Hello,
Service account authorization can only be used if your AdWords account is on a google apps domain. In all other cases, please use application or web flows. -Danial, AdWords API Team. On Friday, December 13, 2013 2:25:42 AM UTC+4, leig...@verticalbrands.com wrote: > > I am already using a Service Account to connect to Google Analytics and > get information. > For the Analytics API the key step was adding the service account's email > address to our analytics account. > I have a feeling I'm missing the equivalent setup step for Adwords, but > the available documentation is of little help, just like when I was trying > to figure out analytics. > Developers everywhere would be grateful if Google improved and updated > their api documentation. It really isn't that hard to tell that they need > to add the service account email address to analytics if they want it to > work as advertised. > > Anyways, I have followed all the the documented steps to get a Google > Service Account access to the Adwords API for our MCC account: > https://developers.google.com/adwords/api/docs/guides/service-accounts > > In detail this is what I have done so far: > > - I have an approved developer token for my company's MCC account > (850-XXX-XXXX) > - The domain administrator for my domain (verticalbrands.com) has > enabled impersonation abilities for my service account's client id for the > api scope https://adwords.google.com/api/adwords > - I am using the official Google Adwords API Client for Ruby: > https://github.com/googleads/google-api-ads-ruby > - I am instatiating the API object as such (anonymized of course): > > @adwords_client = AdwordsApi::Api.new({ > authentication: { > method: 'OAUTH2_JWT', > oauth2_issuer: 'xx...@developer.gserviceaccount.com <javascript:> > ', > oauth2_secret: 'notasecret', > oauth2_keyfile: key_filename, #I'm sure the key location is > correct, as it works for analytics > oauth2_prn: 'xx...@verticalbrands.com <javascript:>', # This > email address is connected to an Adwords account under the MCC umbrella > with the approved dev token > developer_token: developer_token, # This is the approved developer > token. > client_customer_id: '850-882-XXXX', > user_agent: 'KPI Metrics' > }, > service: { > environment: 'PRODUCTION' > }, > connection: { > enable_gzip: false > }, > library: { > log_level: 'DEBUG' > } > }) > > According to the docs, I should be able to impersonate any user in my > domain (verticalbrands.com) for access to the api with this configuration > and an approved developer token. > The authorization seems to succeed. Calling authorize on the client object > yields: > {:access_token=>"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", > :issued_at=>2013-12-12 13:44:40 -0800, > :expires_in=>3600, > :id_token=>nil} > > However, every request I send gets the same error: > AdwordsApi::Errors::ReportXmlError: HTTP code: 400, error type: > 'AuthorizationError.USER_PERMISSION_DENIED', trigger: '<null>', field path: > '' > > Besides the obvious question of: why aren't the docs complete enough to > get a request to work from a Service Account? > I have more pointed questions: > > 1. The MCC account is for a different domain (realtynation.com). Do I > need to impersonate the MCC account email address ( > xx...@realtynation.com <javascript:>) instead of the actual adwords > account I'm interested in (xx...@verticalbrands.com <javascript:>)? > 2. Is the Domain mismatch between the two email addresses causing this > issue? > 3. In the Account Access settings page, it indicates that the > xx...@verticalbrands.com <javascript:> email address has > "Administrative Access' but the xx...@realtynation.com > <javascript:>address has 'User > interface and API' access. > Does 'Administrative Access' not include API access? If so, does this > mean I MUST impersonate an account that has API access specifically? If > so, > why isn't this anywhere in the documentation? > 4. Do I need to add the Service Account's email address to one of the > Adwords account? If so, how do I get to the verification email for a > Service Account? > > > > > > > > > > > > -- -- =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ Also find us on our blog and discussion group: http://googleadsdeveloper.blogspot.com http://groups.google.com/group/adwords-api =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ You received this message because you are subscribed to the Google Groups "AdWords API Forum" group. To post to this group, send email to adwords-api@googlegroups.com To unsubscribe from this group, send email to adwords-api+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/adwords-api?hl=en --- You received this message because you are subscribed to the Google Groups "AdWords API Forum" group. To unsubscribe from this group and stop receiving emails from it, send an email to adwords-api+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
