Service account not auth'ing as expected
The issue tracker is for reporting product deficiencies. "How do I" questions should be posted to the discussion forum at https://groups.google.com/group/got-your-back. When in doubt, start at the discussion forum and return here only when instructed to do so.
Please confirm the following:
- I have upgraded to the latest GYB release from https://github.com/jay0lee/got-your-back/releases and I still have this issue. Yes, this is a fresh install
- I am typing the command as described in the GAM Wiki at https://github.com/jay0lee/got-your-back/wiki Yes, although the Wiki has steps that seem to be automatically done during setup, such as creating the oauth2service json file
Full steps to reproduce the issue:
- Added the necessary scopes and waited. It's still an issue after about 30 minutes
- Hit 'y' during setup for admin use and entered a user's email address
- Received the error below. The same occurs when running check-service-account outside of setup
Expected outcome (what are you trying to do?): Use a service account
Actual outcome (what errors or bad behavior do you see instead?):
Checking service account DwD for [email protected]...
Please run
gyb --action create-project
gyb --action check-service-account
to create and configure a service account.
ERROR: None
gyb --action create-project --email [email protected]
File C:\GYB\oauth2service.json already exists. Please delete or rename it before attempting to create another project.
If check-service-account is passing then you should be all set. create-project is failing because you already have a project and GYB doesn't want to overwrite it.
What happens when you actually try to use the service account to backup/restore?
Please show the FULL output of your GYB commands.
But that output doesn't confirm or deny that the service account is working. The wording is confusing because I'm telling it to check a service account and the output is telling me to create one rather than confirming one is already configured. There's no affirmation; it's basically saying "task failed successfully". I understand that create-project is throwing an error because there's already an existing one, hence my confusion as to why check-service-account is seemingly going in circles.
I initially didn't try using a service account given this ambiguity and was able to do a backup/restore by logging into both the account being backed up and the one receiving the restore. I just tried and here's the output.
gyb --email [email protected] --action backup --local-folder C:\EmailBackups\Test\ --service-account
Traceback (most recent call last):
File "gyb.py", line 2817, in <module>
File "gyb.py", line 2045, in main
File "gyb.py", line 697, in buildGAPIServiceObject
File "gyb.py", line 1360, in getSvcAcctCredentials
File "google\oauth2\service_account.py", line 445, in refresh
File "google\oauth2\_client.py", line 308, in jwt_grant
File "google\oauth2\_client.py", line 279, in _token_endpoint_request
File "google\oauth2\_client.py", line 72, in _handle_error_response
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})
[10008] Failed to execute script 'gyb' due to unhandled exception!
The scopes were added and approved 2 days ago when I first opened this issue.
The client ID and secret in the automatically generated client_secrets.json match the information from Google Admin.