SA not working
Describe the bug
I did the SA account JSON key on a paid account as written. It doesn't work.
To Reproduce
Steps to reproduce the behavior:
Run
gwbackupy --service-account-key-filepath sa.json gmail backup --email abc@def.com
INFO 2023-08-08 13:33:10,814 - Starting backup for abc@def.com
INFO 2023-08-08 13:33:10,814 - Scanning backup storage...
INFO 2023-08-08 13:33:10,814 - Stored items: 0
INFO 2023-08-08 13:33:10,814 - Backing up labels...
INFO 2023-08-08 13:33:10,814 - Getting labels from server (abc@def.com)
INFO 2023-08-08 13:33:10,816 - file_cache is only supported with oauth2client<4.0.0
INFO 2023-08-08 13:33:10,818 - Attempting refresh to obtain initial access_token
INFO 2023-08-08 13:33:10,820 - Refreshing access_token
INFO 2023-08-08 13:33:10,981 - Failed to retrieve access token: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
Desktop (please complete the following information):
Ubuntu Linux CLI
I've found the following writeup about delegating domain-wide authority, but it still doesn't work.
https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
What is the scope I might need to add there?
Found the correct scope on the GAM wiki
https://github.com/GAM-team/got-your-back/wiki#google-workspace-admins
@hyperknot Did you generate SA access based on this guide? Service Account Setup
Yes, but the last part is missing. Steps 12-16 in the linked GYB wiki.
Scope https://mail.google.com/ in domain-wide authority is working
The documentation is incomplete and incorrect. Domain-wide authorization is required for SA operation.
When editing the SA in the cloud console, the domain-wide delegation scope https://mail.google.com/ is enough.
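Added example, not part of the thread and not gwbackupy's own code: a small diagnostic that reads the token failure logged above, pulls the client ID out of a service-account key, and shows the values the domain-wide delegation entry needs plus the JWT claims a delegated request carries. The function names are hypothetical and the key values are constructed placeholders; the key field names and JWT claim names follow Google's service-account OAuth 2.0 flow.

```python
import json

# Constructed sample key: real field names of a service-account JSON key,
# placeholder values, private key omitted.
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "backup@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
}
GMAIL_SCOPE = "https://mail.google.com/"  # full-mailbox scope reported working here

# Token failure exactly as logged in this issue.
ISSUE_LOG = """INFO 2023-08-08 13:33:10,981 - Failed to retrieve access token: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}"""


def delegation_entry(key, scopes):
    """Client ID and comma-separated scopes for the domain-wide delegation entry."""
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    return {"client_id": key["client_id"], "scopes": ",".join(scopes)}


def delegated_claims(key, user_email, scopes, now):
    """JWT claim set for a token request that impersonates user_email."""
    return {
        "iss": key["client_email"],
        "sub": user_email,            # mailbox owner being impersonated
        "scope": " ".join(scopes),    # space-delimited inside the JWT
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,            # one hour is the maximum lifetime
    }


def explain_token_failure(log, key, scopes):
    """Find the JSON error body in the log and name the setting to check."""
    marker = "Failed to retrieve access token:"
    start = log.index("{", log.index(marker))
    body, _ = json.JSONDecoder().raw_decode(log, start)
    if body.get("error") == "unauthorized_client":
        e = delegation_entry(key, scopes)
        return ("authorize client ID %s for %s in domain-wide delegation"
                % (e["client_id"], e["scopes"]))
    return "unhandled token error: %s" % body.get("error")
```

Because the delegation entry applies to every mailbox in the domain, the client ID and scope list it returns are also what to review when auditing which service accounts can read mail.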