I am using Google Web master tools API v3 for Search Analytics. I am using Service Account to retrieve the analytics. I received following message.
(403) User does not have sufficient permission for site 'http://www.1800medexpress.com/'. See also: https://support.google.com/webmasters/answer/2451999.'
I added Service Account Email address also to the Web Master tools as owner. But still received same error.
I used PHP API Library.
I haven't tried but this should work.
In Webmaster tools for the website in question. upper right hand corner there is a cogwheel click on it go to Users and Property Owners click add a new user button add your service account email address.
Then try and run your code.
Service accounts need to be granted access to the data just like you would any other user by default they don't have access to your data.
Update:
By checking the documentation we can see that it is in fact possible to use a Service account with webmaster tools api it just needs to be set up properly. It may be an issue with your code or how you have set it up. Clod should probably be simlar to this. Service account with Google Calendar
A service account is used in an application that calls APIs on behalf
of an application that does not access user information. This type of
application needs to prove its own identity, but it does not need a
user to authorize requests. The Google Accounts documentation contains
more details about service accounts.
Related
My aim is it to write a php script that query all events from an existing google calendar of one specific google account.
The default scripts to do this works fine.
At the moment it works so: Request my php script --> it recognizes that is has no $_GET['code'] parameter --> redirect the browser to google for login --> after login google redirects back to my php script --> and the query on the calendar can be done
But what i want to do now: is that my php script performs the login into this specific google account with the username and password. I have and my script shell retrieve the $_GET['code'] parameter without any user interaction.
I have already spent lots of hours researching and testing but i have not found any solution yet.
Is that even possible? If it is there a way to pass these login datails (username and password) within the request to google authendication to the two-step login form?
In this thread is an hint to use service-accounts: Fatal error: Class 'Google_Auth_AssertionCredentials' not found
but i have not figured out how to do this.
Thanks in advance.
Logging in to a google account using username and password i was called client login. Google shut this down in 2015.
This is no longer an option. If you want to access private user data you need to use Oauth2 and request authorization as you are doing currently.
service accounts
Note: to clarify #CBroe statement in comments.
Service accounts only work with google calendar if you are using a google workspace domain accounts. You would need to configure domain wide delegation and set up the service account to impersonate a user on the domain.
For standard Gmail user accounts service accounts are not possible with google calendar api.
Finally i made it with a payd google workspace subscription.
At the moment i am not able to reconstruct all the steps but i can give a few hints and ressources that helped me.
Here is an official example for the usage of a service account:
https://github.com/googleapis/google-api-php-client/blob/main/examples/service-account.php
The templates/base.php file was not part of my composer installation so i had to deploy it myself. It also was necessary to adjust the path to my service-account-credentials-json-file.
Here is another thread about the same topic with some really good explanations:
Inserting Google Calendar Entries with Service Account
And then only thing that was missing in my configuration:
In the calendar settings i had to add the service accound id (with the # in it) to grant access to this service account.
For better understanding of the backgrounds i also refer to the comments in this thread.
Another hint: In the google workspace account i had to validate my domain and recreate the project with its credentials and service account.
I have created my service account, following the Google documentation as best I can. I created a JSON Key File and have used it successfully to create and refresh my access token, but when I try to call the Google Ads API using that access token I get a 401 with the message "User in the cookie is not a valid Ads user."
I am using a PHP cURL request, not the Google Client library.
My suspicion is that I have something set up incorrectly somewhere between the Master Ad account, the service account and the project in the Google Cloud Console, but I am finding the documentation confusing and unhelpful.
I submitted a question to the Google Ads API google group, and the support person said that my setup looked OK, but also admitted that he cannot see all of it from his end.
I have created the following pieces of the puzzle:
Google Ads Master Account
Developer Token
Project in Google Cloud Console
Service Account in Project
Private Key for Service Account
Set email of Master Ads Account to role of Owner of Service Account
Enabled Domain-Wide Delegation for the Service Account with scope "https://www.googleapis.com/auth/adwords"
Requested and received Access Token with the private key in the JSON file
Please let me know what extra details I should provide to get my issue resolved. Thanks in advance.
My error was that when I created my Access Token, I passed the Gmail account that owns the Google Ads Manager Account to the parameter $sub, but to access Google Ads API the Service Account must impersonate a user in the domain that is registered with the Google Workspace. This point is made in the documentation, but is rather understated.
To fix the issue I granted access to the Google Ads Manager Account to an email account in the Workspace domain, and passed that email address to $sub; now I have made a successful test call to the Google Ads API.
I attach an anonymized summary of my configuration in case it helps anyone who might be reading this in the future.
I've followed the google analytics tutorial and created a PHP file with and added service key. But now I get this error:
User does not have any Google Analytics account
For the website where I'm given the access to view the traffic data for, I'm not given access to add new user. But my email(gmail) already added to their google analytics and I have access.
