clasp icon indicating copy to clipboard operation
clasp copied to clipboard
verified publisher icon google

Can't push scripts by service account

Open choreo opened this issue 8 months ago • 6 comments

Hi. I connected Apps Script with Google Cloud project and created a service account.

As README says,

To use a service account to push or pull files from Apps Script, the scripts must be shared with the service account with the appropriate role (e.g. Editor in able to push.)

I shared the script with the account's email ( [email protected] ) as Editor. $ clasp pull --adc was successful.

$ clasp pull --adc
└─ dist/appsscript.json
└─ dist/index.js
Pulled 2 files.

But I got this when I ran $ clasp push --adc

User has not enabled the Apps Script API. Enable it by visiting https://script.google.com/home/usersettings then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

Sorry if I miss some configurations and this is not an issue. But at this moment, the App Script document (the link is also provided at the bottom of README ) says

The Apps Script API does not work with service accounts.

I was wondering if push or deploy is ever possible. I am not sure if this is related, but Domain-wide delegation scope for the service account is like this.

https://www.googleapis.com/auth/script.projects
https://www.googleapis.com/auth/script.deployments
https://www.googleapis.com/auth/script.webapp.deploy
https://www.googleapis.com/auth/drive.metadata.readonly
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/service.management
https://www.googleapis.com/auth/logging.read
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/drive

Specifications

  • Node version (node -v):v22.14.0
  • Version (clasp -v):3.0.3-alpha
  • OS (Mac/Linux/Windows):Mac

choreo avatar Apr 11 '25 13:04 choreo

Did you enable the AppsScript API in your GCP project?

Domain-wide delegation is for impersonating other accounts to access their data. It needs a specially crafted request that specifies which account it is impersonating. Clasp doesn't do this.

Nu11u5 avatar Apr 12 '25 15:04 Nu11u5

Yes, AppsScript API is listed on "API & Services" page of my Google Cloud console...

choreo avatar Apr 12 '25 23:04 choreo

Yeah, I had only tested with pull and mistakenly assumed that if that worked push would as well -- that "enable apps script API" setting should apply to all operations in the API. But possible that the fact that it works for pulls is more of a bug than a feature :/

In any case, will see if we can get that enabled by default for service accounts

sqrrrl avatar Apr 14 '25 21:04 sqrrrl

Hi @sqrrrl! Appreciate the transparency in your response -- is there any update you can give on getting service account perms enabled to push to the apps script API? My team is looking at using the workarounds described by a few other users in related issues (updating creds in GH actions à la https://github.com/ericanastas/deploy-google-app-script-action), but it would be great to know if it's looking like the service account / ADC method will be viable in the near future.

ghaskins99 avatar Jun 19 '25 21:06 ghaskins99

Hi, I was facing the same issue, and I managed to resolve it by linking the Google Cloud project number (not the project ID) in the App Script project settings.

denizformsapp avatar Jul 25 '25 06:07 denizformsapp

Hi, I was facing the same issue, and I managed to resolve it by linking the Google Cloud project number (not the project ID) in the App Script project settings.

It only accepts the project number, still doesn't work for me.

Also report at https://issuetracker.google.com/issues/442055772

jddcef avatar Aug 31 '25 14:08 jddcef