Google Calendar API Service Account Error

Question

Im getting this error

{ "error": 
     { "errors": 
         [
            { "domain": "calendar", "reason": "forbiddenForServiceAccounts", "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority." } 
         ], 
         "code": 403,
         "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
      } 
}

Already followed this https://developers.google.com/admin-sdk/directory/v1/guides/delegation

im using this library and im running it on laravel 5.7: https://github.com/spatie/laravel-google-calendar

What could be the fix for this. Please help.

Answer 1

Here are the steps to follow to make this work:

Enable Domain-Wide Delegation in your service account

1 - Provide calendar scopes to your service account

• Go to https://admin.google.com/ and login with G Suite account.
• Go to Security -> API Controls -> Domain-wide Delegation
• Add new => Set the client ID of your service account (The one that's only numbers)
• Set the following scopes: https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/calendar.events,https://www.googleapis.com/auth/admin.directory.resource.calendar

2 - Your user needs to have the role Service Account Token Creator

• Go to https://console.cloud.google.com/iam-admin then
• Select your project and go to IAM in the left menu.
• Select the account that you will use to impersonate
• Click on edit
• Add role Service Account Token Creator
• Enable domain delegation for the account according to https://developers.google.com/admin-sdk/directory/v1/guides/delegation, section To enable G Suite domain-wide delegation, follow these steps.

3 - Create a Calendar in the account that you will impersonate

Service accounts don't have calendars so you have to create your own calendar

• Login in https://calendar.google.com/ with the email that you want to own the calendar (I used a different account, not the same that I was going to impersonate, maybe it works using a calendar in the impersonated account)
• Create a calendar
• Share the calendar with the service account with permissions to modify and manage the calendar
• Share the calendar with the account you will impersonate with permissions to modify and manage the calendar

Create google client

• Authenticate your service account. (I used the JSON Key, I am not sure if other authentication works for this purpose)

Code sample: (I used PHP but I assume that other languages are very similar so you can use this as guideline)

Note that using some email for IMPERSONALIZATION is crucial. Otherwise, the 403 error will remain, use it for authentication, see the Maksym Kalin response for details.

$google_client = new Google_Client();
$google_client->setAuthConfig($LOCATION_OF_JSON_KEY);
$google_client->setAccessType( 'offline' );
$google_client->setSubject('[email protected]');
$google_client->setApplicationName("YourApplicationName");
$google_client->setScopes([\Google_Service_Calendar::CALENDAR, \Google_Service_Calendar::CALENDAR_EVENTS]);

Create Event with people invited :) and Enjoy!

Note: With this approach you can create events and invite people to it. Keep in mind the limits of the G Suite https://support.google.com/a/answer/2905486 so if you want to create many events you will need to have a pool of service accounts with a pool of calendars.

Answer 2

Just for information

In my case, on Node.js, i followed intructions from @Anathorn, but i kept getting

Service accounts cannot invite attendees without Domain-Wide Delegation of Authority

then i add on my auth line the email what should i supplant, and it worked.

const auth = new google.auth.JWT(
    CREDENTIALS.client_email,`
    null,
    CREDENTIALS.private_key,
    SCOPES,
    "[email protected]",
    "12345678987654321"
);

Answer 3

The purpose of granting domain-wide authority to a Service Account is for these accounts to be able to access data on behalf of users in the domain.

If you grant it domain-wide authority but are not "impersonating" any account, the Service Account is acting as if you hadn't granted this authority: it is trying to access its own Calendars.

When the Service Account impersonates another user in the domain (that is, when it acts on behalf of the user), the Service Account can access the resources this user can access.

To impersonate another user, you have to specify the user's email address. In my case, I use Node.JS library and my impersonation code looks like this:

const auth = new google.auth.JWT(
  config.client_email,
  null,
  config.private_key,
  ["https://www.googleapis.com/auth/calendar.events"],
  "!!! user email to impersonate !!!!",
);

What is more, in case you need to fill attendees[] array, you have to authorize the service account to send emails. Because you get unauthorized error.

To do it you need to add https://www.googleapis.com/auth/gmail.send scope on your G Suite domain’s Admin console.

You can find more here: https://issuetracker.google.com/issues/14170493