I am trying to use the Google Play Developer API to automate APK submissions via a Service Account.
The question is, how do I give my project (and my service account) OUTSIDE of this play account, API access to manage apps?
Use case and example:
Each of my clients has their own Google Play account where their app(s) live. Apps used to be all in one big account, but for many reasons (Google pushing to separate being the highest) they are now broken up.
Let's say there are 2 Google Play accounts, A and B. Traditionally, each of these accounts grant my physical email user (me#gmail.com) "Release manager" access to each of their accounts. My email/user is OUTSIDE of account A and B. This works fine.
I now want to automate this process. I go to the developer API console for me#gmail.com, enable "Google Play Android Developer API" and create an OAuth2 service account (gives it an email of blah#developer.gserviceaccount.com). I then tell clients to go into accounts (A and B) and tell them to give blah#developer.gserviceaccount.com "Release manager" access.
I make an API call and get
The project id used to call the Google Play Developer API has not been linked in the Google Play Developer Console
API calls do work if I go into account A and account B under Google Play Developer Console > Settings > API access, and make service accounts for each. It makes an entry in "User accounts & Rights" for this service user's email, then links a SINGLE project ID that MUST be owned by the Google Play account.
Questions:
How do I add a service account that is NOT defined in Settings > API access?
Why is there only the ability to link 1 project?
You can give outside email addresses full perms, but you can NOT give an outside service account email API access? The current design is not any more secure. In fact, it seems to go against most of the benefit of the API, and against the grain of account isolation that Google has been pushing.
Related
I have a server-side application that needs to access every user's Gmail data in a Google Workspace organization. I want to publish a public listing on the Google Workspace Marketplace that is installable domain-wide by the super admin user and gives the server-side application the permissions to access the Gmail data of the users in that domain.
From my current understanding, we need a service account with impersonation to access each user's data. On top of that, the service account needs to be delegated domain-wide authority, so that users do not need to give individual OAuth consent or their passwords.
When publishing the app using the marketplace SDK I see that there is a field for service account credentials:
I see that the current Marketplace SDK has a field that accepts service account credentials.
But when my app is published and I install it and go to check the app's data access, I can only see fields for the scopes and the OAuth clients.
My questions:
Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app? Will the service accounts have the same email and unique ID for everyone who installs the publicly listed app?
If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
If (1) is true, is it automatically granted access unlike the OAuth clients and scopes?
If (1) is true, are the service accounts automatically delegated domain-wide on install, or do we have to provide the person who installed the marketplace app with the service accounts' unique IDs so they can manually delegate the scopes domain-wide?
I reviewed some Google public documentation related to Service Accounts & here's what I have found that may answer your questions:
Question 1
Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app?
Answer
No
Note: The CREDENTIALS tab that you see on the Google Workspace Marketplace SDK page is only an overview of credentials you have created for the GCP Project & NOT necessarily only for that service/API.
Service Accounts are created within a specific GCP Project & that project is where you will enable the Google APIs/Services that your application needs. Google Workspace Marketplace SDK is being described as:
“A toolkit that lets you create and control your app listing on the Google Workspace Marketplace, or for Chat apps, in Google Chat.” (Source)
So, this Google Workspace Marketplace SDK doesn’t necessarily use a Service Account to authenticate & be called in your app. However, when you set up a Service Account for your app, you'll need to create a Google Workspace Marketplace OAuth Client & this OAuth Client is associated with that Service Account. This is needed to support Google Workspace Marketplace domain-wide installation.
Setting up the Google Workspace Marketplace OAuth Client from the GCP console:
Follow-up Question
Will the service accounts have the same email and unique ID for everyone who installs the publicly listed app?
Answer
Yes. In theory, it should be.
Question 2
If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
Answer
You have to review the official Google documentation for OAuth & Service account.
Based on the official documentation, this is the overview:
Create a service account for your project
Delegate domain-wide access to the service account
Your application prepares to make authorized API calls using the service account's credentials. (This is regardless of how many users install & use your app)
That API call will request an access token from the OAuth 2.0 auth server.
Your application will then be able to use the access token to call Google APIs (which in your case uses Gmail API).
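The token request from the overview above, written out as an added example (not code from the answer or from Google's client libraries). It builds the JWT-bearer assertion in which `sub` names the impersonated user, so one service account identity yields a separate, scope-limited token per user. The account names are constructed, and `sign` is a hypothetical caller-supplied function that produces the RS256 signature with the service account's private key.

```python
import base64, json, time
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # the assertion may be valid for at most one hour


def b64url(data):
    """Unpadded base64url, the encoding JWS uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, user_email, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set for one impersonated user; `sub` is what makes it delegation."""
    if not scopes:
        raise ValueError("request at least one scope")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be 1..3600 seconds")
    iat = int(time.time() if now is None else now)
    return {"iss": sa_email, "sub": user_email, "scope": " ".join(scopes),
            "aud": TOKEN_URL, "iat": iat, "exp": iat + lifetime}


def build_token_request(claims, sign):
    """Form body to POST to TOKEN_URL. `sign` (an assumption of this example)
    takes the signing input as bytes and returns the RS256 signature."""
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"alg": "RS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(segments)
    signature = sign(signing_input.encode("ascii"))
    return urlencode({"grant_type": GRANT_TYPE,
                      "assertion": signing_input + "." + b64url(signature)})


def claims_from_request(body):
    """Decode the claim set back out of a request body, e.g. to review which
    user and scopes a logged token request asked for."""
    payload = parse_qs(body)["assertion"][0].split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    fake_sign = lambda data: b"not-a-real-signature"  # placeholder signer
    sa = "app@example-project.iam.gserviceaccount.com"  # constructed name
    for user in ("alice@customer.example", "bob@customer.example"):
        claims = build_claims(
            sa, user, ["https://www.googleapis.com/auth/gmail.readonly"])
        print(claims_from_request(build_token_request(claims, fake_sign))["sub"])
```

The token endpoint only issues a token for `sub` if the domain's admin has authorized the service account's client ID for every scope in the request, which is why keeping `scopes` narrow limits what a leaked key can reach.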
I'm developing a service that requires access to the Google Play Developer API on behalf of my users.
I created an API project of type Web Application. It can successfully request the users' androidpublisher permission using an OAuth consent screen. Based on the documentation, it should be able to make requests to the Google Play Developer API.
But requests to the API fail with the following error:
The project id used to call the Google Play Developer API has not been linked in the Google Play Developer Console.
From my understanding, the API Project needs to be linked to the Google Publisher Account from the Console (Settings -> API access -> Linked projects). However, the project doesn't appear in the list (since it's not owned by the user).
Is there any solution to this? Thanks!
There is not a solution to this. The only model the console supports for acting on behalf of developer users is for them to create the project in the Play Console, and you provide them a tool that they can use on their project.
I am trying to access Google play developer API https://developers.google.com/android-publisher/ to build an inapp purchase product for my company Application.
We have to get authorization to make a GET call to the Google play developer API. https://developers.google.com/android-publisher/api-ref/purchases/subscriptions/get
I followed the steps presented here. https://developers.google.com/android-publisher/authorization
Created an OAuth client and also a service account. The Gmail account I used was part of the 'Users and permissions' in play.google.com console.
But when I tried to access the API, I got an error
As I started searching about this error, I understood that there is something else called 'API Access' in play.google.com. When I tried to access it, all I saw was
But I saw in other posts that there exists a screen with details like
https://i.stack.imgur.com/Hdjjy.png
So how can I go forward to access the API? I did everything as mentioned in the Google documentation but it didn't work. Also, I don't have access to see the 'API Access' screen.
Also, I am confused: if you can create service accounts from both the 'API Access' screen and the 'credentials' screen in console.developers.com, which one should be used?
Just to check you understand there are a few different APIs to do with in-app purchases.
Play billing library is designed to be used in your app. This is what allows users to buy things from your app
Configuring in app products. When your app supports in-app products you have to support what the products are and the prices. This is done via the Play console, either manually or in batches uploading CSV files.
Finally is the API you refer to in your question. This is not designed for use in your app, and you don't have to use it to support in-app products. Instead this API allows your server (not app) to validate a user's purchase. In order to use this API, you need to enable the "API access" in the page you found. This can only be enabled by the account owner for the Play console, for security reasons. You will need to find the Owner of your Google Play account, and get them to log in and create a service account which has API access.
I am able to access it now. I am not the owner of the Google Play console. That was the issue. You just have to go to the API Access page and click on "create OAuth Client" or "create Service Account".
You can use those credentials to access API from postman or through your code.
I am just getting started with the Google Classroom API. I signed up for the developer test accounts and have 1 teacher account and 2 student accounts. I created a couple of classes and enrolled the 2 students in the classes. I want to use the API either via .NET or JavaScript. The prerequisites state that I need a Google Apps for EDU account with Google Classroom enabled. How do I get this? Also, I assume without having the Google Apps for EDU account I cannot perform the first step:
"a) Use this wizard to create or select a project in the Google Developers Console and automatically turn on the API. Click Continue, then Go to credentials."
When I perform this step when logged in under the teacher account I get an error:
Error
"Developers Console has not been activated for your account. Your account may be suspended or disabled. If you are a Google Apps user, ask your domain administrator to enable Apphosting Admin on your account."
To obtain a Google Apps for Education account, you have to register your domain (or buy one), and fill up this form.
When filling the form, you will get information about the requirements needed to get the account.
To create a project in the Developer Console, you can do it even from your Gmail account. After you have created the project, you can enable the Classroom API so your application can access it.
When you run the code, you will have to log in with a valid account (teacher or student). If you try to access the API with an invalid account you will get an error.
You can also use the Classroom API methods in the documentation. For example, the resource courses.list has a "try it" section, where you can try the API before creating any project. There you can see how it works.
I have created an app in the Google Apps Marketplace SDK and now I have the "Test Install Flow" button, which is fine. However, when I click it, a popup for business account signup appears and asks me to set up a real Google business account. How can I simply test it with the same developer account I have?
Had the same issue. It occurs when you first log in to Google with a non-Google Apps account (like a free Gmail account), after which Google Apps accounts are added (i.e. are logged in).
As Ben Clifford suggests in comments, one needs to be signed in first with a Google Apps account (after logging out completely). As a best practice, use Google Apps accounts in one web browser, and free Gmail account(s) in a different browser - to avoid further issues.
You have to test it with a Google Apps account. Apparently yours is not one of those, so they're asking you to sign up. If you have a different Google account that has Google Apps already, you can add that account to the project in Permissions -> Add Member, and then use "Test Install Flow" while logged in as that other account.