
I've read a few comments in some reports on the use of the sub parameter which (this is how I understand it), when passed with the credentials object to Google Analytics for 2LO with service accounts, can be used to act as a substitute for directly authorizing an account manually through the admin console which I've pictured below.


Analytics Google API Error 403: "User does not have any Google Analytics Account"

Am I wrong in my understanding in thinking that if I passed 'sub': 'superuseremail@account.com' it would take the place of manually setting account permissions in GA?

More importantly, I was granted access to a Google Analytics account via account permissions (such that I don't have super-user authority, or access to the super user email), and I passed this sub parameter using that email. I received the 403 error attempting this route.

Put briefly:

The only way to get access with the service account I'm gleaning is either to have access to the super-user email and managing account permissions by manually adding the service account email or to pass the sub parameter with the credentials object having a sub email that is the correct super-user email?

mburke05

1 Answer


TLDR: No! Google Analytics is not a G-Suite product, and a service account does not have the authority to access another's G-Suite account without direct authorization.

If you take a close look at the source code for the method in question:

def create_delegated(self, sub):
    """Create credentials that act as domain-wide delegation of authority.
    Use the ``sub`` parameter as the subject to delegate on behalf of
    that user.
    For example::
      >>> account_sub = 'foo@email.com'
      >>> delegate_creds = creds.create_delegated(account_sub)
    Args:
        sub: string, An email address that this service account will
             act on behalf of (via domain-wide delegation).
    Returns:
        ServiceAccountCredentials, a copy of the current service account
        updated to act on behalf of ``sub``.
    """
    new_kwargs = dict(self._kwargs)
    ...

You will see that this service account will act on behalf of the user via domain-wide delegation.

Then the answer to your question is "what is Domain wide delegation?".

In enterprise applications you may want to programmatically access a user's data without any manual authorization on their part. In G-Suite domains, the domain administrator can grant third-party applications domain-wide access to its users' data — this is referred to as domain-wide delegation of authority.

Riccardo
Matt
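An added example, not part of the original answer and not oauth2client code: it builds the claim set of the JWT a service account signs for 2LO, shows that a delegated credential differs only by carrying a `sub` claim, and models the server-side decision. The `token_issued` policy, the `admin_grants` table, the client IDs and the e-mail addresses are constructed assumptions; the real check is performed by Google's token endpoint against what the domain administrator has authorized.

```python
import base64, json, time

TOKEN_URI = "https://oauth2.googleapis.com/token"
GA_SCOPE = "https://www.googleapis.com/auth/analytics.readonly"
SA_EMAIL = "reporter@example-project.iam.gserviceaccount.com"  # constructed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_claims(sa_email, scopes, sub=None, now=None):
    """Claim set of the JWT assertion a service account signs for 2LO."""
    now = int(time.time()) if now is None else now
    claims = {"iss": sa_email, "scope": " ".join(scopes),
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}
    if sub is not None:
        claims["sub"] = sub  # the claim a delegated credential adds
    return claims

def unsigned_assertion(claims):
    """header.payload segments only; a real assertion adds an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))

def impersonated_user(assertion):
    """Audit helper: which user, if any, does this assertion ask to act as?"""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    sub = claims.get("sub")
    return sub if sub and sub != claims["iss"] else None

def token_issued(claims, client_id, admin_grants, domain):
    """Simplified model (assumption) of the server-side decision.

    admin_grants maps a service account client ID to the scopes the domain
    administrator authorized for domain-wide delegation.
    """
    sub = claims.get("sub")
    if sub is None:
        return True  # no impersonation: the service account acts as itself
    if not sub.lower().endswith("@" + domain.lower()):
        return False  # subject is outside the delegating domain
    return set(claims["scope"].split()) <= admin_grants.get(client_id, set())
```

Setting `sub` only requests impersonation; whether a token comes back depends on a grant the administrator made beforehand, which is why passing another user's e-mail from an unauthorized service account is refused.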