
Client is unauthorized to retrieve access tokens using this method Gmail API

Tags:

gmail-api

As many other people wrote, I encounter this issue as well. I got it while trying to set a new email signature via the API.

The exact API call is:

# gmailService is the Gmail API client object; its construction is not shown in the question.
sendAsConfiguration = {
    'signature': 'Test email signature'
}
result = gmailService.users().settings().sendAs().patch(
    userId='[email protected]',
    sendAsEmail="[email protected]",
    body=sendAsConfiguration).execute()

The exact response is:

google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', '{\n  "error": "unauthorized_client",\n  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."\n}')

My scenario is as follows:

  1. I'm working with Python from GCP Cloud Functions
  2. I manage to make requests to the G Suite directory admin, from the same code base and settings
  3. I made a service account with wild delegation. And I added the right scope both in code and in the G Suite account.
  4. When trying to work with the gmail API it doesn't work.
  5. I have created a new project, and deployed the exact same code (with settings of a new service account of course) and all worked well.
  6. I repeated all the steps for creating the service account on the original project, it still didn't work.

I need it to work from the production project, and not the test one.

I have read the following questions and answers (and many other variants of them) and nothing worked: answer 1, answer 2.

Regarding answer 2, I'm not sure I understood this one, so if this is the real solution, it would be great to get specific steps.

I'm not adding the code itself, since it is working for sure (it was tested on a different project, and worked). Please see below the settings of the service account.

G Suite settings

At the beginning I had both scopes under the same service account, I got the same result. In the last test I tried each service account having only one scope. Same result.

Service account settings

Would be great getting help with that,

UPDATE 1

I have no OAuth credentials, please see the image below.

UPDATE 2

I have compared the project that worked and the one that didn't. The only difference I noticed is that in the working project there were no API keys. Since people wrote regarding the OAuth, I thought I might give it a chance. But since this is a production environment I don't want to remove them, especially since they were auto generated by Google, and I have no idea where they are being used. I think they aren't used anywhere, but I'm not sure.

I tried adding an API key to the working account, and it still worked, which gave me more motivation to leave the production settings untouched.

UPDATE 3

I have removed the API keys, it didn't help.

Thanks

nheimann1 asked Mar 24 '19 16:03



2 Answers

I made a service account with wild delegation. And I added the right scope both in code and in the G Suite account.

"Delegating domain-wide authority to the service account" MUST be enabled before you add the service account and its scopes on the "Manage API client access" page in G Suite Admin. Otherwise it will fail with the "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." error and require removing the API client and adding it again.

Aldekein answered Sep 30 '22 08:09

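An offline preflight check for the API client entry discussed in the answer above, as an added example that is not code from the question or from either answerer. It compares the client ID in the service-account key file and the scopes the code requests against what was typed into the Admin console. It assumes every requested scope must appear exactly in that entry; `check_delegation`, the `admin_entries` structure and all sample values are constructed for illustration.

```python
# Added example: offline preflight check for a domain-wide delegation setup.
# All sample values are constructed; nothing here contacts Google.

def parse_admin_scopes(field):
    """Split the comma-delimited scope list typed into the Admin console."""
    return {s.strip() for s in field.split(",") if s.strip()}

def _loose(scope):
    # Loose form, used only to spot near-misses (case, trailing slash).
    return scope.strip().rstrip("/").lower()

def check_delegation(key_info, requested_scopes, admin_entries):
    """Return a list of findings; an empty list means the three sides agree.

    key_info         -- parsed service-account key JSON
    requested_scopes -- scopes the code asks for
    admin_entries    -- {client ID: scope field}, copied by hand from the
                        Admin console (hypothetical structure)
    """
    findings = []
    if key_info.get("type") != "service_account":
        findings.append("key file is not a service-account key")
    client_id = str(key_info.get("client_id", ""))
    if client_id not in admin_entries:
        findings.append(f"client ID {client_id or '<missing>'} has no Admin console entry")
        return findings
    authorized = parse_admin_scopes(admin_entries[client_id])
    loose = {_loose(s): s for s in authorized}
    for scope in requested_scopes:
        if scope in authorized:
            continue
        near = loose.get(_loose(scope))
        if near:
            findings.append(f"scope {scope!r} differs from authorized {near!r}")
        else:
            findings.append(f"scope {scope!r} is not authorized for this client")
    return findings

# Constructed sample: directory scope entered correctly, Gmail scope with a stray slash.
SAMPLE_KEY = {"type": "service_account", "client_id": "100000000000000000001",
              "client_email": "sa@example-project.iam.gserviceaccount.com"}
DIRECTORY = "https://www.googleapis.com/auth/admin.directory.user"
GMAIL = "https://www.googleapis.com/auth/gmail.settings.basic"
SAMPLE_ADMIN = {"100000000000000000001": DIRECTORY + ", " + GMAIL + "/"}

if __name__ == "__main__":
    for line in check_delegation(SAMPLE_KEY, [DIRECTORY, GMAIL], SAMPLE_ADMIN):
        print(line)
```

With the sample data the directory scope passes and the Gmail scope is reported as a near-miss, the same split the question describes between the working directory calls and the failing Gmail call.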


I found this to be a Roles issue for the service account.

  1. In your Developers Console -> Project -> IAM ensure that your service account is listed there.
    • if it isn't, click Add and start typing the name to add it
  2. For Role, select Access Approval -> Access Approval Approver

This allowed me to query any domain user's calendar event list.

sean.hudson answered Sep 30 '22 06:09
