5

As many other people wrote, I encounter the issue as well, I got it while trying to set new email signature via the API

The exact API call is:

sendAsConfiguration = {
        'signature': 'Test email signature'
    }
result = gmailService.users().settings().sendAs().patch(userId='xxx@domain.com',
            sendAsEmail="xxx@domain.com",
            body=sendAsConfiguration).execute()

The exact response is:

google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', '{\n  "error": "unauthorized_client",\n  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."\n}')

My scenario is as follow:

  1. I'm working with Python from GCP Cloud Functions
  2. I manage doing requests to the G Suite directory admin, from the same code base and settings
  3. I made a service account with wild delegation. And I added the right scope both in code and in the G Suite account.
  4. When trying to work with the gmail API it doesn't work.
  5. I have created a new project, and deployed the exact same code (with settings of a new service account of course) and all worked well.
  6. I repeated all the steps for creating the service account on the original project, it still didn't work.

I need it to work from the production project, and not the test one.

I have read the following questions and answers (and many other variants of them) and nothing worked answer 1, answer 2

Regarding answer 2, I'm not sure I understood this one, so if this the real solution, it would be great getting specific steps.

I'm not adding the code itself, since it is working for sure (was tested on an different project, and worked). Please see below the settings of the service account

G Suite settings G Suite settings At the beginning I had both scopes under the same service account, I got the same result. In the last test I tried each service account having only one scope. Same result

Service account settings enter image description here

Would be great getting help with that,

UPDATE 1

I have no OAuth credentials, please see the image below Credentials

UPDATE 2

I have compared between the project who worked and the one that didn't. The only difference I noticed is, that in the working project there were no API keys. Since people wrote regarding the OAuth, I thought I might give it a chance. But since this is a production environment I don't want to remove them, especially since it was auto generated by Google, and I have no idea where they are being used. I think they aren't used anywhere, but I'm not sure.

I tried adding to the working account an API key, and it still worked, which gave me more motivation leaving the production settings untouched.

UPDATE 3

I have removed the API keys, it didn't help.

Thanks

nheimann1
  • 2,348
  • 2
  • 21
  • 33
  • From the [answer 2](https://github.com/googleapis/google-api-python-client/issues/611#issuecomment-454683701), it was stated that the resolution would be likely to remove credentials not belonging to any service account, which leads to [this github post](https://github.com/googleapis/google-auth-library-ruby/issues/123), "I resolved my issue by removing all others types of credentials for the app in question (**no oauth, just service account**)". – MαπμQμαπkγVπ.0 Mar 25 '19 at 07:00
  • Thanks @MαπμQμαπkγVπ.0. I'm still puzzled, as far as I know I have no OAuth keys. Please see my attached screenshot. Did I miss anything? – nheimann1 Mar 25 '19 at 12:20
  • This worked for me: https://stackoverflow.com/questions/56636523/instantiate-an-admin-sdk-directory-service-object-with-nodejs/71675636#71675636 – olawalejuwonm Apr 02 '22 at 16:23

2 Answers2

5

I made a service account with wild delegation. And I added the right scope both in code and in the G Suite account.

"Delegating domain-wide authority to the service account" MUST be enabled before you add service account and its scopes on "Manage API client access" page in G Suite Admin. Otherwise it will fail with "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." error and require removing the API client and adding it again.

Aldekein
  • 3,538
  • 2
  • 29
  • 33
  • 1
    that helped me. it looks like the service account was created before delegation was enabled. So what I did was delete the service account and create a new one. Also make sure scopes in the request are authroized in domain-wide delegation for this service account. – Rofls May 26 '21 at 00:45
1

I found this to be a Roles issue for the service account.

  1. In your Developers Console -> Project -> IAM ensure that your service account is listed there.
    • if it isn't, click Add and start typing the name to add it
  2. For Role, select Access Approval -> Access Approval Approver

This allowed me to query any domain user's calendar event list.

sean.hudson
  • 515
  • 1
  • 5
  • 20
  • Thank you, but it doesn't solve my issue. As the question says. It does work for me with the same project for some of the API but not for all. I still didn't solve this issue – nheimann1 Apr 23 '19 at 14:02