0

I have two Google Workspace accounts for testing. Account A has a service account, and in account B I have added the service account for domain-wide delegation with the permissions needed for reading/writing to calendar in account B.

Reading events and calendars works. But when trying to create an event using the service account in the resource calendar in account B I get the following error:

{"error":{"errors":[{"domain":"calendar","reason":"requiredAccessLevel","message":"You need to have writer access to this calendar."}],"code":403,"message":"You need to have writer access to this calendar."}}

Permissions added:

It works if we test within one Google Workspace Account.

This is the code

// clientMail is the service account id
// privateKey is the service account key
// subject is also the service account id

const jwtClient = new google.auth.JWT(
  clientMail,
  undefined,
  privateKey,
  [
    'https://www.googleapis.com/auth/calendar',
  ],
  subject,
);

let calendar = google.calendar({
  version: 'v3',
  auth: jwtClient,
});
...

savedEvent = (await calendar.events.insert({ calendarId, requestBody: event })).data;
...
Robert

1 Answer

2

You appear to have forgotten to specify which user you want the service account to delegate to.

from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = '/path/to/service.json'

credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)

delegated_credentials = credentials.with_subject('user@example.org')
Linda Lawton - DaImTo
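To make the difference between the question's setup and the answer's visible, here is an added example (not code from either post) that builds the claim set a service-account JWT client signs and checks the `sub` claim before any request is made. The function names, the service account address and the `example.org` domain are constructed for illustration; the claim names and audience URL are those of Google's OAuth 2.0 service-account flow.

```javascript
// Added illustration, not code from the question or the answer.
// Claim names (iss, sub, scope, aud, iat, exp) and the audience URL follow
// Google's OAuth 2.0 service-account JWT flow; every e-mail address and the
// domain below are constructed sample values.
const TOKEN_AUDIENCE = 'https://oauth2.googleapis.com/token';

// Claim set of the assertion a JWT client signs with the service account key.
function buildClaims({ clientMail, subject, scopes, now = Math.floor(Date.now() / 1000) }) {
  const claims = {
    iss: clientMail,
    scope: scopes.join(' '),
    aud: TOKEN_AUDIENCE,
    iat: now,
    exp: now + 3600,
  };
  if (subject) claims.sub = subject; // the identity the token will act as
  return claims;
}

// Pre-flight check: returns a list of problems with the delegation subject.
function checkDelegation(claims, targetDomain) {
  const sub = (claims.sub || '').toLowerCase();
  if (!sub) return ['no sub claim: no user is being impersonated'];
  if (sub === claims.iss.toLowerCase() || sub.endsWith('.gserviceaccount.com')) {
    return ['sub is a service account, not a user of the delegating domain'];
  }
  if (!sub.endsWith('@' + targetDomain.toLowerCase())) {
    return [`sub is not in ${targetDomain}`];
  }
  return [];
}

const scopes = ['https://www.googleapis.com/auth/calendar'];
const clientMail = 'calendar-bot@project-a.iam.gserviceaccount.com'; // constructed

// Question's setup: subject is also the service account id.
const asQuestion = buildClaims({ clientMail, subject: clientMail, scopes });
// Answer's setup: subject is a user in the domain that granted delegation.
const asAnswer = buildClaims({ clientMail, subject: 'user@example.org', scopes });

console.log(checkDelegation(asQuestion, 'example.org')); // one problem reported
console.log(checkDelegation(asAnswer, 'example.org'));   // empty list
```
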