Google Calendar API Service Account Error

Question

Im getting this error

{ "error": 
     { "errors": 
         [
            { "domain": "calendar", "reason": "forbiddenForServiceAccounts", "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority." } 
         ], 
         "code": 403,
         "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
      } 
}

Already followed this https://developers.google.com/admin-sdk/directory/v1/guides/delegation

im using this library and im running it on laravel 5.7: https://github.com/spatie/laravel-google-calendar

What could be the fix for this. Please help.

Answer 1

Here are the steps to follow to make this work:

Enable Domain-Wide Delegation in your service account

1 - Provide calendar scopes to your service account

• Go to https://admin.google.com/ and login with G Suite account.
• Go to Security -> API Controls -> Domain-wide Delegation
• Add new => Set the client ID of your service account (The one that's only numbers)
• Set the following scopes: https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/calendar.events,https://www.googleapis.com/auth/admin.directory.resource.calendar

2 - Your user needs to have the role Service Account Token Creator

• Go to https://console.cloud.google.com/iam-admin then
• Select your project and go to IAM in the left menu.
• Select the account that you will use to impersonate
• Click on edit
• Add role Service Account Token Creator
• Enable domain delegation for the account according to https://developers.google.com/admin-sdk/directory/v1/guides/delegation , section To enable G Suite domain-wide delegation, follow these steps .

3 - Create a Calendar in the account that you will impersonate

Service accounts don't have calendars so you have to create your own calendar

• Login in https://calendar.google.com/ with the email that you want to own the calendar (I used a different account, not the same that I was going to impersonate, maybe it works using a calendar in the impersonated account)
• Create a calendar
• Share the calendar with the service account with permissions to modify and manage the calendar
• Share the calendar with the account you will impersonate with permissions to modify and manage the calendar

Create google client

• Authenticate your service account. (I used the JSON Key, I am not sure if other authentication works for this purpose)

Code sample: (I used PHP but I assume that other languages are very similar so you can use this as guideline)

Note that using some email for IMPERSONALIZATION is crucial. Otherwise, the 403 error will remain, use it for authentication, see the Maksym Kalin response for details.

$google_client = new Google_Client();
$google_client->setAuthConfig($LOCATION_OF_JSON_KEY);
$google_client->setAccessType( 'offline' );
$google_client->setSubject('EmailToImpersonate@SomeAddress.com');
$google_client->setApplicationName("YourApplicationName");
$google_client->setScopes([\Google_Service_Calendar::CALENDAR, \Google_Service_Calendar::CALENDAR_EVENTS]);

Create Event with people invited :) and Enjoy!

Note: With this approach you can create events and invite people to it. Keep in mind the limits of the G Suite https://support.google.com/a/answer/2905486 so if you want to create many events you will need to have a pool of service accounts with a pool of calendars.

Answer 2

The purpose of granting domain-wide authority to a Service Account is for these accounts to be able to access data on behalf of users in the domain.

If you grant it domain-wide authority but are not "impersonating" any account, the Service Account is acting as if you hadn't granted this authority: it is trying to access its own Calendars.

When the Service Account impersonates another user in the domain (that is, when it acts on behalf of the user), the Service Account can access the resources this user can access.

To impersonate another user, you have to specify the user's email address. In my case, I use Node.JS library and my impersonation code looks like this:

const auth = new google.auth.JWT(
  config.client_email,
  null,
  config.private_key,
  ["https://www.googleapis.com/auth/calendar.events"],
  "!!! user email to impersonate !!!!",
);

What is more, in case you need to fill attendees[] array, you have to authorize the service account to send emails. Because you get unauthorized error.

To do it you need to add https://www.googleapis.com/auth/gmail.send scope on your G Suite domain's Admin console.

You can find more here: https://issuetracker.google.com/issues/14170493

Answer 3

Just for information

In my case, on Node.js, i followed intructions from @Anathorn, but i kept getting

Service accounts cannot invite attendees without Domain-Wide Delegation of Authority

then i add on my auth line the email what should i supplant, and it worked.

const auth = new google.auth.JWT(
    CREDENTIALS.client_email,`
    null,
    CREDENTIALS.private_key,
    SCOPES,
    "admin@domain.com",
    "12345678987654321"
);

Answer 4

For anyone else that may be running into this issue, for me it was a combination of Anathorn's answer and Maksym Kalin's answer. It was because I was not impersonating the users email address.

A user previously has tried to commit the same library you are using (I am using it too), but it was declined by the repo owner (how sad)

https://github.com/spatie/laravel-google-calendar/pull/97

Anyway, his code here was how I fixed it on my end.

Good luck for anyone else who has this issue, its been a pain in my ass for far too long.

Answer 5

For those using the googleapis-nodejs-client library a solution was brought on a issue in the google-auth-library-nodejs github page .

Doing all conf steps from @Anathorn and logging the service account this way worked for me :

const auth = new google.auth.GoogleAuth({
keyFile: './service.json',
scopes: [
  'https://www.googleapis.com/auth/calendar',
  'https://www.googleapis.com/auth/calendar.events'
],
clientOptions: {
  subject: 'email@email.com'
},

});