AuthenticationError.NOT_ADS_USER

[9mm]

I've followed the directions best I could and when I run the following test command I get this error:

Fault message: [AuthenticationError.NOT_ADS_USER @ ; trigger:'<null>']

Here is how I'm authenticating (JSON key parsed via OpenSSL::PKey::RSA):

json = JSON.parse(Rails.application.secrets.adwords[:oauth2_key])
key = OpenSSL::PKey::RSA.new(json['private_key'])

@client = AdwordsApi::Api.new({
  authentication: {
    method:             'OAUTH2_SERVICE_ACCOUNT',
    user_agent:         'AdManager/1.0.0',
    oauth2_key:         key,
    oauth2_issuer:      Rails.application.secrets.adwords[:oauth2_issuer],
    developer_token:    Rails.application.secrets.adwords[:developer_token],
    client_customer_id: customer_id
  },
  service: {
    environment: 'PRODUCTION'
  },
  connection: {
    enable_gzip: false
  },
  library: {
    log_level: 'INFO'
  }
})

@client.service(:CampaignService, :v201708).get({:fields => ['Id', 'Name', 'Status']}

Here are the steps I did in order:

1. Log into my MCC AdWords account
2. Visit Google Developer Console
3. Create a new Project
4. Create a Service Account key. Make sure the domain checkbox is checked. I use the email address it generates above in oauth2_issuer
5. Download the JSON key
6. Get an MCC account (I actually had one I use for live campaigns, so I skipped this step)
7. Generate an AdWords API key from within MCC (i used it above in developer_token).
8. Create a new test manager account.
9. Inside the new test manager account, create a new test client account, and take that customer ID and place it above in `client_customer_id.

I'm not sure where I went wrong, from what I can tell I followed the steps exactly.

Thanks

[9mm]

Damn I've seriously looked through 100 threads related to this and finally found one that was helpful. The step I was missing was adding the client_id from the JSON key to the 'authorized client' list in admin.google.com, and also the oauth2_prn user to impersonate.

Now I have a new error though... AuthorizationError.USER_PERMISSION_DENIED. Am I supposed to use the global MCC account rather than my test MCC? (My dev token isnt approved yet). If I use my master MCC email for oauth2_prn I get the above error, but if I use my test MCC I made I get this error: Client is unauthorized to retrieve access tokens using this method.

Here is how I have it set up again:

• Production Google developer console (domain-enabled service account used for oauth2_key, oauth2_issuer)
• Production GSuite account (enable production service account access to https://www.googleapis.com/auth/adwords)
• Production MCC account (API key used for developer_token)
• Test MCC account (email for oauth2_prn)
• Test client account (customer id for client_customer_id)

They key takeaway is all this was under the production account. The only test stuff I created was MCC/client account (I didnt create a test google developer console service or API access or anything like that)

[mcloonan]

It's very strongly recommended that you use the installed app flow rather than service accounts to access the AdWords API. Please take a look at our Authentication docs which include instructions for both. Especially check out the section explaining why to prefer installed flow over service accounts.

That said, this issue doesn't look specific to the ruby library, which is what issues here are for. You'll get better support for these authentication issues on our official forum.

[9mm]

Ok thanks