Google Adwords API error: invalid grant

Question

I'm receiving this error trying to authenticate with the Adwords API using a service account and JWT with the Ruby API library.

I am copying the example provided, but it just doesn't seem to work.

/home/michael/.rvm/gems/ruby-2.1.2/gems/signet-0.5.1/lib/signet/oauth_2/client.rb:941:in `fetch_access_token': Authorization failed. Server message: (Signet::AuthorizationError) { "error" : "invalid_grant" }

adwords_api.yml

---
# This is an example configuration file for the AdWords API client library.
# Please fill in the required fields, and copy it over to your home directory.
:authentication:
  # Authentication method, methods currently supported: OAUTH2, OAUTH2_JWT.
  :method: OAUTH2_JWT


  # Auth parameters for OAUTH2_JWT method. See:
  #   https://developers.google.com/accounts/docs/OAuth2ServiceAccount
  :oauth2_issuer: 43242...apps.googleusercontent.com 
  :oauth2_secret: 'notasecret'
  # You can provide path to a file with 'oauth2_keyfile' or the key itself with
  # 'oauth2_key' option.
  :oauth2_keyfile: /home/.../google-api-key.p12
  # To impersonate a user set prn to an email address.
  :oauth2_prn: my@email.com

  # Other parameters.
  :developer_token: ua...w
  :client_customer_id: 123-123-1234
  :user_agent: test-agent
:service:
  # Only production environment is available now, see: http://goo.gl/Plu3o
  :environment: PRODUCTION
:connection:
  # Enable to request all responses to be compressed.
  :enable_gzip: false
  # If your proxy connection requires authentication, make sure to include it in
  # the URL, e.g.: http://user:password@proxy_hostname:8080
  # :proxy: INSERT_PROXY_HERE
:library:
  :log_level: INFO

test.rb

#!/usr/bin/env ruby

require 'adwords_api'

def use_oauth2_jwt()
  adwords = AdwordsApi::Api.new

  adwords.authorize()

  campaign_srv = adwords.service(:CampaignService, API_VERSION)

  selector = {
    :fields => ['Id', 'Name', 'Status'],
    :ordering => [
      {:field => 'Name', :sort_order => 'ASCENDING'}
    ]
  }

  response = campaign_srv.get(selector)
  if response and response[:entries]
    campaigns = response[:entries]
    campaigns.each do |campaign|
      puts "Campaign ID %d, name '%s' and status '%s'" %
          [campaign[:id], campaign[:name], campaign[:status]]
    end
  else
    puts 'No campaigns were found.'
  end
end

if __FILE__ == $0
  API_VERSION = :v201409

  begin
    use_oauth2_jwt()

  # HTTP errors.
  rescue AdsCommon::Errors::HttpError => e
    puts "HTTP Error: %s" % e

  # API errors.
  rescue AdwordsApi::Errors::ApiException => e
    puts "Message: %s" % e.message
    puts 'Errors:'
    e.errors.each_with_index do |error, index|
      puts "\tError [%d]:" % (index + 1)
      error.each do |field, value|
        puts "\t\t%s: %s" % [field, value]
      end
    end
  end
end

Answer 1

After several more hours of fiddling, I finally got it working by setting the oauth2_prn to the primary email on the MCC and Google Apps for Business account.

Answer 2

This is going to be difficult to answer definitively as it's authorisation based so the error message is a glorified "not authorised" message.

All I can really do is suggest a few things to check (acknowledging you've probably went through these already):

• Your developer token is definately showing as 'Approved'? (you can check this in the client centre - through the setting cog then account then adwords api centre)
• You have registered an application through Google Developer Console
• You (or the owner of the account you are trying to access) have authorised your application - probably by following this guide and definately seeing one of these things at somepoint:

If you have checked all of these then the only other thing I can suggest is a post to the official forum where they tend to be helpful and often take authorisation issues 'offline' to have a look at the actual soap requests etc. (I have found this much quicker and easier than trying to wade through the levels of AdWords 'support')

Good luck!