14

I created a script in the script editor, published it as a "Deploy as API executable". Inside this script, I provided a doc_id to my sheet and defined a function to get data from that sheet.

I then went to https://developers.google.com/apps-script/execution/rest/v1/scripts/run to test the execution API. I added the scopes, authorized the app and tried it. I am getting the following error message:

"error": {
  "code": 403,
  "message": "The caller does not have permission",
  "status": "PERMISSION_DENIED"
}

Can someone tell me what I am doing wrong?

ziganotschka
Bellave Jayaram
  • What APIs are you using within your script? Does the authenticating user have permission to use these? – JSDBroughton Oct 03 '15 at 17:42
  • I'm just using the Spreadsheet API in my script and I have enabled the Drive API and the Google Apps Script Execution API for my project in the Google Developer Console. I have also verified using the OAuth 2 Playground (https://developers.google.com/oauthplayground/?code=4/OYAJ-RTbiS-eTDuUHiUwD2hH-alniFyB2RnHtFn3sVk) that I (the authenticating user) do have read access to that spreadsheet. – Bellave Jayaram Oct 04 '15 at 00:51
  • same here... any feedback ? – jujule Oct 04 '15 at 01:25
  • Additional info I discovered is that when I go to my account and list the apps connected, I can see the app but it is not in the list of apps returned by going to Services > Drive API v2 > drive.apps.list (https://developers.google.com/apis-explorer/?hl=en_US#p/drive/v2/drive.apps.list). Shouldn't it be? – Bellave Jayaram Oct 04 '15 at 01:35
  • 1
    In your account, have you tried removing the app and reauthenticating? It's also important that all scopes listed in your Script project under File > project properties are included in your frontend application – mhawksey Oct 04 '15 at 07:12
  • ^That is key. If you didn't ask for the right scope, the passed token won't have permission (only authentication) – Zig Mandel Oct 05 '15 at 03:52

6 Answers

27

Make sure the app script is associated with the correct dev console project.

The script should be associated with the dev console project id that corresponds with OAuth 2.0 client ID used (this dev console project should also have "Apps Script Execution API" enabled).

To change the developer console project for an app script select the following menu item: Resources > Developer Console Project...

On this screen enter the project number for your dev console.

Farhad Khairzad
  • I figured out that I was mixing up things because I was using the same spreadsheet to build a web app as well as an app that uses the execution API and I had done things without careful attention. For the web app, the script details are in the Script Editor associated with the spreadsheet but for the other one, they are in the project as pointed out by Farhad. By carefully checking everything that I had done, I got my problem resolved. – Bellave Jayaram Oct 09 '15 at 19:48
  • I don't get it: do I have to use Compute Engine to use the Execution API, or can I call the Apps Scripts functions remotely? What's the difference between this and deploying the Project as a Web App if I don't need to secure the access to the "run" link? – Nakilon Oct 17 '15 at 15:31
  • @Nakilon You must supply a valid OAuth token to use the API, and this requires a Developer Console Project. – Farhad Khairzad Oct 19 '15 at 20:40
  • Ah, perfect! Thank you, Farhad! I had gotten this process working for a client, but I didn't realize his spreadsheet was associated with a different project. I would never have thought to look, so thanks for saving me days! – Kenny Wyland Feb 15 '16 at 23:04
  • 1
    you get the project number in the menu (3 dots) under "project information" – CrandellWS Mar 30 '16 at 03:05
11

Even with everything okay, you can get that error by "devMode":true. Thanks to this, I wasted half a day when I tried to deploy for other users.

Just for future reference.

goodhyun
  • I think this happens because you're not running as the owner of the script. https://developers.google.com/apps-script/execution/rest/v1/scripts/run#request-body describes what devMode is: "If true and the user is an owner of the script, the script runs at the most recently saved version rather than the version deployed for use with the Execution API. Optional; default is false," but it doesn't tell you that you might get the permission denied error. – clearf Oct 25 '16 at 22:31
3

You just have to add the service account user as an editor on the project

The email from the service account to add looks something like this {project-name}@{project-name}.iam.gserviceaccount.com

chemdrew
3

I did a mix of all of your suggestions, plus I needed to use the non-'obsolete' ID of the Project. When I publish the script, it gives me an ID, which I was using successfully as long as the owner runs the routine, and only within Google Chrome (if I try it on Edge it fails). When I publish and try it with a different user it stops working. I open the script, go to File / Project properties and copy the longer Script ID instead. The routine starts working for any user then. In the following image I underlined in red the key that works for the developer alone, and in green the key that works for all users (they're cut on purpose, and my environment is in Spanish so the actual translated options may vary, sorry).

[image: Project properties keys]

I believe it is worth making a summary:

  1. I followed the instructions at 'Using the execution API' and the quickstarts to publish my script as an execution API. (Create the script, enable Google Apps Script Execution API, publish as API executable with access by everybody.)
  2. I made the script visible for everybody, on File / Sharing: [image: API sharing settings]
  3. I made sure that devMode was not set to true on my call. Here is the JavaScript call snippet: [image: JavaScript call snippet]
  4. I made sure that all of the scopes in the Project were included during the OAuth request: [images: API scopes, API OAuth call]
  5. I had to wait a few minutes for all security rights to be ready (i.e. OAuth credentials)

Basically, these are all the required steps I needed to follow in order to get the script up and running. Hope it helps. Finally, I would like you to see what I saw when it failed and when it succeeded: [images: API call fail, API call success]

Thank you!

Chesare
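The three checks raised in the answers and comments above (token scopes, Developer Console project, devMode), gathered into one preflight function; this is an added example, not code from any poster in this thread. It assumes an object shaped like an OAuth tokeninfo response (`aud`, `scope`) and that the leading digits of the client ID are the project number; `diagnoseRunRequest`, `projectNumberOf`, `getData` and all sample values are hypothetical.

```javascript
// Added example: preflight check to run before sending a scripts.run request.
// Every value below is constructed; none comes from the thread.

// Assumption: the leading digits of an OAuth client ID are the project number.
function projectNumberOf(clientId) {
  const m = /^(\d+)[-.]/.exec(clientId || "");
  return m ? m[1] : null;
}

// tokenInfo: object shaped like a tokeninfo response ({ aud, scope }).
// script: { projectNumber, requiredScopes, callerIsOwner }, copied by hand
// from the script's project properties. body: the scripts.run request body.
function diagnoseRunRequest(tokenInfo, script, body) {
  const findings = [];
  const granted = new Set((tokenInfo.scope || "").split(/\s+/).filter(Boolean));
  const missing = script.requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    findings.push({ check: "scopes", detail: "token lacks: " + missing.join(", ") });
  }
  const tokenProject = projectNumberOf(tokenInfo.aud);
  if (tokenProject === null) {
    findings.push({ check: "project", detail: "no project number in client ID" });
  } else if (tokenProject !== String(script.projectNumber)) {
    findings.push({
      check: "project",
      detail: `client ID is from project ${tokenProject}, script is bound to ${script.projectNumber}`,
    });
  }
  if (body.devMode === true && !script.callerIsOwner) {
    findings.push({ check: "devMode", detail: "devMode is true for a non-owner" });
  }
  return findings;
}

const sampleToken = {
  aud: "111111111111-example.apps.googleusercontent.com",
  scope: "https://www.googleapis.com/auth/drive",
};
const sampleScript = {
  projectNumber: "222222222222",
  requiredScopes: [
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
  ],
  callerIsOwner: false,
};
const sampleBody = { function: "getData", devMode: true }; // getData is hypothetical

console.log(diagnoseRunRequest(sampleToken, sampleScript, sampleBody));
```

An empty result means none of these three causes applies; sharing settings on the script and the sheet still have to be checked by hand.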
2

I've also faced the error, and everything was associated accordingly... After some time of investigation I found out that the sheet should be shared by link. This is a limitation of googleapis v4.

D.Dimitrioglo
1

I had the same problem of permissions and I solved it by changing the status of my Google Sheet to public. Now I can read data using the GET method.

victor