
unauthorized_client error when trying to impersonate an account


On the Google Business Profile API (Google My Business), I am getting the following error when I try to impersonate an email address:

('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})

I am trying to achieve this using a Python script that uses the Google API Client Library:

# ServiceCredentials is the google-auth service account credentials class
from google.oauth2.service_account import Credentials as ServiceCredentials

file_location = '/some/folder/file.json'
impersonated_email = 'abc@abc.com'
scope = ["https://www.googleapis.com/auth/business.manage"]

# subject= is the account the service account should impersonate
credentials = ServiceCredentials.from_service_account_file(file_location, scopes=scope, subject=impersonated_email)

If I try to access the endpoint without the subject parameter, it works. But of course the main purpose here is impersonating. And the Google documentation says it is possible to impersonate with the subject parameter (or via the with_subject function).

By the way, if I try an invalid mail address, the error changes to: ('invalid_grant: Invalid email or User ID', {'error': 'invalid_grant', 'error_description': 'Invalid email or User ID'})

So I assume that I can get the user credentials, but I have no idea what could be wrong.

Does anybody have any idea about the issue? What could be the possible issues?


Solution

  • Well, Google explains that JWT error code as follows:

    error field: unauthorized_client

    error_description field: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

    Meaning:

    A service account was authorized using the client email address rather than the client ID (numeric) in the Admin console.

    How to resolve:

    In the Domain-wide delegation page in the Admin console, remove the client, and re-add it with the numeric ID.

    I tried that but I still got the error.

    Then, after some digging, I saw that you can only impersonate G Suite accounts.

    So, after that I tried the same code with another real-person mail address that is a G Suite account, and it worked.
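The two checks the answer arrives at (register the numeric client ID, not the client email, on the Domain-wide delegation page, and only impersonate a Workspace / G Suite account) can be turned into a small pre-flight helper. This is an added example, not code from the question or the answer; the key-file content is a constructed sample with no real key material, and the gmail.com / googlemail.com consumer-domain list is an assumption used to flag non-Workspace subjects.

```python
# Constructed sample key-file content (no real key material); only the fields
# that matter for domain-wide delegation are included.
SAMPLE_KEY_INFO = {
    "type": "service_account",
    "client_email": "svc-name@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
}
SCOPES = ["https://www.googleapis.com/auth/business.manage"]

# Assumption: consumer Google accounts live in these domains and cannot be
# impersonated through domain-wide delegation.
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}

def numeric_client_id(key_info):
    """The value to register on the Admin console Domain-wide delegation page.
    Registering client_email instead is the cause Google documents for
    unauthorized_client."""
    cid = str(key_info.get("client_id", ""))
    if not cid.isdigit():
        raise ValueError("service account key file has no numeric client_id")
    return cid

def diagnose(key_info, subject, scopes, error):
    """Turn a token-endpoint error dict (the shape quoted in the question)
    into the checks an admin should perform. Returns a list of findings."""
    findings = []
    code = error.get("error")
    if code == "unauthorized_client":
        findings.append("register client ID %s (not %s) under Domain-wide delegation"
                        % (numeric_client_id(key_info), key_info["client_email"]))
        findings.append("authorize exactly these scopes for that client ID: "
                        + ", ".join(scopes))
    elif code == "invalid_grant":
        findings.append("subject %r was rejected: check the address itself" % subject)
    domain = subject.rpartition("@")[2].lower()
    if not domain or domain in CONSUMER_DOMAINS:
        findings.append("subject %r is not a Workspace (G Suite) account; "
                        "only those can be impersonated" % subject)
    return findings

def delegated_credentials(key_path, subject, scopes):
    """Build the impersonating credentials with google-auth (import kept local
    so the diagnostics above run without the library installed)."""
    from google.oauth2 import service_account
    return service_account.Credentials.from_service_account_file(
        key_path, scopes=scopes, subject=subject)
```

Run `diagnose()` against the error dict your script receives before touching the Admin console; it tells you whether the fix is the delegation entry, the scope list, or the subject address.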