google-api-nodejs-client

gmail.users.watch | error sending test message to Cloud PubSub projects/tms-erp-afourtech-assets/topics/gmail-watcher : User not authorized to perform this action.

Open hiteshsalavi opened this issue 3 years ago • 5 comments

I want to implement watch for new mails in INBOX for a Google Workspace email ID.

Already Verified Pointers:

  1. I've made sure that client_id from service.json file has domain wide delegated authorisation for the scope being used.
  2. I've also made sure that service account has Publisher access.
  3. I've also made sure that client_email has Publisher access from the Pub/Sub. Followed this solution

Still getting

{
  message: 'Error sending test message to Cloud PubSub projects/<PROJECT_ID>/topics/gmail-watcher : User not authorized to perform this action.',
  domain: 'global',
  reason: 'forbidden'
}

Code:

import { google, Auth } from 'googleapis';
import { resolve } from 'path';

const serviceAccountPath = resolve('./service.json')
const scopes = [
    'https://www.googleapis.com/auth/gmail.metadata'
]
const emailToBeDelegated = '[email protected]'

class GoogleAuth {
    public auth;
    constructor(serviceAccountPath: string, scopes: string[], emailToBeDelegated: string){
        this.auth = this.getAuth(serviceAccountPath, scopes, emailToBeDelegated);
    }
    public async getAuthorizedJWT () {
        await this.auth.authorize();
        return this.auth;
    }
    private getAuth = (serviceAccountPath: string, scopes: string[], emailToBeDelegated: string): Auth.JWT => {
        return new Auth.JWT({
            keyFile: serviceAccountPath,
            scopes,
            subject: emailToBeDelegated
        });
    };
}

class GMailService extends GoogleAuth {
    constructor(serviceAccountPath: string, scopes: string[], emailToBeDelegated: string){
        super(serviceAccountPath, scopes, emailToBeDelegated);
    }

    watch = async () => {
        const auth = await this.getAuthorizedJWT();
        return google.gmail({ version: 'v1' }).users.watch({auth,
            userId: 'me',
            requestBody: {
                topicName: 'projects/<PROJECT_ID>/topics/gmail-watcher',
                labelIds: ['INBOX']
            }
        })
    }
}


(async () => {
    const gMailService = new GMailService(serviceAccountPath, scopes, emailToBeDelegated);
    console.log(await gMailService.watch());
})();

hiteshsalavi, Nov 11 '21 12:11

@hiteshsalavi any updates on it?? I have the same issue

RevoltEnergy, Jul 23 '23 14:07

Did you solve this problem?

henr22, Jul 29 '23 14:07

We have the same problem here! All roles and permissions have been added... :-(

gelpiu-developers, Aug 31 '23 10:08

Did anyone figure this out? Same issue here.

Edit: Found the solution in this thread. Hidden away in Google's documentation is a specific service account that needs publish permissions to the topic. The error message provided from the watch method is a terrible indicator of the actual underlying issue. https://stackoverflow.com/questions/43525182/gmail-users-watch-fails-to-send-test-message-to-pubsub-with-a-dwd-service-accoun/43645610#43645610

BrentFurryBreeze, Oct 04 '23 15:10
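
The fix described in the last comment, as an added example that is not part of the original thread or of the googleapis project: it audits a topic's IAM policy object for Gmail's push service account and adds only that account as Publisher. The account name `gmail-api-push@system.gserviceaccount.com` comes from Google's Gmail push documentation, not from this page; the function names, the sample policy and its member are constructed for illustration.

```typescript
// Added example. Policy shape is the IAM v1 JSON returned for a topic's IAM policy.
interface Binding { role: string; members: string[]; condition?: unknown }
interface Policy { etag?: string; bindings?: Binding[] }
interface Audit { gmailCanPublish: boolean; publicMembers: string[]; otherPublishers: string[] }

// Google-managed account that Gmail uses to publish users.watch notifications.
const GMAIL_PUSH = 'serviceAccount:gmail-api-push@system.gserviceaccount.com';
const PUBLISHER = 'roles/pubsub.publisher';
// Predefined Pub/Sub roles that include pubsub.topics.publish.
const PUBLISH_ROLES = [PUBLISHER, 'roles/pubsub.editor', 'roles/pubsub.admin'];
const PUBLIC_MEMBERS = ['allUsers', 'allAuthenticatedUsers'];

// Report who can publish according to the topic-level policy only;
// roles inherited from the project or folder do not appear in this object.
function auditTopicPolicy(policy: Policy): Audit {
  const audit: Audit = { gmailCanPublish: false, publicMembers: [], otherPublishers: [] };
  for (const b of policy.bindings || []) {
    if (PUBLISH_ROLES.indexOf(b.role) === -1) continue;
    for (const m of b.members) {
      if (m === GMAIL_PUSH) audit.gmailCanPublish = true;
      else if (PUBLIC_MEMBERS.indexOf(m) !== -1) audit.publicMembers.push(m);
      else if (audit.otherPublishers.indexOf(m) === -1) audit.otherPublishers.push(m);
    }
  }
  return audit;
}

// Return a copy of the policy with only the Gmail push account added as Publisher.
// The etag is kept so a later setIamPolicy call fails on concurrent modification.
function withGmailPublisher(policy: Policy): Policy {
  const bindings = (policy.bindings || []).map(b => ({ ...b, members: b.members.slice() }));
  let pub = bindings.filter(b => b.role === PUBLISHER && !b.condition)[0];
  if (!pub) { pub = { role: PUBLISHER, members: [] }; bindings.push(pub); }
  if (pub.members.indexOf(GMAIL_PUSH) === -1) pub.members.push(GMAIL_PUSH);
  return { etag: policy.etag, bindings };
}

// Constructed sample matching the issue: only the caller's own service account was granted.
const samplePolicy: Policy = {
  etag: 'constructed-etag',
  bindings: [{ role: PUBLISHER, members: ['serviceAccount:watcher@example-project.iam.gserviceaccount.com'] }],
};
console.log(auditTopicPolicy(samplePolicy));
console.log(auditTopicPolicy(withGmailPublisher(samplePolicy)));
```

A non-empty `publicMembers` list means the topic accepts messages from anyone, which is broader than the watch call needs.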