google-api-nodejs-client: service account with owner rights has insufficient permissions

Hello,

I finally managed to make a successful api call with this npm package; publisher.inappproducts.list({ ... returns the expected result and everything is great. But when I go for:

publisher.purchases.subscriptions.get({ 
  packageName: packageName, 
  subscriptionId: subscriptionId, 
  token: token
}) ...

It always returns the same error: The current user has insufficient permissions to perform the requested operation. Assuming that:

  • The current user is a service account with the highest possible permissions granted in both the developer console and the google play console. (including “view financial data”)
  • The project in the google developer console is linked to the app in the google play console.
  • The packageName, subscriptionId and token parameters sent are valid.

What could possibly be missing? Is a refresh_token needed with service accounts? Could there be a discrepancy between the permissions shown in the UI and the actual permissions granted to the service account? Does the service account need to “accept” the invitation to be an “owner”? Is there a way to list the service account’s permissions through the API?

Here is the code I use for authentication:

const {google} = require('googleapis');

async function main () {
    // This method looks for the GCLOUD_PROJECT and GOOGLE_APPLICATION_CREDENTIALS
    // environment variables.
    const auth = await google.auth.getClient({
        // Scopes can be specified either as an array or as a single, space-delimited string.
        scopes: ['https://www.googleapis.com/auth/androidpublisher']
    });

    // obtain the current project Id
    const project = await google.auth.getProjectId();

    const publisher = google.androidpublisher({
        auth: auth,
        version: 'v3',
        project: project
    });
...

Environment details

  • OS: OSX 10.14 (Mojave)
  • Node.js version: 8.11.4
  • npm version: 5.6.0
  • googleapis version: 34.0.0

Thanks for making it down here.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 13
  • Comments: 39 (2 by maintainers)

Most upvoted comments

Just to inform what’s happening with my case. From the time when I set up full privileges for my service account to the actual propagation of the permissions by Google, it takes 24 hours. So if someone gives admin access to his/her own service account, they should wait at least one day in order to verify in-app purchases from the server side. It would be great if a Google representative documented this behavior in order to be more transparent for future users.

After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

This does seem like either a bug, or at least behavior that needs to be better documented; labeling as such 👍

Hey @lfreneda ,

It finally worked, I don’t remember what I changed exactly but saw this comment in my code:

// Didn't work, waited a few days, worked. Permissions probably need time to propagate.
publisher.purchases.subscriptions.get({
                packageName: packageName,
                ...

So maybe try waving a dead chicken over your code and come back a few days later, it worked for me!

Why is this so slow? EDIT: After I created a new Managed Product, it immediately started to work. Triggered something probably.

FYI: Seems like I just had to wait about 4 days (!) in order to get rid of the “insufficient permissions” message after setting up a service account & linking it in the Google Play console. Had already given up any hope.

I have discussed this issue with the external product team. It’s a known issue that it can take up to 24 hours for account changes to be reflected in the Subscriptions API, i.e., folks haven’t been imagining this.

I’m working with Googlers currently to either document this limitation, or address the bug 👍


@thejask 18 days is not the expected behavior. I wonder if there’s a chance you didn’t give permissive enough permissions to your service account, following @luboganchev’s advice, something along the lines of:

I have found out that the issue is indeed not on the client side. I have a piece of code that works, but only once out of 4 times. Yesterday not at all. Perhaps tomorrow every time?

Right now, I frequently get the “The current user has insufficient permissions to perform the requested operation.” message, and every once in a while I get the proper receipt validation. It seems that my service account is not fully propagated yet over all API handling servers somehow…

Update one day later: I can verify, it now totally works as it should. So first, it did not work, then after a day or so every once in a while and now fully. So you need indeed 48h before your service account is fully working.

After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

This truly WORKED !!! Instantly and magically ! Just make a little change in subscription product name or description and save it. The error will be gone. No need to wait for 24 hours or any minute.

Hi @Dhineshss and to everyone,

One thing that helped me was to add another subscription product on the Play Store developer console. After that, I was able to fetch the API using the service account I created, linked and granted to the console.

I hope this can help, or if not, you may try other suggestions.

Around 26 hours and the error disappeared. I have not made any changes to the code.

We got it resolved instantly by adding a new product. Changing and saving existing products doesn’t work for us.

I ran into this error as well today. I set up a fresh Service Account user and granted it all permissions and I get auth errors when calling publisher.purchases.subscriptions.get. However, I noticed I have access to at least one other route (publisher.inappproducts.list), so it’s weird that only some of the permissions are propagating slower than others. I just wish there was some feedback so I know that waiting isn’t just going to be wasting time.

Edit: The auth errors went away. It took about 48 hours for my permissions to propagate.
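The symptom in the comment above (one route answers while `purchases.subscriptions.get` is denied) can be turned into the feedback it asks for. This is an added example, not code from the thread or from googleapis: the verdict labels, the error-message matching and the stub publisher are assumptions made for illustration.

```javascript
// Substring of the error message quoted in this issue.
const DENIED = 'insufficient permissions';

async function attempt(call) {
  try {
    await call();
    return 'ok';
  } catch (err) {
    // Assumption: the client rejects with an Error whose message carries the API text.
    return String(err && err.message).includes(DENIED) ? 'denied' : 'error';
  }
}

// Calls the route reported as working once, then samples the subscription route
// several times, since the thread reports intermittent success during propagation.
async function probe(publisher, params, samples = 4) {
  const list = await attempt(() =>
    publisher.inappproducts.list({ packageName: params.packageName }));
  const tally = { ok: 0, denied: 0, error: 0 };
  for (let i = 0; i < samples; i++) {
    tally[await attempt(() => publisher.purchases.subscriptions.get(params))]++;
  }
  let verdict;
  if (list !== 'ok') verdict = 'credentials-or-grant-problem';
  else if (tally.error > 0) verdict = 'non-permission-error';
  else if (tally.denied === 0) verdict = 'ready';
  else if (tally.ok > 0) verdict = 'partially-propagated';
  else verdict = 'not-yet-propagated';
  return { list, tally, verdict };
}

// Constructed stub standing in for google.androidpublisher(); every 4th get succeeds.
function fakePublisher() {
  let n = 0;
  return {
    inappproducts: { list: async () => ({ data: {} }) },
    purchases: { subscriptions: { get: async () => {
      if (++n % 4 === 0) return { data: {} };
      throw new Error('The current user has insufficient permissions to perform the requested operation.');
    } } },
  };
}

async function demo() {
  // Constructed sample parameters, not real identifiers.
  const params = { packageName: 'com.example.app', subscriptionId: 'sub_1', token: 'constructed-token' };
  return probe(fakePublisher(), params, 4);
}
demo().then(r => console.log(r));
```

With the real client, pass the `publisher` object built in the question's code in place of `fakePublisher()`.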

Is the ‘Financial data’ permission enough for getting subscription data, or do I need to give full permission to the service account? Please help.

I have the same problem. Created an account and gave permissions around an hour ago. Will wait and report back after some time.

@fel-dev I couldn’t find any documentation that says “few days are required in order to propagate correctly the permissions”. I also wrote an email to Google support asking a bunch of questions including this one, but still no response from them. I did the same as you described in the issue: giving administrator permissions to my service account from both the Developer console and the Google Play console. This seems to be a blocking issue with high priority, since we are not able to validate in-app purchases on the server side. Any updates on what actually happens here?

After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

After more than 60 hours it still didn’t work for me. I tried this and it started working at that moment 😮

Experiencing the same with the https://www.googleapis.com/androidpublisher/v3/../edits API after creating a service account with the project owner role… Will wait and see if this is resolved within 48 hours.