I am using the google-api-php-client client to connect to Google Drive using a Service Account. Most of the time it works, but every so often (say if I sit here and refresh the page over and over, it's every 5th to 10th time), I receive a Google_Service_Exception with the message unauthorized_client: Client is unauthorized to retrieve access tokens using this method. The error only occurs if the $this->drive_service->files->listFiles() code is present. It does not occur if I use the Service Account directly rather than using setSubject() to impersonate another user.
$this->client = new Google_Client();
$this->client->useApplicationDefaultCredentials();
$this->client->addScope("https://www.googleapis.com/auth/drive");
$this->client->setSubject('xxxx');
$this->drive_service = new Google_Service_Drive($this->client);
$files = $this->drive_service->files->listFiles();
Any thoughts?
Update Feb 21, 2017: The error is no longer intermittent, it happens every time, so I can no longer connect at all to a regular account through a service account.
Update March 10, 2017: It seems as though this is a user misunderstanding. The service account must be given "domain-wide authority" in order to impersonate users of that domain - something I have not done. I had simply authorized a client to access the user's account as described here.
"code": 403, "message": "The user does not have sufficient permissions for file {fileId}." To fix this error, instruct the user to contact the file's owner and request edit access. You can also check user access levels in the metadata retrieved by files.
If you get an “Auth check failure on device(s)” error when you try to add a shared Google Assistant-enabled device, you're not a member of the home that the device is linked to in the Google Home app.
They are useful for accessing public data anonymously, and are used to associate API requests with your project for quota and billing. To learn more about authenticating to Google Cloud APIs and to determine the best authentication strategy for common scenarios, see Authentication overview.
We recommend you use the Cloud Console to manage API keys. Navigate to the APIs & services → Credentials page in the Cloud Console.
API keys have important limitations, such as: A limited number of GCP services allow access using only an API key: Google Cloud Natural Language API, Google Cloud Speech API. API keys do not identify the user or the application making the API request, so you can't restrict access to specific users or service accounts.
Navigate to the APIs & Services→Credentials panel in Cloud Console. Select the name of an existing API key. Application restrictions specify which web sites, IP addresses, or apps can use an API key. Add application restrictions based on your application type. You can only set one restriction type per API key.
I don't know why your error happens periodically, but my understanding is that to impersonate a user, you must grant the service account access.
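The comparison described in the question and in this answer (service account alone versus setSubject()), as an added diagnostic example that is not part of the original posts. It assumes google/apiclient v2 installed via Composer and GOOGLE_APPLICATION_CREDENTIALS pointing at the service account key; probeToken() and user@example.com are hypothetical names.

```php
<?php
// Added diagnostic sketch, not code from the original post.
// Assumes google/apiclient v2 (Composer) and GOOGLE_APPLICATION_CREDENTIALS
// pointing at the service account JSON key.
require __DIR__ . '/vendor/autoload.php';

const DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive';

/**
 * Request a token for the service account itself ($subject === null) or for
 * an impersonated user. Returns [true, ''] or [false, error text].
 * Hypothetical helper written for this example.
 */
function probeToken(?string $subject): array
{
    $client = new Google_Client();
    $client->useApplicationDefaultCredentials();
    $client->addScope(DRIVE_SCOPE);
    if ($subject !== null) {
        $client->setSubject($subject); // token is requested on behalf of this user
    }
    try {
        // A failure may arrive as an exception or as a returned array
        // without an access token, so both cases are handled.
        $creds = $client->fetchAccessTokenWithAssertion();
    } catch (Exception $e) {
        return [false, $e->getMessage()];
    }
    return isset($creds['access_token']) ? [true, ''] : [false, json_encode($creds)];
}

// Hypothetical placeholder; replace with the user passed to setSubject().
$user = 'user@example.com';

[$saOk, $saErr] = probeToken(null);
[$userOk, $userErr] = probeToken($user);

if (!$saOk) {
    echo "Service account cannot get a token at all: $saErr\n";
} elseif ($userOk) {
    echo "Impersonation of $user works for scope " . DRIVE_SCOPE . "\n";
} elseif (strpos($userErr, 'unauthorized_client') !== false) {
    echo "Key is valid, but the service account has not been given\n"
       . "domain-wide authority to act as $user for this scope.\n";
} else {
    echo "Impersonation failed for another reason: $userErr\n";
}
```

Because the token is requested before any Drive call, the output separates a delegation problem from a Drive permission problem such as a 403 on a specific file.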