Service account doesn't have access to own channel videos in Youtube API

Question

I created a service account credential in Google and tried to change the thumbnail of a video I own (it's uploaded in my verified channel). The account is, by the way, a managed account (indeed, it's a company email). The code below apparently logs in using the credentials in the JSON file downloaded from the Google API backend. IMAGE_MIME is image/jpeg, CHUNK_SIZE_BYTES is 1 * 1024 * 1024.

putenv("GOOGLE_APPLICATION_CREDENTIALS=" . CLIENT_ACCOUNT_FILE);

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->setScopes(['https://www.googleapis.com/auth/youtube', 'https://www.googleapis.com/auth/youtube.upload']);
$client->setDefer(true);

$youtube = new Google_Service_YouTube($client);
try {
  $set_request = $youtube->thumbnails->set($video_id);
  $media = new Google_Http_MediaFileUpload(
    $client,
    $set_request,
    IMAGE_MIME,
    null,
    true,
    CHUNK_SIZE_BYTES
  );

  $media->setFileSize(filesize($image_path));

  $status = false;
  $handle = fopen($image_path, "rb");
  while (!$status && !feof($handle)) {
    $chunk = fread($handle, CHUNK_SIZE_BYTES);
    $status = $media->nextChunk($chunk);
  }
  fclose($handle);
} catch (Exception $e) {
  echo "ERROR -> " . $e->getMessage();
}
$client->setDefer(false);

Sadly, it throws an exception. Running getMessage(), it pops out this JSON:

{
 "error": {
  "errors": [
   {
    "domain": "youtube.thumbnail",
    "reason": "forbidden",
    "message": "The thumbnail cant be set for the specified video. The request might not be properly authorized.",
    "locationType": "parameter",
    "location": "videoId"
   }
  ],
  "code": 403,
  "message": "The thumbnail cant be set for the specified video. The request might not be properly authorized."
 }
}

I directly access the video ID, the channel is mine (and there's only one channel), it doesn't throw a login exception (it did until I made it work), and the image file exists. Has anyone had this issue before?

Edit

I decided to log into my personal account and follow the same process of verification, API activation, service account JSON download and script running. The error is absolutely the same, even when everything in there should be working now for a non-domain account, after Jay's answer.

I tried, just because, to use the company credentials with my personal video and try this. Same error. It's like I'm missing something on the whole process. I also checked the value of getenv and it's correct, and not setting it would pop a "Could not load the default credentials.", so in the end it's grabbing the proper credentials, although not giving access to them them somehow.

Answer 1

Service accounts are not members of managed G Suite domains (company accounts) and do not automatically have rights to any data that the service account creator user account has. See the note on Google's domain wide delegation setup:

Note: Although you can use service accounts in applications that run from a G Suite domain, service accounts are not members of your G Suite account and aren’t subject to domain policies set by G Suite administrators. For example, a policy set in the G Suite admin console to restrict the ability of G Suite end users to share documents outside of the domain would not apply to service accounts.

Options for you would be:

1. Actually perform domain wide delegation as described above and act as your G Suite user, not the service account.

2. Share edit access of the Youtube video with the service account email address.