
SA not working

Open hyperknot opened this issue 2 years ago • 6 comments

Describe the bug

I did the SA account JSON key on a paid account as written. It doesn't work.

To Reproduce

Steps to reproduce the behavior:

Run

gwbackupy --service-account-key-filepath sa.json gmail backup --email [email protected]
INFO 2023-08-08 13:33:10,814 - Starting backup for [email protected]
INFO 2023-08-08 13:33:10,814 - Scanning backup storage...
INFO 2023-08-08 13:33:10,814 - Stored items: 0
INFO 2023-08-08 13:33:10,814 - Backing up labels...
INFO 2023-08-08 13:33:10,814 - Getting labels from server ([email protected])
INFO 2023-08-08 13:33:10,816 - file_cache is only supported with oauth2client<4.0.0
INFO 2023-08-08 13:33:10,818 - Attempting refresh to obtain initial access_token
INFO 2023-08-08 13:33:10,820 - Refreshing access_token
INFO 2023-08-08 13:33:10,981 - Failed to retrieve access token: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Desktop (please complete the following information): Ubuntu Linux CLI

hyperknot Aug 08 '23 13:08

I've found the following writeup about delegating domain-wide authority, but it still doesn't work. https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

What is the scope I might need to add there?

hyperknot Aug 08 '23 13:08

Found the correct scope on the GAM wiki https://github.com/GAM-team/got-your-back/wiki#google-workspace-admins

hyperknot Aug 08 '23 14:08

@hyperknot Did you generate SA access based on this guide? Service Account Setup

kamarton Aug 09 '23 05:08

Yes, but the last part is missing. Steps 12-16 in the linked GYB wiki.

hyperknot Aug 09 '23 16:08

Scope https://mail.google.com/ in domain-wide authority is working

petrovicivan Aug 16 '23 19:08

The documentation is incomplete and incorrect. Domain-wide authorization is required for SA operation.

In editing the SA on the cloud console, the domain-wide delegation https://mail.google.com/ scope is enough.

kamarton Feb 04 '24 05:02
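
An added example, not part of the thread or of gwbackupy's code: it pulls the token error out of log output like the one in the report, and maps `unauthorized_client` to the client ID and scope that must be authorized for domain-wide delegation. The function names, the service-account key fields shown (constructed, no private key) and `user@example.com` are assumptions for illustration; the claim names follow the Google service-account OAuth guide linked above.

```python
import json
import time

MARKER = "Failed to retrieve access token:"
GMAIL_SCOPE = "https://mail.google.com/"  # scope reported as working in this thread

# Constructed sample input: log excerpt shaped like the report, fake key metadata.
SAMPLE_LOG = """INFO 2023-08-08 13:33:10,820 - Refreshing access_token
INFO 2023-08-08 13:33:10,981 - Failed to retrieve access token: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
"""
SAMPLE_KEY = {"client_email": "backup@example-project.iam.gserviceaccount.com",
              "client_id": "100000000000000000000",
              "token_uri": "https://oauth2.googleapis.com/token"}

def extract_token_error(log_text):
    """Return the JSON error object logged after MARKER, or None if absent."""
    pos = log_text.find(MARKER)
    start = log_text.find("{", pos) if pos != -1 else -1
    if start == -1:
        return None
    obj, _end = json.JSONDecoder().raw_decode(log_text, start)  # stops at closing brace
    return obj

def delegation_claims(sa_key, subject, scopes, now=None):
    """Claim set of the JWT a service account signs to act as `subject`."""
    now = int(time.time()) if now is None else int(now)
    return {"iss": sa_key["client_email"],   # the service account itself
            "sub": subject,                  # the mailbox owner being impersonated
            "scope": " ".join(scopes),       # must match what the admin authorized
            "aud": sa_key["token_uri"], "iat": now, "exp": now + 3600}

def diagnose(log_text, sa_key, subject, scopes):
    """Turn a logged token error into the setting an admin should check."""
    err = extract_token_error(log_text)
    if err is None:
        return "no token error in log"
    if err.get("error") == "unauthorized_client":
        return ("authorize client ID %s for domain-wide delegation with scope(s) %s, "
                "then retry as %s" % (sa_key["client_id"], ",".join(scopes), subject))
    return "unhandled token error: %s" % err.get("error")

if __name__ == "__main__":
    print(json.dumps(delegation_claims(SAMPLE_KEY, "user@example.com", [GMAIL_SCOPE]), indent=2))
    print(diagnose(SAMPLE_LOG, SAMPLE_KEY, "user@example.com", [GMAIL_SCOPE]))
```

The `sub` claim is what makes the request a delegated one, so the token endpoint rejects it until the key's `client_id` is authorized for the requested scope.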