14

I'd like to use a service account to access a Google Sheet via the Apps Script Execution API, but it's not clear from the documentation whether this is supported.

The steps I've tried (which result in a 403 status from the Execution API) are:

  1. Create a new (unbound) Apps Script
  2. Visit the linked Developer Console project
  3. Enable the Execution API
  4. Create a new service account within the same project (downloading the generated JSON file)
  5. Create a new Google Sheet and share it with the service account's email address (this is the step I'm least sure about)
  6. Write an apps script function that reads from the spreadsheet
  7. Run the script manually from the Script Editor (to set the scopes on the script correctly)
  8. Publish the script ("Deploy as API executable"), making it accessible to 'anyone'
  9. Mint a new OAuth2 token using the service account and the scopes linked to the script (in our case just 'https://www.googleapis.com/auth/spreadsheets')
  10. Attempt to make a call to the Execution API using the token

This is the response I got:

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Does this not work because Service Accounts are never able to access the Execution API? Or is there something wrong with the steps above?

ziganotschka
  • 25,866
  • 2
  • 16
  • 33
Stephen L
  • 181
  • 1
  • 4
  • you might me missing the google script execution api scope on your token – Zig Mandel Oct 23 '15 at 19:01
  • Thanks - I tried to find such a scope, but I couldn't. The only ones in the list of [OAuth 2.0 Scopes for Google APIs](https://developers.google.com/identity/protocols/googlescopes#scriptv1) are for accessing services through the Execution API, rather than for the Execution API itself. I also spotted that the docs say "In the application code, generate an OAuth access token for the API call. This is not a token the API itself uses, but rather one the script requires." - I read that (possibly wrongly) to mean that the assertion of identity is to the services the script consumes. – Stephen L Oct 26 '15 at 08:58
  • Did the answer fix your problem? _Can_ you use the execution API with the service account? – Party Ark Nov 09 '15 at 18:10
  • Having same issue here. Same id for project and the script. API execution enabled. User has access to the script, but still having issue. – Maksim Luzik Feb 10 '16 at 13:19
  • @StephenL Did you ever found a solution for this problem? I'm currently having the same problem. – Busata Feb 23 '17 at 15:33

3 Answers3

14

Your original 403 error indicates that you have incorrectly set up authentication for your service account. However, even if you get that working, as of now (10 Nov 2015) you cannot execute Apps Scripts via the Service Account.

It's a known bug, and is being tracked in the Apps Scripts Issue Tracker.

Party Ark
  • 1,061
  • 9
  • 20
  • 1
    Unfortunately this is the correct answer. It took me about 3 days of senseless trials to find this answer here. Thanks @Party Ark for finally getting me onto the right track. – Jpsy Feb 12 '16 at 15:23
  • @Jpsy Curious if you ever managed to get to the 400 error that the tracked issue describes? I'm also facing this problem, but continue to get a 403 and I'm reasonably sure I have the authentication correct. – Daniel Mar 24 '16 at 18:33
5

Currently(2020), Service accounts cannot work with Apps script API. As written in the documentation,

Warning: The Apps Script API does not work with service accounts.

TheMaster
  • 45,448
  • 6
  • 62
  • 85
  • 2
    The original author is asking about whether or not a Google Apps Script deployed as an Execution API is accessible when calling it via a Google Service Account. The Apps Script API is completely different and separate from a custom Apps Script deployed as an Execution API. – ariestav Dec 23 '20 at 02:18
  • @ariestav OP linked [Execution API] in his question, which is a, direct link to Apps script api page linked in my answer. – TheMaster Dec 23 '20 at 04:49
  • I see, yes you are right. Apps Script API is linked rather than the docs on the Execution API. – ariestav Dec 28 '20 at 18:21
  • I don't think they're two different apis – TheMaster Mar 03 '22 at 09:20
2

Your problem is probably that the script is associated with the wrong project (i.e. its own project, instead of the project associated with your Service Account). Here is what you need to do:

From the Scripts editor select the following menu item: Resources > Developer Console Project.

On this screen enter the project number for your dev console.

cf this answer

Community
  • 1
  • 1
BarthesSimpson
  • 926
  • 8
  • 21
  • Thanks. I'm afraid that's not it, though - the developer console project I'm using is the one automatically created with the Apps Script, and the service account is associated with that same project. – Stephen L Oct 31 '15 at 10:35
  • In that case, I would recommend creating a new project from the developer console, enabling the relevant APIs (probably just Google Apps Script Execution API and Google Drive API), generating a new Service Account under that project, and transferring your script (or a copy of it) to that project. – BarthesSimpson Oct 31 '15 at 15:08
  • Also, are you using the API ID provided in the "Deploy as API executable" dialog to call the script? You have to use that rather than the ID of the sheet itself. – BarthesSimpson Oct 31 '15 at 15:09