Gmail API with service account- Precondition check failed #2322
Comments
I figured out how to solve the issue. I would like to submit a pull request for this issue to add a sample to the gmail sample library. It would look something like this (can work on refactoring to match code style in other samples if you give me the go-ahead on submitting a PR):

```js
const path = require('path');
const {google} = require('googleapis');

// List messages in a mailbox, authenticating as a service account that
// impersonates the user given in `subject`.
async function getMessageList(userId, qty) {
  const JWT = google.auth.JWT;
  const authClient = new JWT({
    keyFile: path.resolve(__dirname, 'google-key.json'),
    scopes: ['https://www.googleapis.com/auth/gmail.readonly'],
    subject: '[email protected]' // google admin email address to impersonate
  });
  await authClient.authorize(); // once authorized, can do whatever you want
  const gmail = google.gmail({
    auth: authClient,
    version: 'v1'
  });
  const response = await gmail.users.messages.list({
    includeSpamTrash: false,
    maxResults: qty,
    q: "",
    userId: userId
  });
  // the data object includes a "messages" array of message data
  return response.data;
}
```
|
@vettloffah What was the actual fix here? I am running into the same issue and have not been able to come up with a solution. |
@cpereyra5199 I posted the solution in my last comment. You have to delegate the service to a specific user using JWT authentication. |
@vettloffah I would like to know "if you have used a service account for authorization?" |
I have actually tried something similar with GoogleAuth. I didn't understand what went wrong here.
|
I have found another issue with a similar error here |
The Gmail API isn't intended to be used with service accounts (other than domain-wide delegation use cases.) You need to be acting as a real user -- either using oauth credentials obtained with user consent, or in the case of a Gsuite domain, using a service account delegating/impersonating a real user. I'll file a bug to make the error message clearer, but it's likely that the failed precondition is that the service account isn't a valid gmail user. |
Greetings, we're closing this. Looks like the issue got resolved. Please let us know if the issue needs to be reopened. |
This is ridiculous. |
So it has to be able to impersonate any user or none at all? Isn't that a pretty significant security risk? |
Impersonation is neither required nor encouraged. Use regular OAuth 2. Most of the conversation has been about wanting to use the gmail API with a service account where the service account is running as its own identity. That isn't supported as gmail is inherently a product for human users. Service accounts with delegation is an option for some enterprise use cases, and the scope of delegation is users within that org. There are a handful of operations that actually require delegation, and that's mostly for security reasons. Settings that create forwarding rules are particularly sensitive as those forwarding rules persist even after a user has revoked access to an app. Anything guarded by https://www.googleapis.com/auth/gmail.settings.sharing is in that camp. But for the rest of the API, no service accounts and no delegation are required. |
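The delegation point made in the comments above, as an added example (not code from this issue or from the googleapis library): it builds the JWT-bearer assertion locally with Node's `crypto` so the `sub` claim produced by the `subject` option is visible, and flags a claim set that requests Gmail scopes with no subject. The throwaway key, the addresses and the `preflight` finding names are constructed for illustration.

```javascript
const crypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const SHARING = 'https://www.googleapis.com/auth/gmail.settings.sharing';
const b64url = (data) => Buffer.from(data).toString('base64url');

// Build and sign the assertion a service account sends to the token endpoint.
// `subject` becomes the `sub` claim: the user the service account acts as.
function buildAssertion({clientEmail, privateKey, scopes, subject}, now) {
  const claims = {iss: clientEmail, scope: scopes.join(' '), aud: TOKEN_URL,
                  iat: now, exp: now + 3600};
  if (subject) claims.sub = subject;
  const input = b64url(JSON.stringify({alg: 'RS256', typ: 'JWT'})) + '.' +
                b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return input + '.' + b64url(sig);
}

// Decode the claim set without verifying it (inspection only).
function decodeClaims(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString());
}

// Check the signature against the public half of the key.
function verifyAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  return crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), publicKey, Buffer.from(s, 'base64url'));
}

// Review a claim set before it is used against the Gmail API.
function preflight(claims) {
  const scopes = claims.scope.split(' ');
  const findings = [];
  // No `sub`: the service account is acting as its own identity.
  if (scopes.some((s) => s.includes('/auth/gmail')) && !claims.sub) findings.push('NO_SUBJECT');
  // Forwarding rules set under this scope persist after access is revoked.
  if (scopes.includes(SHARING)) findings.push('SETTINGS_SHARING');
  return findings;
}

// Constructed sample: throwaway key and made-up addresses.
function demo() {
  const {privateKey, publicKey} = crypto.generateKeyPairSync('rsa', {modulusLength: 2048});
  const base = {clientEmail: 'svc@example-project.iam.gserviceaccount.com', privateKey};
  const readonly = ['https://www.googleapis.com/auth/gmail.readonly'];
  const own = buildAssertion({...base, scopes: readonly}, 1700000000);
  const delegated = buildAssertion({...base, scopes: [...readonly, SHARING], subject: 'user@example.com'}, 1700000000);
  return {signatureOk: verifyAssertion(delegated, publicKey), delegatedSub: decodeClaims(delegated).sub,
          own: preflight(decodeClaims(own)), delegated: preflight(decodeClaims(delegated))};
}
```

Calling `demo()` returns the findings for both assertions; only the delegated one carries a `sub` claim.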
@sqrrrl iiuc, if I wanted to auth with the gmail API for my personal inbox, it seems I need to make the oauth client screen and get app approval since I do not have a Google Workspace. Is this the correct/suggested approach? Since it's just for testing, I wonder if there's a faster way before getting app approval. |
I'm trying to connect with the Google APIs for the first time, and when I attempt to make a request to the Gmail API I'm getting a `Precondition check failed` error. I am using a service account authorization, not OAuth2 user consent. Things I've tried:
This is adapted from a sample, but the sample did not use service account auth so I wasn't able to use the sample directly.
returning
Error: Precondition check failed.