1

So I have set up my service account with domain-wide delegation as described in this post: Perform G Suite Domain-Wide Delegation of Authority. In the G Suite Admin Console I have authorized the service account to use the OAuth 2.0 scope:

https://www.googleapis.com/auth/calendar. 

Every time I try to create an event I end up with this error

    GoogleJsonResponseException: 403 Forbidden
    {
      "code" : 403,
      "errors" : [ {
        "domain" : "calendar",
        "message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.",
        "reason" : "forbiddenForServiceAccounts"
      } ],
      "message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
    }

    new GoogleCredential.Builder()
      .setTransport(HTTP_TRANSPORT)
      .setJsonFactory(JSON_FACTORY)
      .setServiceAccountId(json.get("client_id").getAsString)
      .setServiceAccountPrivateKeyId(json.get("private_key_id").getAsString)
      .setServiceAccountPrivateKey(getPrivateKeyFromPkcs8(jsonCreds.get("private_key").getAsString))
      .setServiceAccountScopes(SCOPES)
      .build()

This is building the Google credential. No impersonation is used, and the calendar is shared with the service account.

Linda Lawton - DaImTo
JDelgado
  • I think you need to go back and make sure that you have set up delegation properly; it seems to not have worked. Please edit your question and include your code; I would like to see how you have the process set up. Make sure you have added a user to impersonate. – Linda Lawton - DaImTo Apr 28 '20 at 06:11
  • @DalmTo So, the way the integration is set up is that it does not impersonate a user, but instead the calendar is shared with the service account, and the service account has the ability to create and delete events. I can confirm that impersonating a user does indeed create the event with no issues. I inherited this integration from a previous dev, so for the most part I am trying to recreate how we have the integration set up. – JDelgado Apr 28 '20 at 07:22
  • Here is my solution step by step: https://stackoverflow.com/a/63715242/5212039 – Anathorn Sep 03 '20 at 00:44

2 Answers

3

Service accounts are their own user. They have their own Google calendar account.

If you want to give a service account access to another calendar there are two ways of doing that.

  1. You could share the calendar with the service account; this will give it access to the calendar like any other user. When creating events, they will be created by the service account.

  2. If you have a G Suite account, as you do, then you can use domain-wide delegation, which will allow the service account to impersonate another user; then when the service account creates events, the event will be created by that user.

I hope this helps to clear things up for you a bit.

Linda Lawton - DaImTo
  • I am doing the step 1 approach. The issue comes when I am trying to invite attendees when this error pops up. – JDelgado Apr 28 '20 at 15:35
3

Contacted G Suite support and any service accounts made after March 2, 2020 will no longer be able to invite guests to events without using impersonation.

JDelgado
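
The impersonation route both answers point to, as an added example (not code from the question or either answer): the credential sets `setServiceAccountUser`, and an allowlist limits which users the integration may impersonate. The `SA_KEY_FILE` environment variable, the `example.com` addresses, the application name and the `ALLOWED_SUBJECTS` allowlist are assumptions made for this example.

```java
// Added example. Hypothetical values: SA_KEY_FILE, organizer@example.com, guest@example.com.
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.DateTime;
import com.google.api.services.calendar.Calendar;
import com.google.api.services.calendar.CalendarScopes;
import com.google.api.services.calendar.model.*;
import java.io.FileInputStream;
import java.util.Collections;
import java.util.Set;

public class DelegatedInvite {
    // Constructed allowlist: the only users this integration is allowed to act as.
    private static final Set<String> ALLOWED_SUBJECTS = Collections.singleton("organizer@example.com");

    static GoogleCredential delegated(String keyFile, String subject) throws Exception {
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            throw new IllegalArgumentException("impersonation not permitted for " + subject);
        }
        HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
        JsonFactory json = JacksonFactory.getDefaultInstance();
        GoogleCredential base;
        try (FileInputStream in = new FileInputStream(keyFile)) {
            base = GoogleCredential.fromStream(in, transport, json); // parses the JSON key file
        }
        return new GoogleCredential.Builder()
            .setTransport(transport).setJsonFactory(json)
            .setServiceAccountId(base.getServiceAccountId())
            .setServiceAccountPrivateKeyId(base.getServiceAccountPrivateKeyId())
            .setServiceAccountPrivateKey(base.getServiceAccountPrivateKey())
            .setServiceAccountScopes(Collections.singleton(CalendarScopes.CALENDAR))
            .setServiceAccountUser(subject) // the delegated (impersonated) user
            .build();
    }

    public static void main(String[] args) throws Exception {
        GoogleCredential cred = delegated(System.getenv("SA_KEY_FILE"), "organizer@example.com");
        Calendar service = new Calendar.Builder(cred.getTransport(), cred.getJsonFactory(), cred)
            .setApplicationName("delegated-invite-example").build();
        long now = System.currentTimeMillis();
        Event event = new Event().setSummary("Delegation test")
            .setStart(new EventDateTime().setDateTime(new DateTime(now + 3_600_000L)))
            .setEnd(new EventDateTime().setDateTime(new DateTime(now + 7_200_000L)))
            .setAttendees(Collections.singletonList(new EventAttendee().setEmail("guest@example.com")));
        // "primary" here is the impersonated user's calendar, so the event is created by that user.
        System.out.println(service.events().insert("primary", event).execute().getHtmlLink());
    }
}
```

The scope granted to the service account's client ID in the Admin Console has to match the scope requested here, and keeping both to the narrowest scope the integration needs limits what a leaked key can do across the domain.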