Reputation: 83
Encountered 403 Forbidden : Service Account calling Google APIs using AWS Lambda
Since this is an integration app calling a service, I decided to use Service Account because its used for server-to-server interactions. I'm using the Lambda integration to call the Google Service Account to get the Google Campaign Manager 360 API campaign data and download the data into S3 bucket for SA's BI Reports. However, after configuring the service and redacting my lambda code , I get this 403 error and not quite sure why. Here are the steps.
- I Set up Service Account giving my self owner privileges and the account has user privileges.
- Copied the service account Json file to be used by Python and Google API. I'm not sure what to do at this point and what could be wrong. Thanks much for your help.
Here is my code for the lambda python integration where execution fails at line 20 (I would expect an issue with OAuth2.0 credentials but not with Service Account. I'm new to all of this) :
import json
import os
from google.oauth2 import service_account
from googleapiclient.discovery import build
import googleapiclient.discovery
SCOPES = ['https://www.googleapis.com/auth/dfareporting', 'https://www.googleapis.com/auth/ddmconversions']
delegate = os.environ['DELEGATE_EMAIL']
profile_id = os.environ['PROFILEID']
def lambda_handler(event, context):
SERVICE_ACCOUNT_FILE = 'service.json'
print(SERVICE_ACCOUNT_FILE)
# Implement Credentials objects from the service account and scopes
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)
print('<< CREDENTIAL >> ', credentials)
#delegated_credentials = credentials.with_subject(delegate)
gcm360_client = build('dfareporting', 'v4', credentials=credentials)
request =gcm360_client.campaigns().list(profileId=profile_id)
print('<< REQUEST >> ',request)
response = request.execute()
#print('<< RESPONSE >> ',response)
return {
'statusCode': 200,
'body': json.dumps('Hello from Lambda!')
}
Here is the error message in Lambda:
Upvotes: 1
Views: 633
Answers (1)
Reputation: 83
After unsuccessfully trying to use the Service Account method, I had to use a mostly non-Google Rest-based alternative that incorporates some Google.
I was able to pull data using a get request and load that data into an S3 bucket using the google API urls for Campaign Manager 360.
Now, I need to generate tokens for my Service Account.
@JohnHanley has a solution for this at:
How do I create an Access Token from Service Account Credentials using REST API?
It seems to use info from the Google Page here:
https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
Upvotes: 1
Related Questions
- Failing to retrieve google drive labels using google service account
- Service Account authentication credentials for Google Drive not working
- OAuth2.0 token strange behaviour (Invalid Credentials 401)
- GCP: Allow Service Account to Impersonate a User Account with Google Analytics Scopes
- Google Directory API: Unable to access User/Group endpoints using Service Account (403)
- How to authorise a service account to access the Google Admin API
- Google TaskQueue JSON API - Can not oauth - 403 Forbidden