3

I am attempting to get get a Ruby on Rails project that uses the Google AdWords API.

What I did so far, following the steps in this guide:

  • I created an AdWords Manager account.
  • I created a test account that is part of the AdWords Manager account.
  • I set up the Ruby client library in my Rails project.
  • I then attempted to set up OAuth2 authentication with the example code from the guide.

However since the guide was written (and the video version of the guide was made) it seems that the interface has changed. I am able to create a Client ID client_secrets.json-file, or a Service Account .json file. I am able to export these and read the settings from .

  • I added the required settings, using an OAUTH2_SERVICE_ACCOUNT .json file.

Now, when attempting to connect, I get back the AdwordsAPIException AuthenticationError.NOT_ADS_USER.

I therefore know that the actual authentication works. However, the authorization does not.

How can I turn on AdWords API support for the oAuth credentials from my google accounts? The Google Credentials Console lists many APIs that you can turn on, but the AdWords API is not in there. The AdWords guide does not mention turning on an API at all, and only tells you to create a new Credential.

What is going on here?

Qqwy
  • 5,214
  • 5
  • 42
  • 83

1 Answers1

2

The Adwords API does not need to be added to your project in the Google Cloud console (it's always enabled)—as indicated by the error message, the actual problem lies in the fact that your service account does not have access to any Adwords accounts.

As a matter of fact, the only way to use service accounts to authenticate against the Adwords API is when you're also using a G Suite domain (see the corresponding documentation, section "Prerequisites".

If you have a G Suite domain, you'll need to

  • Enable "G Suite Domain-wide Delegation" on your service account key

  • Add the project ID of the Google cloud project to your G Suite domain's authorized API client list

  • Use your service account to impersonate any user from your G suite domain that has Adwords access

As you can see, it's quite an involved process. My recommendation (that is shared by the above article) is to use an OAuth2 installed application flow for any user that has Adwords access. This requires to store the obtained refresh token on your end, but is more flexible (and arguably safer) than a delegation-enabled service account and easier to set up.

dorian
  • 5,667
  • 1
  • 19
  • 36
  • Damn I've seriously looked through 100 threads related to this bullshit and yours was the first helpful one. The step I was missing was adding to the 'authorized client' list, and adding a user to impersonate. Now I have a new error though... `AuthorizationError.USER_PERMISSION_DENIED`. Am I supposed to use the global MCC account rather than my test MCC? (My dev token isnt approved yet). If I use my master MCC I get the above error, but if I use my test MCC I made I get this error: `Client is unauthorized to retrieve access tokens using this method.` – Tallboy Feb 02 '18 at 08:01
  • 1
    USER_PERMISSION_DENIED would indicate that the *impersonated user* whose OAuth2 grant you created using the the service account does not have access to the Adwords account ID that you specify. – dorian Feb 02 '18 at 15:18