Nijin Narayanan

Reputation: 2279

Google Application Default Credentials - "Insufficient Permission" in development & "Bad Request" in production

I'm using Google Application Default Credentials to fetch the list of Labels using Gmail API.

While running the application locally using the gcloud preview app run command, I'm getting HttpError: <HttpError 403 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Insufficient Permission">

Then I deployed the application and tried to access it, but I got HttpError: <HttpError 400 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Bad Request">

I have correct configuration in gcloud config list:

account = [email protected] (Appengine Application Owner & Domain Admin)
disable_usage_reporting = False
project = <appengine_project_id>

gcloud version details:

Google Cloud SDK 0.9.76
app 2015.08.27
app-engine-python 1.9.25
bq 2.0.18
bq-nix 2.0.18
core 2015.08.27
core-nix 2015.06.02
gcloud 2015.08.27
gsutil 4.14
gsutil-nix 4.12
preview 2015.08.27

Also, I have added the service account's Client ID and the Gmail scope https://www.googleapis.com/auth/gmail.readonly in the Google Apps admin CPanel, and the Gmail API is enabled in the App Engine console.

Here is the Code:

import logging

import webapp2
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials


class Connection:
    def __init__(self):
        # Application Default Credentials: the identity supplied by the runtime environment
        self.credentials = GoogleCredentials.get_application_default()

    def fetch_labels(self):
        # Build the Gmail client with those credentials
        service = build('gmail', 'v1', credentials=self.credentials)

        logging.info(service)

        # List the labels of the target mailbox
        results = service.users().labels().list(userId='[email protected]').execute()
        labels = results.get('labels', [])

        if not labels:
            logging.info('No labels found.')
        else:
            logging.info('Labels:')
            for label in labels:
                logging.info(label['name'])


class Handler(webapp2.RequestHandler):
    def get(self):
        con = Connection()
        con.fetch_labels()

Upvotes: 0

Views: 1570

Answers (1)

Jon Wayne Parrott

Reputation: 1341

I am not 100% certain on this, but I do not think that Application Default Credentials supports domain-wide delegation of authority. You will still need to use Service Account Credentials with the sub argument:

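from oauth2client.client import SignedJwtAssertionCredentials

# sub is the user the service account acts on behalf of
credentials = SignedJwtAssertionCredentials(
    service_account_email, service_account_key,
    scope='...', sub=user_email)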

Upvotes: 1
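
The `sub` argument in the answer above ends up as the `sub` claim of the JWT assertion that a service account signs in Google's OAuth 2.0 server-to-server flow. The following is an added example, not code from the question or the answer: it uses only the standard library, omits the RS256 signing step, and builds the assertion's signing input from constructed sample identities so it can be audited for the delegation properties a reviewer would check. The function names are hypothetical.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"  # scope from the question
# Constructed sample identities (placeholders, not values from the post).
SA_EMAIL = "sa-placeholder@example-project.iam.gserviceaccount.com"
USER = "user@example.com"


def b64url(raw):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_signing_input(issuer, scopes, subject=None, now=None, lifetime=3600):
    """Return 'header.claims', the text a service account signs with RS256."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "scope": " ".join(scopes), "aud": TOKEN_URI,
              "iat": now, "exp": now + lifetime}
    if subject is not None:
        claims["sub"] = subject  # user to impersonate (domain-wide delegation)
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))


def decode_claims(signing_input):
    """Decode the claims segment back into a dict."""
    segment = signing_input.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_assertion(signing_input, expected_user, allowed_scopes):
    """List reasons the assertion would not act as expected_user with allowed scopes only."""
    claims = decode_claims(signing_input)
    findings = []
    if "sub" not in claims:
        findings.append("no sub claim: token represents the service account itself")
    elif claims["sub"] != expected_user:
        findings.append("sub impersonates an unexpected user: " + claims["sub"])
    extra = set(claims["scope"].split()) - set(allowed_scopes)
    if extra:
        findings.append("scopes beyond the admin-console grant: " + ", ".join(sorted(extra)))
    if claims["exp"] - claims["iat"] > 3600:
        findings.append("lifetime exceeds one hour")
    return findings
```

An assertion built without `subject` yields a token for the service account's own identity rather than for the mailbox owner, which is the case the answer describes.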
