Dylan Landry

Reputation: 1290

GCP: 403 The caller does not have permission

EDIT: I eventually granted edit access to the service account from the sheet's share settings. That let me insert into the sheet. I don't think that is the best solution for my situation, but it is a solution.

Any help I would be grateful for. I don't think this is a complicated problem, it's just that I have never used GCP before and am still learning.

I'm trying to write to a Google Sheet using their .NET APIs. I want to submit users' feedback to this sheet from within a game I am developing. I'd prefer the process occur without the user undergoing any Google authorization process of their own.

I'm running into this error:

GoogleApiException: Google.Apis.Requests.RequestError
The caller does not have permission [403]
Errors [
    Message[The caller does not have permission] Location[ - ] Reason[forbidden] Domain[global]
]

Here's what I've tried so far.

  1. Successfully followed Google's guide for reading from a sheet.
  2. Created a service account with Log Writing permissions.
  3. Downloaded and used the service account's credentials via GoogleCredential.

I have a feeling I just selected the incorrect role, though I'm not sure. I'll keep researching. Again, any help I'd be grateful for.

Upvotes: 2

Views: 9628

Answers (1)

DazWilkin

Reputation: 40366

You may be better placed using the full OAuth (3-legged-auth) flow for a human user rather than a service account.

See the example here. This uses a human user account and requires the user to approve the code's permission to access their Google Sheets data: https://developers.google.com/sheets/api/quickstart/dotnet

It's confusing but, while IAM is the modern authorization mechanism used for e.g. Google Cloud Platform services, other Google services don't use IAM but instead use OAuth scopes to define the client's access to API methods.

So, yes, IAM Log Writing is wrong as you're probably referring to the role required for clients to write to Stackdriver Logging.

See Google Sheets' (OAuth) scopes here: https://developers.google.com/sheets/api/guides/authorizing

And be aware that the sample code's:

static string[] Scopes = { SheetsService.Scope.SpreadsheetsReadonly };

Corresponds to https://www.googleapis.com/auth/spreadsheets.readonly

So, you'll need to use: https://www.googleapis.com/auth/spreadsheets and this corresponds to:

static string[] Scopes = { SheetsService.Scope.Spreadsheets };

See Scope

HTH

Upvotes: 2
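
An added example, not code from the question or the answer: appending a feedback row with a service account, combining the write scope from the answer with the sheet sharing described in the question's EDIT. The class name, key file path, spreadsheet ID, sheet name and application name are placeholders, and the code assumes the Google.Apis.Sheets.v4 NuGet package.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Google;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using Google.Apis.Sheets.v4;
using Google.Apis.Sheets.v4.Data;

static class FeedbackWriter // hypothetical name
{
    // Write scope. With SpreadsheetsReadonly, reads work but appends are rejected.
    static readonly string[] Scopes = { SheetsService.Scope.Spreadsheets };

    const string KeyFile = "service-account.json";      // placeholder path to the downloaded key
    const string SpreadsheetId = "YOUR_SPREADSHEET_ID"; // placeholder
    const string Range = "Feedback!A:B";                // assumed sheet (tab) name

    public static void Append(string feedback)
    {
        // IAM roles such as Log Writing play no part here: access is decided by
        // the OAuth scope and by who the sheet is shared with.
        GoogleCredential credential = GoogleCredential.FromFile(KeyFile).CreateScoped(Scopes);
        var service = new SheetsService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "feedback-writer" // placeholder
        });

        var row = new List<object> { DateTime.UtcNow.ToString("o"), feedback };
        var body = new ValueRange { Values = new List<IList<object>> { row } };
        var request = service.Spreadsheets.Values.Append(body, SpreadsheetId, Range);
        // RAW stores the text as-is, so feedback starting with '=' is not evaluated as a formula.
        request.ValueInputOption =
            SpreadsheetsResource.ValuesResource.AppendRequest.ValueInputOptionEnum.RAW;

        try
        {
            request.Execute();
        }
        catch (GoogleApiException e) when (e.HttpStatusCode == HttpStatusCode.Forbidden)
        {
            // Per the question's EDIT, the 403 cleared once the sheet was shared with the account.
            Console.Error.WriteLine("403: share the sheet with the key file's client_email " +
                "as Editor and confirm the credential uses the spreadsheets scope.");
            throw;
        }
    }
}
```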
