1

I have a custom dashboard in Ruby on Rails project with data collected from Google Analytics. I user Google Analytics Reporting V4 API and a Service Account to authenticate.

My code works well if I don't impersonate user authorization.sub = 'xxx@mail.com' and If I do it, I get unauthorized_client error but not all the times. Sometimes it works, and sometimes not.

This is my code:

scope = [Google::Apis::AnalyticsreportingV4::AUTH_ANALYTICS_READONLY]

view_id = 'xxxxxx'

ENV['GOOGLE_APPLICATION_CREDENTIALS'] = "#{Rails.root}/private/google_analytics_key.json"
authorization = Google::Auth::get_application_default(scope)
authorization.sub = 'xxx@mail.com'

analytics = Google::Apis::AnalyticsreportingV4::AnalyticsReportingService.new
analytics.authorization = authorization

...

request = Google::Apis::AnalyticsreportingV4::GetReportsRequest.new(report_requests: report_requests)

@result = analytics.batch_get_reports(request)

Rails server log output:

Sending HTTP post https://analyticsreporting.googleapis.com/v4/reports:batchGet?
Caught error Authorization failed.  Server message:
{
 "error": "unauthorized_client",
 "error_description": "Client is unauthorized to retrieve access tokens using this method."
}
Error - #<Signet::AuthorizationError: Authorization failed.  Server message:
{
 "error": "unauthorized_client",
 "error_description": "Client is unauthorized to retrieve access tokens using this method."
}>

Completed 500 Internal Server Error in 149ms (ActiveRecord: 0.4ms)



Signet::AuthorizationError (Authorization failed.  Server message:
{
 "error": "unauthorized_client",
 "error_description": "Client is unauthorized to retrieve access tokens using this method."
}):
Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
Adrià Carro
  • 697
  • 1
  • 10
  • 22
  • authorization.sub is not supported for the Google Analytics API access as Analytics is not a GSuite (Apps for work) application . – Matt Feb 06 '17 at 21:47
  • Same problem here: http://stackoverflow.com/questions/41903578/google-api-service-account-authorization-error – MarcGuay Feb 21 '17 at 16:44

1 Answers1

2

Remember that a service account is a dummy user. For a service account to be able to access your google analytics account it needs to be preauthorized. You authorize the service account just like you would any other user. You will need to add the service account as a user via the Google Analytics website you need to do this at the ACCOUNT level it must be the ACCOUNT level.

I am not sure I understand what you are doing as far as impersonation is going. I am not a ruby dev but your code doesn't look like the sample I found here.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
  • The problem is that I can't give read permissions to Google Analytics view for service account user. I'm not the administrator... My question is why it appears only sometimes and how can I solve the error? Maybe some configuration in Google Developers Console? Thank you! – Adrià Carro Feb 06 '17 at 12:41
  • Service accounts must be preauthorized via the google analytics website there is no work around for that. If you are not the owner of the account why are you using a service account you should be using Oauth2 and requesting access of the owner. – Linda Lawton - DaImTo Feb 06 '17 at 12:42
  • this might help https://developers.google.com/api-client-library/ruby/guide/aaa_oauth store the refresh token to be able to access the users data at anytime. – Linda Lawton - DaImTo Feb 06 '17 at 12:46
  • If I do OAuth2 authentication, I need read access in google analytics view for each user who requires access and this not gonna happen. It's difficult to explain but I need to do Service Account authentication. I'm not the administrator but I have all other permissions. – Adrià Carro Feb 06 '17 at 12:56
  • If you use Oauth2 you need to have a refresh token for each user who will be using your application. The refresh token will give you access to ALL of the google analytics accounts said user has access to you do not need one for each google analytics view. Unless you can contact each user and have them grant your service account access to their google analytics account you cant use service accounts. You must use oauth2 – Linda Lawton - DaImTo Feb 06 '17 at 12:59
  • My tutorial about service accounts and how they work http://www.daimto.com/google-developer-console-service-account/ my tutorial about Oauth2 and how it works http://www.daimto.com/google-developer-console-oauth2/. I know its confusing in the beginning. – Linda Lawton - DaImTo Feb 06 '17 at 13:00