I am trying to create a simple node app and I using service account to automate the OAuth Flow. While am able to successfully do this, am not able to retrieve the report from Google Analytics using this service account. I get the following error message,
{
"error": {
"code": 403,
"message": "User does not have any Google Analytics account.",
"status": "PERMISSION_DENIED"
}
}
I can't add this service account to the Analytics account as my owner account (under which I created this service account) has only read-only access. So how do I proceed? How can I grant this service account the same read-only access as my owner account? When I login into Google Analytics using my owner account, I am not able to perform any User Management as it has limited access.
Please help me on how to proceed here.
Thanks
If using a service account, there is no way to proceed other than finding someone with user management permissions and have him add the account.
It is hard to see why you would expect it to be otherwise; the purpose of the permission system is to prevent unauthorized access, and it would do a pretty poor job if it suddenly allowed you to exceed your privileges by adding a user.
As per the answer from Eike, you cannot add a Service Account if you lack the permissions to do so.
There is an alternative approach which allows you to use your own account, i.e. no service accounts anywhere. This basically involves you obtaining a Refresh Token, and using that to authenticate your access. You can follow the steps at How do I authorise an app (web or installed) without user intervention? (canonical ?) to do this.
Related
I am using Google Analytics 4. I have created the json file for the service account, and got the email address. This email was added to my users as Admin in the Account Access Management, yet I am still getting the error that I do not have sufficient permissions for this profile.
Any idea what am I doing wrong please?
I have hundreds of individual analytics accounts right now which I would like to have API access to. Normally, you can just go to the admin page of an account and give access to the service account by entering the service account email. The problem I am having is that I have hundreds of accounts. I'd really not like to add my service email to each account manually. Is there a way I can have access to each analytics account through API without manually entering my email under each account?
This probably isn't helpful...but if you have someone that can work with python/selenium or Winautomation, this would be a straightforward task.
The only way is through a google account that already has access to all the analytics accounts that interest you.
Hi generated secret file using OAuth 2.0 client ID. In that secret file, I do not see any google mail address to authenticate or access permissions to that mail address. Still facing below error.
Arg, there was an API error : 403 : User does not have sufficient permissions for this profile.
How come I know, to which user, we do not have sufficient previliges?
Please help me with this
You have created an Oauth2 client for use with your application. When the application runs a user will need to login using their Google account and grant the application (client) access to their data. I have an article that explains how google oauth2 works if you are interested. Oauth2 for beginners
User does not have sufficient permissions for this profile.
Means that the user you have authenticated with does not have access to the Google Analytics profile you are trying to request data form. Try doing an Accountsummires.list this will return a list of the Google Analytics accounts that the current authenticated user has access to and the ones you will be able to request data from.
Question: How come I know, to which user, we do not have sufficient privileges?
You have a profile id you are trying to access find someone who has access to that profile and have them run your application. When they have logged in and authenticated they will be able to see the data.
I'm trying to get a list of groups for a domain in Google Api (https://developers.google.com/admin-sdk/directory/v1/reference/groups/list).
I'm using "domain wide delegation", and have a service account from which the web app makes all its requests to Google.
The admin-sdk requires the requesting user to be an administrator, so i'm impersonating a admin user on the given domain.
This works fine with (https://developers.google.com/admin-sdk/directory/v1/reference/users/get), but when I'm trying to use the group api, it fails like this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
I have checked the the permissions from the domain administrator have been delegated to the service account. And I have also checked that i can access the list of groups, while being logged in as the domain administrator.
Any help or hints is highly appreciated.
Thanks in advance
You will need to add the scope for reading groups.
First, make sure that you properly followed the steps here in this documentation including this steps on how to Instantiate an Admin SDK Directory service object.
It is important because this one shows you how to make API requests using OAuth 2.0 and your service account's credentials to perform Google Apps Domain-wide delegation.
For more information, check these related SO questions:
Google_Service_Directory - (403) Not Authorized to access this resource/api
Received error “Not Authorized to access this resource/api” when trying to use Google Directory API and Service Account Authentication
I want to be able to access other users Google Calendars through a service account so I am not prompted for authorization. I am doing this in a simple .net c# console app. When I attempt to create my credentials in the Google API Manager, it gives me the following alert when I specify I am using a non UI app and I want to access User Data. Isn't the purpose of using the service account to access other users data without a UI?
"User data cannot be accessed from a platform without a UI because it requires user interaction for sign-in."
You may have misunderstood the meaning of using a service account to impersonate a user. To help you with Authentication, you might want to check this tutorial : Google Calendar API Authentication with C# by Daimto.
Things to take note of :
To be able to access other calendars by service account, users who own the calendar should share it to the service account.
To impersonate a user, you must know the email address.
From the tutorial:
If you are only accessing data that you own there is no reason to ask a user for permission to access it. You can use a Service account. (Privacy)
If you want to be able to access data owned by someone else you will need to be authenticated.
Hope this helps!