
How was our support today?
[2025-05-13 20:16:13Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01pSYDy:ref" (ADR-00299485)
Bryan Tsiliacos
May 14, 2025, 1:00:40 PMMay 14
to DCM API (DoubleClick Campaign Mgr), google-doubleclick-...@googlegroups.com, rotola.a...@growthloop.com
Hi,
I believe there may be some confusion around the authentication method we’re using for our requests. Cc’ing my colleague Rotola, who is the lead engineer on the project and can provide more context.
Best,
Bryan
DCM API (DoubleClick Campaign Mgr)
May 20, 2025, 3:23:49 PMMay 20
to tsil...@xwf.google.com, google-doubleclick-...@googlegroups.com, rotola.a...@growthloop.com
Hi,
I have raised your concern with the rest of our team and one of my teammates will reach out to you once we have an update. Meanwhile, your patience is appreciated. ,
I have raised your concern with the rest of our team and one of my teammates will reach out to you once we have an update. Meanwhile, your patience is appreciated. ,
Thanks,
Feedback
How was our support today?
|
DCM API Team |
Feedback
How was our support today?
[2025-05-20 19:23:42Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01pSYDy:ref" (ADR-00299485)
DCM API (DoubleClick Campaign Mgr)
Jun 3, 2025, 4:27:58 PMJun 3
to google-doubleclick-...@googlegroups.com, tsil...@xwf.google.com, rotola.a...@growthloop.com
Hi,
After reviewing your concern, we've noticed that your profile doesn't have admin access. Additionally, by looking at your user profile, it appears to be under the "Floodlight Read/Write" user role, which does not have access to user profiles.
Regarding the questions you mentioned, "Is Step 4 getting its own user profile a required workflow step?" if this is indeed a required workflow step, then this user profile needs to be linked to a user role that has at least read-only permission for user profiles.
Thanks,
|
DCM API Team |
Feedback
How was our support today?
[2025-06-03 20:27:51Z GMT] This message is in relation to case "ref:!00D1U01174p.!500Ht01pSYDy:ref" (ADR-00299485)
Reply all
Reply to author
Forward
0 new messages