I did research online and came across this: Analytics Google API Error 403: “User does not have any Google Analytics Account”
Here They ask to add the email created upon the service key generation into the google analytics platform. Since I don't have access to add new user I couldn't do this.
What is the correct way for me to read the data?
User does not have any Google Analytics account
Means exactly that. The user you are authenticating does not have access to any google analytics accounts. You need to remember that a service account is not you. A service account is like a dummy user. It has its on google drive account, Google calendar account and probably a bunch more.
Service accounts need to be pre approved this is why you dont get the normal pop up Oauth2 consent screen.
To do this you go to the google analtyics website under the admin section for the account you wish to access using the service account. At the account level take the service account email address and grant it access like you would any other user.
It will then have access to read from your Google analytics account.
Looks like you need access the analytics API but instead, you were just given access to the Google Analytics tool.
For you to use the google analytics api, you need to create a service account and ask your admin to add the service account to GA, just like how they added your account to GA.
detailed documentation
My boss registered an Google Analytics account and shared his website Analytics account with me.
Now I have the authority to see all data about the website. I want to use the Google Analytics API to request data from Google Analytics with my php script.
Authorization is done without any problems, until the script tries to access data. The return code is 403, and error message is :
User does not have any Google Analytics account。
This will depend on what method of authentication you are using.
Oauth2:
When your PHP script pops up and asks a user to authenticate the Google account the user users to authenticate must have access to a Google analytics account. In this case it doesn't. Note: the user is only going to be able to see there own Google Analytics data not date for your website unless your boss goes and grants them access as well.
service account:
In the event you are using a service account to authenticate. The service account by default doesn't have access to any Google Analytics accounts you need to grant it access just like your boss granted you access. Take the service account email address from Google Developer console and add it at the ACCOUNT level it must be the ACCOUNT level to the Google Analytics website. then the service account will have access to the data for that account.
I have created a server side application in PHP that's supposed to work with Google Spreadsheets.
I'm able to authenticate successfully with OAuth 2.0 authentication, but when requesting the list of the spreadsheets from Google, I only get the spreadsheets shared with the service account by the spreadsheet owner.
Is there a way that service account could retrieve all the spreadsheets owned by my main account not the service one, including those not explicitly shared with the service account?
Also I still want to keep the spreadsheets private so noone can access them without my permission, but I need the service account to have full access to both existing and new spreadsheets.
Any advice is appreciated.
Here is a sample script that uses a service account to read the contents of a Google Spreadsheet's sheet. Have a look at the README for instructions to set it up:
https://github.com/juampynr/google-spreadsheet-reader
You have to change approach:
Create a service account in Drive. You can manage and use this account only with the API (not with the web interface as usually)
With the Drive API you can list, create, update, delete and change the permissions of the files. When you create a new file, you can share it - always with API - to the users you want, make the new file public or change the ownership.
Please take a look: https://developers.google.com/drive/v2/reference/permissions
I am assuming you use Google Apps and not a personal GMail account. You can use your service account to impersonate your main account.
Note that here I am talking of a service account in the way Google means it : a private key (in p12 format) and an identifier. This is not a Google Apps account used for technical purposes. More information here.
This is done by :
Authorizing your service account on your Google Apps domain
Modify the code you use to generate the API credentials
The steps are exactly the same for the Spreadsheet API and for the Drive API.
To first authorize your service account to impersonate the domain users, you can follow this documentation. Here are the basic steps. You must be a domain super administrator to perform this task.
Go to your Google Apps domain’s Admin console : https://admin.google.com
Select Security from the list of controls. If you don't see Security listed, select More
controls from the gray bar at the bottom of the page, then select
Security from the list of controls.
Select Advanced settings from
the list of options.
Select Manage third party OAuth Client access
in the Authentication section.
In the Client name field enter the
service account's Client ID. In the One or More API Scopes field
enter the list of scopes that your application should be granted
access to. In your case that would be at least the Spreadsheet API scope : https://spreadsheets.google.com/feeds
When this is done, you need to update your code so that it impersonates your main account :
$key = file_get_contents($SERVICE_ACCOUNT_PKCS12_FILE_PATH);
$auth = new Google_AssertionCredentials(
'YOUR_SERVICE_ACCOUNT_EMAIL',
array('https://spreadsheets.google.com/feeds'),
$key);
$auth->sub = 'yourmainaccount#domain.com';
You can then use the $authvariable to generate the OAuth tokens you need to access the spreadsheet API. I am not sure which client you use for this so the way you inject the access token will depend on which client you use.
Also, note that this token will expire after 1 hour, and then the API will start returning Session Expired errors. If your client does not handle this automatically, you will need to catch the error and regenerate the token.