0

In trying to test the Execution API with the Python Google API client, in which we currently just have a single function that outputs a string, we seem to be getting a 403 with the message "The caller does not have permission". We were able to get the library working with creating new scripts as per the quickstart. Other folks have asked similar questions, a la:

Why does my apps script deployed as API executable return Permission Denied?

But a common thread I'm seeing is the script itself should have the console project linked as by Resources > Developer Console Project, but that's now been changed to Resources > Cloud Platform Project, and changing the ID to the one belonging to the console project we have with the OAuth2 creds doesn't work, as it seems to think that project doesn't exist. Prior to stumbling upon that thread, it didn't even seem obvious we needed to hook into the Cloud Platform to execute scripts.run. fwiw we also have the Apps Script API enabled on the console project.

Code included here (half-finished, so there's a for loop that just executes once with the hardcoded script ID):

from googleapiclient import errors
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client import file, client, tools
from pprint import pprint
from time import sleep

SCOPES = ['https://www.googleapis.com/auth/drive.readonly', 'https://www.googleapis.com/auth/forms']

if __name__ == '__main__':
    store = file.Storage('token-app.json')
    creds = store.get()

    if not creds or creds.invalid:
        flow = client.flow_from_clientsecrets('credentials.json', SCOPES)
        creds = tools.run_flow(flow, store)

    store_cloud = file.Storage('token-cloud.json')
    creds_cloud = store_cloud.get()

    if not creds_cloud or creds_cloud.invalid:
        flow = client.flow_from_clientsecrets('credentials-cloud.json', SCOPES)
        creds_cloud = tools.run_flow(flow, store_cloud)

    service = build('drive', 'v3', http=creds.authorize(Http()))
    apps_service = build('script', 'v1', http=creds_cloud.authorize(Http()))

    results = service.files().list(
        q=("mimeType='application/vnd.google-apps.form'"), pageSize=10, 
            fields="nextPageToken, files(id, name)").execute()
    items = results.get('files', [])

    if not items:
        print('No files found.')
    else:
        print('Files:')
        for item in items:
            # print(item.keys())
            print(u'{0} ({1})'.format(item['name'], item['id']))
            script_id = 'SCRIPT_ID'

            try:
                response = apps_service.scripts().run(scriptId=script_id, 
                    body={'function': 'myFunction'}).execute()
                pprint(response.to_json())
            except errors.HttpError as error:
                pprint(error.content)

Any advice on where to look or what's been changed to what is much appreciated, since this issue seems to have been answered a few years back, so guessing stuff's been shifted a little?

coltonoscopy
  • 321
  • 4
  • 16
  • Can you share your code? – ScottMcC Dec 02 '18 at 04:55
  • Just added, sorry! – coltonoscopy Dec 02 '18 at 06:35
  • `creds doesn't work, as it seems to think that project doesn't exist` Explain more. Exact errors/ screenshots....etc – TheMaster Dec 02 '18 at 10:30
  • https://developers.google.com/apps-script/api/how-tos/execute#step_2_set_up_the_common_cloud_platform_project the 403 is solely due to missing a shared project – tehhowch Dec 02 '18 at 10:33
  • @tehhowch I looked into that section before and noticed that you have to set up new credentials for cloud projects. I tried running two separate flows (source code above updated) where the apps script is authenticated with those credentials and the drive stuff is authenticated with the console creds, but now I get a redirect error that isn't fixable because for some reason the account won't authorize edits to the credentials (even though we own it)? Do we have the right idea here or is there an additional step missing? – coltonoscopy Dec 02 '18 at 21:33
  • When you change credentials or scopes, make sure you don't try to load the old credentials from storage – tehhowch Dec 02 '18 at 22:34
  • @tehhowch we're definitely not loading the old credentials from storage (I delete the token and refresh it whenever I make changes). Does the new approach sound like it should work, or is there some way we're supposed to tie the OAuth2 creds we got for the console project into the Cloud Platform project? The cloud creds expect a redirect URI to be specified, but we don't have permissions to edit our own project for some reason; trying to specify a localhost:8080 URI for example tosses back a permission denied error in the browser? – coltonoscopy Dec 02 '18 at 23:54

0 Answers0