I'm getting this error:
{
  "error": {
    "errors": [
      {
        "domain": "calendar",
        "reason": "forbiddenForServiceAccounts",
        "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
      }
    ],
    "code": 403,
    "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
  }
}
I already followed this: https://developers.google.com/admin-sdk/directory/v1/guides/delegation
I'm using this library and I'm running it on Laravel 5.7: https://github.com/spatie/laravel-google-calendar
What could be the fix for this? Please help.
Here are the steps to follow to make this work:
Enable Domain-Wide Delegation in your service account
1 - Provide calendar scopes to your service account
2 - Your user needs to have the role Service Account Token Creator
3 - Create a Calendar in the account that you will impersonate
Service accounts don't have calendars so you have to create your own calendar
Create google client
Code sample: (I used PHP but I assume that other languages are very similar so you can use this as guideline)
Note that using some email for IMPERSONATION is crucial. Otherwise, the 403 error will remain. Use it for authentication; see Maksym Kalin's response for details.
$google_client = new Google_Client();
// Path to the service account's JSON key file
$google_client->setAuthConfig($LOCATION_OF_JSON_KEY);
$google_client->setAccessType('offline');
// Email of the domain user to impersonate; without it the 403 error remains
$google_client->setSubject('[email protected]');
$google_client->setApplicationName("YourApplicationName");
$google_client->setScopes([\Google_Service_Calendar::CALENDAR, \Google_Service_Calendar::CALENDAR_EVENTS]);
Create Event with people invited :) and Enjoy!
Note: With this approach you can create events and invite people to it. Keep in mind the limits of the G Suite https://support.google.com/a/answer/2905486 so if you want to create many events you will need to have a pool of service accounts with a pool of calendars.
Just for information
In my case, on Node.js, I followed the instructions from @Anathorn, but I kept getting
Service accounts cannot invite attendees without Domain-Wide Delegation of Authority
Then I added to my auth line the email that I should supplant, and it worked.
const auth = new google.auth.JWT(
  CREDENTIALS.client_email,
  null,
  CREDENTIALS.private_key,
  SCOPES,
  "[email protected]", // subject: the user to impersonate
  "12345678987654321" // key ID
);
The purpose of granting domain-wide authority to a Service Account is for these accounts to be able to access data on behalf of users in the domain.
If you grant it domain-wide authority but are not "impersonating" any account, the Service Account is acting as if you hadn't granted this authority: it is trying to access its own Calendars.
When the Service Account impersonates another user in the domain (that is, when it acts on behalf of the user), the Service Account can access the resources this user can access.
To impersonate another user, you have to specify the user's email address. In my case, I use Node.JS library and my impersonation code looks like this:
const auth = new google.auth.JWT(
  config.client_email,
  null,
  config.private_key,
  ["https://www.googleapis.com/auth/calendar.events"],
  "!!! user email to impersonate !!!!",
);
What is more, in case you need to fill the attendees[] array, you have to authorize the service account to send emails, because you get an unauthorized error.
To do it you need to add https://www.googleapis.com/auth/gmail.send scope on your G Suite domain’s Admin console.
You can find more here: https://issuetracker.google.com/issues/14170493
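What the subject argument (`setSubject` in PHP, the fifth `google.auth.JWT` argument in Node.js) changes on the wire, as an added example that is not code from any of the posts above or from Google's client libraries: the service account signs a JWT assertion for the token endpoint, and impersonation is the `sub` claim in it. The key pair, the service account email and `organizer@example.com` are constructed sample values, and the helper names are hypothetical.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Constructed stand-in for the downloaded JSON key (throwaway RSA key pair).
function makeSampleCredentials() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return {
    client_email: "svc@example-project.iam.gserviceaccount.com", // constructed
    private_key: privateKey.export({ type: "pkcs8", format: "pem" }),
    public_key: publicKey.export({ type: "spki", format: "pem" }), // local verification only
  };
}

// Build the RS256 assertion. `subject` is the user to impersonate; when it is
// omitted the resulting token belongs to the service account itself.
function buildAssertion(creds, scopes, subject, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: "RS256", typ: "JWT" };
  const claims = {
    iss: creds.client_email,
    scope: scopes.join(" "), // request only the scopes the job needs
    aud: "https://oauth2.googleapis.com/token",
    iat: now,
    exp: now + 3600,
  };
  if (subject) claims.sub = subject; // the impersonation claim
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("RSA-SHA256", Buffer.from(signingInput), creds.private_key);
  return `${signingInput}.${b64url(signature)}`;
}

// Verify the signature, then return the decoded claim set.
function readAssertion(jwt, publicKeyPem) {
  const [h, p, s] = jwt.split(".");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("signature check failed");
  return JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
}

// Which identity a token minted from these claims would act as.
function actingIdentity(claims) {
  return claims.sub
    ? { identity: claims.sub, delegated: true }
    : { identity: claims.iss, delegated: false };
}
```

Without `sub`, the token acts as the service account even when domain-wide delegation has been granted, which is the case that returns `forbiddenForServiceAccounts` when attendees are added.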