Can the Google Apps Script Execution API be called by a service account?

Question

I'd like to use a service account to access a Google Sheet via the Apps Script Execution API, but it's not clear from the documentation whether this is supported.

The steps I've tried (which result in a 403 status from the Execution API) are:

1. Create a new (unbound) Apps Script
2. Visit the linked Developer Console project
3. Enable the Execution API
4. Create a new service account within the same project (downloading the generated JSON file)
5. Create a new Google Sheet and share it with the service account's email address (this is the step I'm least sure about)
6. Write an apps script function that reads from the spreadsheet
7. Run the script manually from the Script Editor (to set the scopes on the script correctly)
8. Publish the script ("Deploy as API executable"), making it accessible to 'anyone'
9. Mint a new OAuth2 token using the service account and the scopes linked to the script (in our case just 'https://www.googleapis.com/auth/spreadsheets')
10. Attempt to make a call to the Execution API using the token

This is the response I got:

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Does this not work because Service Accounts are never able to access the Execution API? Or is there something wrong with the steps above?

Answer 1

Your original 403 error indicates that you have incorrectly set up authentication for your service account. However, even if you get that working, as of now (10 Nov 2015) you cannot execute Apps Scripts via the Service Account.

It's a known bug, and is being tracked in the Apps Scripts Issue Tracker.