GAM-team / got-your-back

Got Your Back (GYB) is a command line tool for backing up your Gmail messages to your computer using Gmail's API over HTTPS.
https://github.com/GAM-team/got-your-back/wiki
Apache License 2.0

Service account not auth'ing as expected #472

Open aefruswg opened 1 month ago

aefruswg commented 1 month ago

The issue tracker is for reporting product deficiencies. "How do I" questions should be posted to the discussion forum at https://groups.google.com/group/got-your-back. When in doubt, start at the discussion forum and return here only when instructed to do so.

Please confirm the following:

Full steps to reproduce the issue:

  1. Added the necessary scopes and waited. It's still an issue after about 30 minutes.
  2. Hit 'y' during setup for admin use and entered a user's email address.
  3. Received the error below. The same occurs when running check-service-account outside of setup.

Expected outcome (what are you trying to do?): Use a service account

Actual outcome (what errors or bad behavior do you see instead?):

Checking service account DwD for user@domain.com...
Please run

gyb --action create-project
gyb --action check-service-account

to create and configure a service account.
ERROR: None

gyb --action create-project --email user@domain.com     
File C:\GYB\oauth2service.json already exists. Please delete or rename it before attempting to create another project.

jay0lee commented 1 month ago

If check-service-account is passing then you should be all set. create-project is failing because you already have a project and GYB doesn't want to overwrite it.

What happens when you actually try to use the service account to backup/restore?

Please show the FULL output of your GYB commands.

aefruswg commented 1 month ago

But that output doesn't confirm or deny that the service account is working. The wording is confusing because I'm telling it to check a service account and the output is telling me to create one rather than confirming one is already configured. There's no affirmation; it's basically saying "task failed successfully". I understand that create-project is throwing an error because there's already an existing one, hence my confusion as to why check-service-account is seemingly going in circles.

I initially didn't try using a service account given this ambiguity and was able to do a backup/restore by logging into both the account being backed up and the one receiving the restore. I just tried and here's the output.

gyb --email user@domain.com --action backup --local-folder C:\EmailBackups\Test\ --service-account
Traceback (most recent call last):
  File "gyb.py", line 2817, in <module>
  File "gyb.py", line 2045, in main
  File "gyb.py", line 697, in buildGAPIServiceObject
  File "gyb.py", line 1360, in getSvcAcctCredentials
  File "google\oauth2\service_account.py", line 445, in refresh
  File "google\oauth2\_client.py", line 308, in jwt_grant
  File "google\oauth2\_client.py", line 279, in _token_endpoint_request
  File "google\oauth2\_client.py", line 72, in _handle_error_response
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})
[10008] Failed to execute script 'gyb' due to unhandled exception!

The scopes were added and approved 2 days ago when I first opened this issue.

Screenshot 2024-08-09 115302

The client ID and secret in the automatically generated client_secrets.json match the information from Google Admin.
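
Added example, not part of the thread or of GYB's code: Google's domain-wide delegation list is keyed on the service account's numeric `client_id` from the service account key file, which is a different value from the OAuth client ID in `client_secrets.json`, and a delegation entry under the wrong ID or without the requested scopes produces the `unauthorized_client` error in the traceback above. The sketch below compares the two files against what was entered in the Admin console; it assumes `oauth2service.json` is a standard Google service account key file, and all file contents, IDs and the single scope shown are constructed samples rather than GYB's actual scope list.

```python
import json

# Constructed sample files (not from the thread); private key material omitted.
SERVICE_KEY = json.loads("""{
  "type": "service_account",
  "client_email": "gyb-sa@example-project.iam.gserviceaccount.com",
  "client_id": "100000000000000000001"
}""")
CLIENT_SECRETS = json.loads("""{
  "installed": {
    "client_id": "1234567890-example.apps.googleusercontent.com",
    "client_secret": "constructed-placeholder"
  }
}""")


def delegation_client_id(service_key):
    """ID that the Admin console delegation entry must be registered under."""
    if service_key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return str(service_key["client_id"])


def oauth_client_id(client_secrets):
    """Client ID of the interactive OAuth client (installed or web)."""
    section = client_secrets.get("installed") or client_secrets.get("web")
    if not section:
        raise ValueError("not an OAuth client secrets file")
    return section["client_id"]


def check_delegation(service_key, client_secrets, admin_id, admin_scopes, needed):
    """Return findings that can each cause unauthorized_client at token time."""
    findings = []
    if admin_id == oauth_client_id(client_secrets):
        findings.append("admin entry uses OAuth client ID, not service account client_id")
    elif admin_id != delegation_client_id(service_key):
        findings.append("admin entry client ID matches neither file")
    missing = sorted(set(needed) - set(admin_scopes))
    if missing:
        findings.append("scopes not authorized: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    # Constructed Admin console entry: the ID and scopes typed into the delegation page.
    scopes = ["https://mail.google.com/"]
    for finding in check_delegation(SERVICE_KEY, CLIENT_SECRETS,
                                    oauth_client_id(CLIENT_SECRETS), scopes, scopes):
        print("FINDING:", finding)
```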