12

I use google-api-php-client library to access webmaster tools data. When I wanted to list sitemaps, it appeared Fatal error: Uncaught exception 'Google_Service_Exception'(403) User does not have sufficient permission for site. See also: https://support.google.com/webmasters/answer/2451999.' I add the service account email address as a restrict user for my site, but error still exists.

Finally I find the answer: A service account is not like a regular Google account. You cannot use it to access specific resources even if you give that specific address "access" to it. See here for the different ways you can authorize your requests to the Webmaster API.

Janmay
  • 121
  • 1
  • 6

3 Answers3

17

For me the problem was not the actual permission, but the way the domain name is passed.

You should prefix your domain with sc-domain:: sc-domain:yourdomain.com. Passing just 'yourdomain.com' without the sc-domain: prefix will result in the error User does not have sufficient permission for site yourdomain.com.

Here is my Node.js example, but the same goes for PHP:

import {JWT} from 'google-auth-library';

const client = new JWT(
    null,
    'service-account.json',
    null,
    ['https://www.googleapis.com/auth/webmasters.readonly'],
);
const res = await client.request({
    url: 'https://www.googleapis.com/webmasters/v3/sites/sc-domain:yourdomain.com/searchAnalytics/query',
    method: 'POST',
    data: {
        "startDate": "2020-04-01",
        "endDate": "2020-05-01",
        "dimensions": ["country", "device"]
    }
});

console.log(res.data);
MartijnvdB
  • 922
  • 9
  • 23
  • 2
    Freaking unbelievable. I had the exact same issue and this solves it. However, for other domains it works with 'http://' plus the domain and not 'sc-domain:'. It seems that if the Google Search Console property is old-style, with the http[s]://[www] prefix, you need to use the url, while if it is a "domain" property (the kid where the protocols and subdomains are all unified and that you verify ownership via DNS), then you need to use this solution. **How did you find this and where is it documented?** – matteo Dec 18 '20 at 22:29
  • 1
    @matteo Not sure, I think I saw some sample code somewhere which used this notation. Pretty sure it was NOT the docs... – MartijnvdB Dec 21 '20 at 08:59
  • @matteo i found the documentation about that, https://developers.google.com/webmaster-tools/search-console-api-original/v3/searchanalytics/query#parameters – emaniacs Oct 06 '21 at 09:54
  • Great catch. They do not list it in their [Python docs](https://googleapis.github.io/google-api-python-client/docs/dyn/searchconsole_v1.searchanalytics.html#query) – klenium Aug 03 '22 at 09:28
  • 1
    sc-domain? Seriously? Argghhh!! – Jura Gorohovsky Mar 28 '23 at 15:45
  • Martijn I love you. Been banging my head off this wall for 1 day and didn't see that in docs. Thank you – Mrk Fldig Jun 14 '23 at 14:57
3

A service account is not like a regular Google account. You cannot use it to access specific resources even if you give that specific address "access" to it.

You need to manage the service permissions via Webmaster Admin. Add your service account

whatever@developer.gserviceaccount.com

there.

Decebal
  • 1,376
  • 1
  • 21
  • 36
  • Thanks. I don't know how I've missed this but that did the trick. I initially thought it would be enough to "just" have permissions with the principal user that the service account is associated with but evidently that wasn't enough. So thanks again for this tip! – sebieire Dec 09 '21 at 00:02
1

The solution suggested by @MartijnvdB won't work. But finally, I got one that works for me:

URL should be composed as follows: sc-domain:domain.com

SirJ
  • 173
  • 2
  • 17