Thanks. It seems to work now, oddly without even doing credentials.create_delegated (but I may be mistaken, I only tested it briefly in an offline context. In my GAE application, I've switched it to use standard 3-legged OAuth instead of service accounts).
Anyway, if credentials.create_delegated is essential for service accounts with DwD, I would propose making it more obvious in the documentation <https://developers.google.com/identity/protocols/OAuth2ServiceAccount>. I carefully read that page several times and missed it. The way the document hierarchy reads, it looks like it is on the same level as "Google App Engine", "Google Compute Engine", and "Other". So if you are looking for GAE instructions, you may think it doesn't apply to you. I would suggest moving that up one level in the hierarchy so you'd have:

1. Create a Credentials object from the service account's credentials and the scopes your application needs access to.
2. If you have delegated domain-wide access to the service account and you want to impersonate a user account, use the create_delegated method of an existing ServiceAccountCredentials object.
3. Use the authorize method of the Credentials object to apply the necessary credential headers to all requests made by an httplib2.Http instance.

I would have left this as a comment, but I don't see a way to give documentation feedback on that page.

Thanks again,
Eric

On Tuesday, November 1, 2016 at 11:22:12 AM UTC-4, George (Cloud Platform Support) wrote:
>
> Hello Eric!
>
> For your new service accounts, your code imports credentials from a stored
> JSON file, which is one of the possible alternatives, all of which should
> work well.
>
> How did you grant domain-wide access to your service account, exactly?
>
> Did you then implement the OAuth2WebServerFlow as described on the “OAuth
> 2.0” page
> <https://developers.google.com/api-client-library/python/guide/aaa_oauth>?
>
> If you delegated domain-wide access to your service account successfully,
> you need to use the "delegated_credentials =
> credentials.create_delegated('u...@example.org')" statement to
> impersonate a user with the service account, as indicated at the “Delegate
> domain-wide authority” paragraph on the “Using OAuth 2.0 for Server to
> Server Applications” page
> <https://developers.google.com/identity/protocols/OAuth2ServiceAccount>.
>
> I hope this helps for now. I’ll look at your code and try to reproduce the
> bug meanwhile, waiting for your reply.
>
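
Added example, not part of the thread or of Google's documentation: at the protocol level, the create_delegated step discussed above adds a `sub` claim naming the impersonated user to the JWT assertion that the service account exchanges for an access token. This stdlib-only sketch builds the unsigned assertion with and without that claim and reports which identity the resulting token would act as; the service account name, user address, scope and token endpoint URL are assumed sample values, and the RS256 signature is left out.

```python
import base64
import json
import time

# Assumption: Google's OAuth 2.0 token endpoint, used as the JWT audience.
TOKEN_URL = "https://oauth2.googleapis.com/token"


def b64url(data):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, scopes, subject=None, now=None, lifetime=3600):
    """Claim set of the JWT assertion a service account sends for a token."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "iss": sa_email,             # the service account itself
        "scope": " ".join(scopes),   # space-delimited scope list
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + lifetime,
    }
    if subject is not None:
        claims["sub"] = subject      # the user named in create_delegated()
    return claims


def signing_input(claims):
    """header.claims, the part of the JWT that the private key signs."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (header, claims)
    return ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts
    )


def acting_identity(assertion):
    """Decode the claims segment and report who the token will act as."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {
        "principal": claims.get("sub", claims["iss"]),
        "impersonating": "sub" in claims,
        "scopes": claims["scope"].split(),
    }
```

Without `sub`, the token represents only the service account; with it, the token reaches the named user's data, so the scopes granted for domain-wide delegation in the admin console are the control that bounds what such a key can do.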