如何使用服务帐户 ID 访问我的帐户电子邮件？

Question

I created a project in google cloud platform and created a OAuth service account id for my gmail account. With this service account id I'm unable to read emails as it says I don't have access to this scope GmailReadonly.

I went through google to find that I need scope access from Gsuite admin but if the access is given, it says it can be used to retrieve all the organization users emails. Is this information correct? If yes, is there any other way to access just my account's emails?

Below is the c# code which I used to access emails. Please let me know if there is any way to achieve it.

 #region saggezza account id read
        ServiceAccountCredential serviceAccountCredential = new ServiceAccountCredential(
          new ServiceAccountCredential.Initializer("xxx@projectname.iam.gserviceaccount.com")
          {
              User = "xxx@organization.com",
              Scopes = new[] { GmailService.Scope.GmailReadonly }
          }.FromPrivateKey("-----BEGIN PRIVATE KEY-----xxxxxxxxxxxxxxxxx-----END PRIVATE KEY-----\n"));

        if (serviceAccountCredential != null)
        {
            var service3 = new GmailService(new BaseClientService.Initializer
            {
                HttpClientInitializer = serviceAccountCredential,
                ApplicationName = ApplicationName
            });

            var list = service3.Users.Messages.List("me").Execute();
            var count = "Message Count is: " + list.Messages.Count();                
        }

Answer 1

You need to create a service account on Google developer console , enable the Gmail api. Then you need to properly set up domain wide delication with your gsuite account before its going to work. delegate settings

ServiceAccount.cs

 public static class ServiceAccountExample
    {

        /// <summary>
        /// Authenticating to Google using a Service account
        /// Documentation: https://developers.google.com/accounts/docs/OAuth2#serviceaccount
        /// </summary>
        /// <param name="serviceAccountEmail">From Google Developer console https://console.developers.google.com</param>
        /// <param name="serviceAccountCredentialFilePath">Location of the .p12 or Json Service account key file downloaded from Google Developer console https://console.developers.google.com</param>
        /// <returns>AnalyticsService used to make requests against the Analytics API</returns>
        public static GmailService AuthenticateServiceAccount(string serviceAccountEmail, string serviceAccountCredentialFilePath, string[] scopes, string email)
        {
            try
            {
                if (string.IsNullOrEmpty(serviceAccountCredentialFilePath))
                    throw new Exception("Path to the service account credentials file is required.");
                if (!File.Exists(serviceAccountCredentialFilePath))
                    throw new Exception("The service account credentials file does not exist at: " + serviceAccountCredentialFilePath);
                if (string.IsNullOrEmpty(serviceAccountEmail))
                    throw new Exception("ServiceAccountEmail is required.");                

                // For Json file
                if (Path.GetExtension(serviceAccountCredentialFilePath).ToLower() == ".json")
                {
                    GoogleCredential credential;
                    using (var stream = new FileStream(serviceAccountCredentialFilePath, FileMode.Open, FileAccess.Read))
                    {
                        credential = GoogleCredential.FromStream(stream)
                             .CreateScoped(scopes);
                    }

                    // Create the  Analytics service.
                    return new GmailService(new BaseClientService.Initializer()
                    {
                        HttpClientInitializer = credential,
                        ApplicationName = "Gmail Service account Authentication Sample",
                    });
                }
                else if (Path.GetExtension(serviceAccountCredentialFilePath).ToLower() == ".p12")
                {   // If its a P12 file

                    var certificate = new X509Certificate2(serviceAccountCredentialFilePath, "notasecret", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
                    var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountEmail)
                    {
                        user = email,
                        Scopes = scopes
                    }.FromCertificate(certificate));

                    // Create the  Gmail service.
                    return new GmailService(new BaseClientService.Initializer()
                    {
                        HttpClientInitializer = credential,
                        ApplicationName = "Gmail Authentication Sample",
                    });
                }
                else
                {
                    throw new Exception("Unsupported Service accounts credentials.");
                }

            }
            catch (Exception ex)
            {                
                throw new Exception("CreateServiceAccountGmailFailed", ex);
            }
        }
    }
}

note

service3.Users.Messages.List(email).Execute();  

me is going to be the service account which does not have any emails. You need to use a user. You need to supply the email address of the user whos email you would like to access. This again must be a user on the gsuite domain.