How to fix google ads api unathorized error when using service account
I'm doing azure function which should regularly get ad reports from Google Ads API and save it to CSV. Copying code from Google documentation left me with this
public static void Run([TimerTrigger("0 22 12 * * *")] TimerInfo myTimer, ILogger log) { log.LogInformation($"C# Timer trigger function executed at: {DateTime.Now}"); RunRequest(new GoogleAdsClient(new GoogleAdsConfig() { DeveloperToken = "/*token*/", OAuth2Mode = OAuth2Flow.SERVICE_ACCOUNT, OAuth2PrnEmail = "/*service account email*/", OAuth2SecretsJsonPath = "/*service account json*/" }), "/*client id*/", log); } public static void RunRequest(GoogleAdsClient client, string customerId, ILogger log) { // Get the GoogleAdsService. GoogleAdsServiceClient googleAdsService = client.GetService( Services.V5.GoogleAdsService); // Create the query. string query = @"/*request*/"; try { // Issue a search request. googleAdsService.SearchStream(customerId, query, delegate (SearchGoogleAdsStreamResponse resp) { using var writer = new StreamWriter($"reports\\report{DateTime.Now}.csv"); using var csv = new CsvWriter(writer, CultureInfo.InvariantCulture); csv.WriteRecords(Report.BuildReports(resp.Results)); } ); } catch (GoogleAdsException e) { log.LogInformation("Failure:"); log.LogInformation($"Message: {e.Message}"); log.LogInformation($"Failure: {e.Failure}"); log.LogInformation($"Request ID: {e.RequestId}"); throw; } }
Executing this code gives me an exception with this content:
"Status(StatusCode="Unauthenticated", Detail="Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."
As I understand I don't need OAuth2 access token when using service account. How to fix this problem, what am I missing?
As mentioned in the authorization section of the reference documentation, you can only use service accounts if you have a G Suite (now called Google Workspace) domain.
You'll need to set up domain-wide delegation for the given OAuth client and then do a user impersonation for a G Suite account that has access to the Google Ads accounts you need to work with.