googleapis / google-api-nodejs-client

Google's officially supported Node.js client library for accessing Google APIs. Support for authorization and authentication with OAuth 2.0, API Keys and JWT (Service Tokens) is included.
https://googleapis.dev/nodejs/googleapis/latest/
Apache License 2.0
11.42k stars 1.92k forks

service account with owner rights has insufficient permissions #1382

Closed ghost closed 3 years ago

ghost commented 6 years ago

Hello,

I finally managed to make a successful API call with this npm package; `publisher.inappproducts.list({ ...` returns the expected result and everything is great. But when I go for:

```js
publisher.purchases.subscriptions.get({
  packageName: packageName,
  subscriptionId: subscriptionId,
  token: token
}) ...
```

It always returns the same error: The current user has insufficient permissions to perform the requested operation. Assuming that:

What could possibly be missing? Is a refresh_token needed with service accounts? Could there be a discrepancy between the permissions shown in the UI and the actual permissions granted to the service account? Does the service account need to "accept" the invitation to be an "owner"? Is there a way to list the service account's permissions through the API?

Here is the code I use for authentication:

```js
const {google} = require('googleapis');

async function main () {
    // This method looks for the GCLOUD_PROJECT and GOOGLE_APPLICATION_CREDENTIALS
    // environment variables.
    const auth = await google.auth.getClient({
        // Scopes can be specified either as an array or as a single, space-delimited string.
        scopes: ['https://www.googleapis.com/auth/androidpublisher']
    });

    // obtain the current project Id
    const project = await google.auth.getProjectId();

    const publisher = google.androidpublisher({
        auth: auth,
        version: 'v3',
        project: project
    });
...
```

Environment details

Thanks for making it down here.

lfreneda commented 5 years ago

@fel-dev any updates?

ghost commented 5 years ago

Hey @lfreneda ,

It finally worked, I don't remember what I changed exactly but saw this comment in my code:

```js
// Didn't work, waited a few days, worked. Permissions probably need time to propagate.
publisher.purchases.subscriptions.get({
                packageName: packageName,
                ...
```

So maybe try waving a dead chicken over your code and come back a few days later, it worked for me!

luboganchev commented 5 years ago

@fel-dev I couldn't find any documentation that says "few days are required in order to propagate correctly the permissions". I also wrote an email to Google support asking a bunch of questions including this one but still no response from them. I did the same as you described in the issue - giving administrator permissions to my service account from both Developer console and the Google play console. Seems to be blocking issue with high priority since we are not able to validate in-app purchase within server side. Any updates what actually happens here?

ghost commented 5 years ago

@luboganchev Yeah, I also couldn't find any documentation about permissions needing time to propagate, maybe that's not the issue at all. But I remember quite clearly leaving the code aside for some more urgent task, then coming back to it a few days later and it all worked on first try before I changed anything. As unhelpful as that might be, it's really all I've got for you.

Again, I reserve myself the right to be wrong...

luboganchev commented 5 years ago

Thanks for your help of course but how we can escalate this problem and some tech guy from Google to take a look at this blocking issue?

luboganchev commented 5 years ago

Just to inform what's happening with my case. From the time when I setup full privileges to my service account to actual propagating the permissions from Google, it takes 24 hours. So if someone gives admin access to his/her own service account it should wait at least one day in order to verify In-App purchase from the server side. It will be great if Google representative document this behavior in order to be more transparent for further users.

victorbadila commented 5 years ago

any delay if this lagging happens for permission upgrades to other services as well? I am trying to set up domain wide delegation for connecting a service account with gsuite and even though I followed every step on every guide out there - Google wasn't very helpful in this regard - I still get unauthorized calls citing lack of permissions.

luboganchev commented 5 years ago

> any delay if this lagging happens for permission upgrades to other services as well? I am trying to set up domain wide delegation for connecting a service account with gsuite and even though I followed every step on every guide out there - Google wasn't very helpful in this regard - I still get unauthorized calls citing lack of permissions.

Probably for each Google service is implemented the same permissions propagating functionality with some Message Queue or Background Job running on some interval of time.

purificant commented 5 years ago

I had the same problem: The current user has insufficient permissions to perform the requested operation.

It was resolved after waiting for 24-48 hours without touching the code. The same code / access key that was denied access previously suddenly started working. I am not exactly sure how long the wait has to be, in my experience it is closer to the 48h mark.

P.S. My sample code in Python:

```python
import httplib2

from googleapiclient.discovery import build
from oauth2client.service_account import ServiceAccountCredentials

credentials = ServiceAccountCredentials.from_json_keyfile_name('api.json', scopes='https://www.googleapis.com/auth/androidpublisher')

http = httplib2.Http()
http = credentials.authorize(http)

service = build("androidpublisher", "v3", http=http)
purchases = service.purchases()
subscriptions = purchases.subscriptions()
get = subscriptions.get(
    packageName='foo',
    subscriptionId='bar',
    token='baz'
)
result = get.execute()
print(result)
```

rogiervandenberg commented 5 years ago

I have found out that the issue is indeed not on the client side. I have a piece of code that works, but only once out of 4 times. Yesterday not at all. Perhaps tomorrow every time?

Right now, frequently I get the The current user has insufficient permissions to perform the requested operation. message, and every once in a while I get the proper receipt validation. It seems that my service account is not fully propagated yet over all API handling servers somehow..

Update one day later: I can verify, it now totally works as it should. So first, it did not work, then after a day or so every once in a while and now fully. So you need indeed 48h before your service account is fully working.

wildfisher commented 5 years ago

I have the same problem. Created an account and gave permissions around an hour ago. Will wait and report back after some time.

wildfisher commented 5 years ago

Around 26 hours and the error disappeared. I have not made any changes to the code.

bcoe commented 5 years ago

This does seem like either a bug, or at least behavior that needs to be better documented; labeling as such 👍

thejask commented 5 years ago

I am also experiencing the same issue here. I am able to read `publisher.inappproducts.list({` successfully. But I am getting "The current user has insufficient permissions to perform the requested operation." for `publisher.purchases.subscriptions.get({ packageName: packageName, ...`

I waited for 24 hrs. I still see the same error. Any suggestions, in addition to wait for another 24 hours. Thanks.

bcoe commented 5 years ago

I have discussed this issue with the external product team. It's a known issue that it can take up to 24 hours for account changes to be reflected in the Subscriptions API, i.e., folks haven't been imagining this.

I'm working with Googlers currently to either document this limitation, or address the bug :+1:


@thejask 18 days is not the expected behavior. I wonder if there's a chance you didn't give permissive enough permissions to your service account, following @luboganchev's advice, something along the lines of:

ngrie commented 5 years ago

FYI: Seems like I just had to wait about 4 days (!) in order to get rid of the "insufficient permissions" message after setting up a service account & linking it in the Google Play console. Had already given up any hope.

Dhineshss commented 4 years ago

Is 'Financial data' permission enough for getting subscription data? (or) Need to give full permission to the service account? Please help.

jpsison-io commented 4 years ago

Hi @Dhineshss and to everyone,

One thing that helps me was to add another subscription product on play store developer console. After that, I was able to fetch the API using the service account I created linked and granted to the console.

I hope this can help, or if not, you may try other suggestions.

raresloth commented 4 years ago

I ran into this error as well today. I set up a fresh Service Account user and granted it all permissions and I get auth errors when calling publisher.purchases.subscriptions.get. However, I noticed I have access to at least one other route (publisher.inappproducts.list), so it's weird that only some of the permissions are propagating slower than others. I just wish there was some feedback so I know that waiting isn't just going to be wasting time.

Edit: The auth errors went away. It took about 48 hours for my permissions to propagate.

hiroshihorie commented 4 years ago

Why is this so slow ? EDIT: After I created a new Managed Product, it immediately started to work. Triggered something probably.

willspense commented 4 years ago

Is there any update on this? Setting service accounts up with owner permission does not propagate within a day. Would expect this to be instant.

cc: @bcoe

iForests commented 4 years ago

After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

cromatikap commented 4 years ago

Hi, I have waited 24 hours and it is still not working. I also edited my product and I still have 'The current user has insufficient permissions to perform the requested operation.'

Do I have to follow this documentation https://developers.google.com/android-publisher/authorization ? I have now an access_token and a refresh_token and what am I supposed to do with googleapis ?

davidhowe commented 4 years ago

Experiencing the same with the https://www.googleapis.com/androidpublisher/v3/../edits api after creating service account with project owner role... Will wait and see if this is resolved within 48 hours.

kolagit commented 4 years ago

> After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

This truly WORKED !!! Instantly and magically ! Just make a little change in subscription product name or description and save it. The error will be gone. No need to wait for 24 hours or any minute.

Gameonn commented 4 years ago

I am still facing the same problem even after updating the in-app products.

```json
{
  "error": {
    "code": 401,
    "message": "The current user has insufficient permissions to perform the requested operation.",
    "errors": [
      {
        "message": "The current user has insufficient permissions to perform the requested operation.",
        "domain": "androidpublisher",
        "reason": "permissionDenied"
      }
    ]
  }
}
```

I tried modifying the in-app product description like adding a whitespace and dot in the end. And also waited for 48 hours but still nothing worked.

@kolagit Can you help me fix this?

Thanks
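
The error body quoted above carries HTTP 401 together with reason `permissionDenied`, so a handler that keys on the status code alone would treat an access-grant problem as a bad key or token. The code below is an added example (not from this thread or from the googleapis project) that classifies on `domain`/`reason` and summarises repeated probes; `classifyPublisherError`, `summarizeProbes` and the returned labels are hypothetical names, and the sample body is constructed from the comment above.

```javascript
'use strict';

// Constructed sample: the error body quoted in the comment above.
const SAMPLE_BODY = {
  error: {
    code: 401,
    message: 'The current user has insufficient permissions to perform the requested operation.',
    errors: [{
      message: 'The current user has insufficient permissions to perform the requested operation.',
      domain: 'androidpublisher',
      reason: 'permissionDenied',
    }],
  },
};

// Classify on the structured reason/domain, not on the HTTP status: this body
// carries 401 even though the refusal is about the account's access.
function classifyPublisherError(body) {
  const err = body && body.error;
  if (!err || typeof err !== 'object') return 'unknown';
  const details = Array.isArray(err.errors) ? err.errors : [];
  const denied = details.some(
    (d) => d && d.domain === 'androidpublisher' && d.reason === 'permissionDenied');
  if (denied) return 'play-permission'; // access grant problem, not the key
  // Assumption: any other 401 is treated as a key/token problem.
  if (err.code === 401) return 'credentials';
  return 'other';
}

// Hypothetical helper: summarise repeated probes of the same call. A mixed
// result matches the "works once out of 4 times" report in this thread.
function summarizeProbes(bodies) {
  let ok = 0, denied = 0, other = 0;
  for (const b of bodies) {
    if (!b || !b.error) ok += 1;
    else if (classifyPublisherError(b) === 'play-permission') denied += 1;
    else other += 1;
  }
  let state = 'inconclusive';
  if (other === 0 && bodies.length > 0) {
    state = denied === 0 ? 'granted' : ok === 0 ? 'denied' : 'partial';
  }
  return { ok, denied, other, state };
}

console.log(classifyPublisherError(SAMPLE_BODY));
console.log(summarizeProbes([SAMPLE_BODY, { kind: 'ok' }, SAMPLE_BODY, SAMPLE_BODY]));
```

Logging the classification next to the service account's `client_email` makes it clear which identity was refused before anyone rotates a key that was never the problem.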

shichen85 commented 3 years ago

I am also encountering the 401 error with the same message, though I am using the edits.commit endpoint. The strange thing is that I only encounter this error for a specific package, and the error only started appearing after 11/4. All uploads for the said package were successful previously, and all other package uploads are still successful currently.

Gameonn commented 3 years ago

I got this issue fixed by making changes to the service account. Please follow these steps to configure and link your service account.

shichen85 commented 3 years ago

> I got this issue fixed by making changes to the service account. Please follow these steps to configure and link your service account.

Thanks for the recommendation. My previous service account was still working for all my other packages and I didn't want to invalidate it, so I just changed the account permissions in the hope that it will fix it. Sadly no.

Then I created a new service account and granted the permissions, created json keys, waited for 48 hours.

So now in my Google Play Console API Access settings, I have 2 service accounts. My old service account is still working for all other packages but not working for one particular package, and my new service account doesn't work for any of the packages and gets the "The caller does not have permission" error when I call the edits.commit endpoint.

brianbhsu commented 3 years ago

> After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

For people that come here looking for an answer, this actually works.

Also is there a way that any of the Google devs can update the documentation to mention this lag in permission propagation of variable time frame (seems like ~24h+) and the temporary solution to this issue so that future developers don't have to bash their heads debugging this.

Iscalej commented 3 years ago

Same issue with lag! :clown_face:

maxanstey commented 3 years ago

In my case I had simply forgotten to link the Service Account with my Merchant Account. The documentation here is very clear and helpful, and the effect was immediate: https://developers.google.com/pay/passes/guides/basic-setup/get-access-to-rest-api

awsdataarchitect commented 3 years ago

Hello, one question while comparing with Apple Receipt validation service. The Apple service endpoint validates any receipt; does Google allow validation of the payload from another user's app, or is it only for your own apps?

zalito12 commented 2 years ago

> After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

After more than 60 hours it still didn't work for me. I tried this and it started working at that moment 😮

capthy commented 1 year ago

We got it resolved instantly by adding a new product. Changing and saving existing products doesn't work for us.

anthalasath commented 1 year ago

Still happens for me.

I enabled Google Forms API for my service account, tried updating the project name and adding a new project, to no avail.

I did not wait hours yet, but I would like to have a reliable solution to make it work immediately, this is quite inconvenient to use the API.

aershov24 commented 11 months ago

> Hi @Dhineshss and to everyone,
>
> One thing that helps me was to add another subscription product on play store developer console. After that, I was able to fetch the API using the service account I created linked and granted to the console.
>
> I hope this can help, or if not, you may try other suggestions.

Confirming, that helped

fablau commented 8 months ago

Yes, as of today 2/26/2024 I could use the trick of just updating the description of one of my in-app purchase items. It's absurd to rely on these workarounds, and having "zzzzzzzzz" from Google. Their documentation sucks. Spent 8 hours to solve this issue.

dharmeshgigs commented 7 months ago

> Just to inform what's happening with my case. From the time when I setup full privileges to my service account to actual propagating the permissions from Google, it takes 24 hours. So if someone gives admin access to his/her own service account it should wait at least one day in order to verify In-App purchase from the server side. It will be great if Google representative document this behavior in order to be more transparent for further users.

Waiting for 24*2 hours. Not working for me. Any other possibilities you would like to share?