google-analyticsgoogle-apigoogle-analytics-apigoogle-api-client

Google Analytics API: "User does not have sufficient permissions for this account."


I'm writing a Ruby app that accesses the Google Analytics API to pull down some experiment information.

The app connects and authenticates using a Google Service Account via the following function:

def connect
  ...
  @@client = Google::APIClient.new(:application_name => 'My Service App', 
                                    :application_version => '1.0.0')
  key_file = Rails.root.join('config', 'privatekey.p12').to_s
  key_secret = 'somesecret'
  key = Google::APIClient::PKCS12.load_key(key_file, key_secret)
  asserter = Google::APIClient::JWTAsserter.new(
    SECRETS[:google_service_account_email],
    ['https://www.googleapis.com/auth/yt-analytics.readonly',
     'https://www.googleapis.com/auth/analytics.readonly'
    ],
    key
  )
  @@client.authorization = asserter.authorize()
  ...
end

...which authenticates and discovers both APIs without issue.

Using the client against the YouTube Analytics API works without issue. Using the same exact account to access the Analytics API via...

response = @@client.execute({
  # 'analytics is the API object retrieved via discover_api()
  :api_method => analytics.management.experiments.list, 
  :parameters => {
    'accountId' => 'AAAAAAAA',
    'profileId' => 'PPPPPPPP',
    'webPropertyId' => 'UA-WWWWWWWW-#'
  }
})

Results in a 403 error response:

{"domain":"global","reason":"insufficientPermissions","message":"User does not have sufficient permissions for this account."}

In regards to authorization, I have double-checked the account service@myapp.com:

Given that the service account can access at least one API (YouTube Analytics), and the associated account (service@myapp.com) can access the Analytics web interface, there seems to be something wrong with the service account accessing the Analytics API in particular.

Any ideas?

Similar topics:


Solution

  • Make sure you give the service account email (something like 1234567890@developer.gserviceaccount.com) permissions to read/write from your GA view.

    Admin > View > User Management > "Add permissions for:"