1

I'm using google python libraty to request ANR data for my app, script is very simple

from google_auth_oauthlib.flow import InstalledAppFlow
from googleapiclient.discovery import build

# The CLIENT_SECRETS_FILE variable specifies the name of a file that contains
# the OAuth 2.0 information for this application, including its client_id and
# client_secret.
CLIENT_SECRETS_FILE = "client_secret.json"

# This access scope grants read-only access to the authenticated user's apps
SCOPES = ['https://www.googleapis.com/auth/androidpublisher']
API_SERVICE_NAME = 'playdeveloperreporting'
API_VERSION = 'v1beta1'
ANR_METHOD_NAME = 'apps/com.my.app/anrRateMetricSet'

flow = InstalledAppFlow.from_client_secrets_file(
    CLIENT_SECRETS_FILE,
    scopes=SCOPES)


def get_authenticated_service():
    flow = InstalledAppFlow.from_client_secrets_file(CLIENT_SECRETS_FILE, SCOPES)
    credentials = flow.run_local_server(host='localhost',
                                        port=5000,
                                        authorization_prompt_message='Please visit this URL: {url}',
                                        success_message='The auth flow is complete; you may close this window.',
                                        open_browser=True)
    return build(API_SERVICE_NAME, API_VERSION, credentials=credentials)


def getAnrReport():
    report_service = get_authenticated_service()
    vitals = report_service.vitals()
    anr = vitals.anrrate()
    userPerceivedAnrRate7dUserWeighted = anr.get(name=ANR_METHOD_NAME, x__xgafv='2').execute()
    report_service.close()


# ...
if __name__ == '__main__':
    getAnrReport()

But for some reason I get an error

googleapiclient.errors.HttpError: 
HttpError 403 when requesting https://playdeveloperreporting.googleapis.com/v1beta1/apps/com.my.app/anrRateMetricSet?%24.xgafv=2&alt=json 
returned "Request had insufficient authentication scopes.". 
Details: "[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'ACCESS_TOKEN_SCOPE_INSUFFICIENT', 'domain': 'googleapis.com', 'metadata': {'method': 'google.play.developer.reporting.v1beta1.VitalsService.GetAnrRateMetricSet', 'service': 'playdeveloperreporting.googleapis.com'}}]"

Documentation https://developers.google.com/play/developer/reporting/reference/rest/v1beta1/vitals.anrrate/get says

Authorization Scopes Requires the following OAuth scope:

https://www.googleapis.com/auth/playdeveloperreporting

Higher level documentation https://developers.google.com/play/developer/reporting/reference/rest/v1beta1/vitals.anrrate says

Required permissions: to access this resource, the calling user needs the View app information (read-only) permission for the app.

I do have that permission and my google user can access app info and ANR rate in Google Play Console. I'm also requesting playdeveloperreporting scope as per documentation, but the scope is insufficient for some reason, what am I doing wrong?

Note: scope in my script is https://www.googleapis.com/auth/androidpublisher

Documentation says it should be https://www.googleapis.com/auth/playdeveloperreporting but such scope cannot be requested due to error:

Some requested scopes cannot be shown: [https://www.googleapis.com/auth/playdeveloperreporting]
Error 400: invalid_scope
Wackaloon
  • 2,285
  • 1
  • 16
  • 33

2 Answers2

0

Found an answer in issues of this python project https://github.com/googleapis/google-api-python-client/issues/1761

the API right now only supports access with GCP service accounts

So to work with that API I need a service account, not a human one which requires to authorized through web auth.

The way to use a service account is roughly as follows:

The way to use a service account is roughly as follows:

  1. Create a GCP consumer project and get an API key for it
  2. Link your GCP consumer project to the Play Console developer account in the API access UI
  3. Create a service account (https://cloud.google.com/iam/docs/service-accounts), and download the account's key file (the equivalent of its password)
  4. "Invite" that service account to be a user of your Play Console developer, and grant at least "read only" access to some or all apps.
  5. Exchange the service account key for an OAuth token using a tool such as oauth2l.
Wackaloon
  • 2,285
  • 1
  • 16
  • 33
0

We were trying to do the same for a customer so tried different scenarii and we realised that the Service Account does not need to be from a project linked to your Play Console. So just editing @Wackaloon's Answer

1)Create a GCP consumer project and Create a service account (https://cloud.google.com/iam/docs/service-accounts), and download the account's key file (the equivalent of its password).

2)"Invite" that service account to be a user of the Play Console developer, and grant Account permissions > "View app information and download bulk reports (read-only)" to access the reports Reviews, Statistics> Installs, Crashes, Ratings, Subscriptions, add "View financial data, orders, and cancellation survey responses" for access to reports Financials> Earnings, Estimated Sales.

When granting only App permission, we were encountering the error AccessDeniedException: 403 user@project.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.

Carole Wai Hai
  • 1
  • 1