I am developing a web-based application using Google API. I am using server-to-server which is obviously with a service account. I am almost done.
I can now insert new users through Google api. I can even create and/or give newly created users access to a Team Drive through Google API. Meaning, I have a service-account that can impersonate all domain users.
The Problem:
But why am I getting errors when trying to impersonate a user through Gmail API? I need to add Gmail Labels and Filters to newly created users but I am getting an error message stating "Deligation denied". Am I missing something?
Obviously I have a working service-account settings already with proper scopes in G Suite. I guess userID "me" is not an option since my application needs to impersonate a newly created G Suite user. Please correct me if I am wrong.
$service = new \Google_Service_Gmail($this->client($scopes));
$serviceLabel = new \Google_Service_Gmail_Label();
$serviceLabel->setLabelListVisibility('labelShow');
$serviceLabel->setMessageListVisibility('show');
$serviceLabel->setName($label_name);
try {
$resp = $service->users_labels->create($email, $serviceLabel);
} catch (Google_Service_Exception $e) {
return false;
}
Here is the error I am getting
{#398 ▼
+"statusCode": 403
+"errors": array:1 [▼
0 => array:3 [▼
"domain" => "global"
"reason" => "forbidden"
"message" => "Delegation denied for service-account-user#domain.com"
]
]
+"message": """
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Delegation denied for service-account-user#domain.com"
}
],
"code": 403,
"message": "Delegation denied for service-account-user#domain.com"
}
}
"""
}
A Gmail Label is expected to be added automatically for each user being created through the application.
Related
I tried to connect this package and I follow all the steps
https://github.com/spatie/laravel-analytics#how-to-obtain-the-credentials-to-communicate-with-google-analytics
I keep getting this error:
Google_Service_Exception
{ "error": { "code": 403, "message": "User does not have sufficient permissions for this profile.", "errors": [ { "message": "User does not have sufficient permissions for this profile.", "domain": "global", "reason": "insufficientPermissions" } ] } }
I use the Account Settings / Account Id
my account id have 9 number no letters
The error talks about Profile not Account, so you need to use View ID instead Account ID.
On my file analytics.php
return [
/*
* The view id of which you want to display data.
*/
'view_id' => env('ANALYTICS_VIEW_ID'),
I change the
'view_id' => 11111111,
I put the direct number
you need to hit : https://analytics.google.com/analytics/web/#/usersettings then search All website data(XXXXXXXXX) and past it in view ID
I have dug through most of stackoverflow posts to find an answer but still unable to solve this problem. This is just a simple matter of authing into the gmail api but I want to do it in a server so I need to follow the server-server (OAuth2.0 2 legged procedure). Anyways
I have gone through all the oauth docs in google api .
This one is spot on but it does no good.
https://developers.google.com/gmail/api/auth/web-server.
I have a service account and I do have the creds file.
here is my code snippet.
def call_gmail():
SCOPES = ['https://www.googleapis.com/auth/gmail.readonly']
SERVICE_ACCOUNT_FILE = '<creds_file>'
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
print(credentials)
service = build('gmail', 'v1', credentials=credentials)
messages = ListMessagesMatchingQuery(service, "me", "<Some email address>")
message_id = messages[0]['id']
I keep getting this error:
An error occurred: <HttpError 400 when requesting https://www.googleapis.com/gmail/v1/users/me/history?startHistoryId=2547406&alt=json returned "Bad Request">
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
Would be very grateful if someone can help me solve this. thanks.
The gmail api only works with service accounts if its a Gsuite account and you have set up domain-wide delegation. Contact your Gsuite admin and make sure that they have setup delegation properly.
delegating authority
I am trying to programatically access a calendar I own using the Google Calendar API list:
r = requests.get(
url="https://www.googleapis.com/calendar/v3/calendars/<the ID of my calendar which looks like mydomain_randomstuff#group.calendar.google.com>/events",
params={
'key': <the key from the API console>,
'singleEvents': True,
'orderBy': 'startTime'
}
This call fails with a 404:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Not Found"
}
],
"code": 404,
"message": "Not Found"
}
}
What does that error actually mean, in the context of this API?
Note:
the calendar does exist and it has events
the API limits are not even close to be reached
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Not Found"
}
],
"code": 404,
"message": "Not Found"
}
}
Can mean one of two things. Either the calendar Id you have typed is in correct or the user who you are authenticated with does not have access to that calendar. Make sure you are logging in with the correct user with access to that calendar. Optionally you can do a calendar.list which will return a list of the calendars that the user currently has access to. That way you wont have to worry about possibly miss typing the calendar id.
authorization
The method you are using events.list requires authorization (permission from the user) in order to access their calendar. Which can be seen in the documentation page
You need to authncate your user using Oauth2 and one of the scopes above. You will then have an access token you can use to access this calendar.
apikey
Api keys are used for accessing public data. Unless your calendar is set to public you will not be able to use it to see events. Also remember that api keys do not have access to update public calendars you still need to be authenticated to make changes to them.
Service account
If this is a server to server application you should use a service account not an API key. All you need to do is add the service account as a user on the google calendar like you would any other user. It will then have access to your calendar.
I am using google drive api v3. I can login using this api and can view and search all the folders in my drive. But I am not able to create a folder in my drive using the drive api. It shows error of "code:403 - Insufficient Permission".
My Code:
$fileMetadata = new Google_Service_Drive_DriveFile(array(
'title' => 'Invoices',
'mimeType' => 'application/vnd.google-apps.folder'));
$file = $drive->files->create($fileMetadata, array(
'mimeType' => 'application/vnd.google-apps.folder'));
printf("Folder ID: %s\n", $file->id);
Error:
Fatal error: Uncaught Google_Service_Exception: { "error": { "errors": [ { "domain": "global", "reason": "insufficientPermissions", "message": "Insufficient Permission" } ], "code": 403, "message": "Insufficient Permission" } }
Please help me with this...
It means that you don't have write access to the file and the app is trying to modify that file.
Here is a reference of your error.
Suggested action: Report to the user that there is a need to ask for
those permissions in order to update the file. You may also want to
check user access levels in the metadata retrieved by files.get and
use that to change your UI to a read only UI.
To create permission, here is a reference to create permission for a file.
Upon the request, you also need authorization with at least one of the following scopes (read more about authentication and authorization).
Hope it helps.
Hi am trying to build an app to standardized signatures of all users in my google domain.
For that I have tried with following Google APIs in apis explorer
https://developers.google.com/apis-explorer/?hl=en_US#p/gmail/v1/gmail.users.settings.sendAs.patch
and pass other user's Id and email with custom signature but it's giving me following error
REQUEST
<pre>
PATCH https://www.googleapis.com/gmail/v1/users/[21_DIGIT_USER_ID]/settings/sendAs/[SOME_OTHER_USER#DOMAIN.COM]?fields=signature&key={YOUR_API_KEY}
{
"signature": "my custom signature"
}
</pre>
RESPONSE
<pre>
403 Forbidden
- Show headers -
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Delegation denied for myemailid#mydomain.com"
}
],
"code": 403,
"message": "Delegation denied for myemailid#mydomain.com"
}
}
</pre>
Although I have delegated admin access and I am able to change my user's signature by passing me in userId field and email id in sendAsEmail.
What's the use of userId field if an delegated admin can't change other user's signature.