Google Analytics API: "User does not have sufficient permissions for this account."

David Elner picture David Elner · Jan 6, 2014 · Viewed 58.5k times · Source

I'm writing a Ruby app that accesses the Google Analytics API to pull down some experiment information.

The app connects and authenticates using a Google Service Account via the following function:

def connect
  ...
  @@client = Google::APIClient.new(:application_name => 'My Service App', 
                                    :application_version => '1.0.0')
  key_file = Rails.root.join('config', 'privatekey.p12').to_s
  key_secret = 'somesecret'
  key = Google::APIClient::PKCS12.load_key(key_file, key_secret)
  asserter = Google::APIClient::JWTAsserter.new(
    SECRETS[:google_service_account_email],
    ['https://www.googleapis.com/auth/yt-analytics.readonly',
     'https://www.googleapis.com/auth/analytics.readonly'
    ],
    key
  )
  @@client.authorization = asserter.authorize()
  ...
end

...which authenticates and discovers both APIs without issue.

Using the client against the YouTube Analytics API works without issue. Using the same exact account to access the Analytics API via...

response = @@client.execute({
  # 'analytics is the API object retrieved via discover_api()
  :api_method => analytics.management.experiments.list, 
  :parameters => {
    'accountId' => 'AAAAAAAA',
    'profileId' => 'PPPPPPPP',
    'webPropertyId' => 'UA-WWWWWWWW-#'
  }
})

Results in a 403 error response:

{"domain":"global","reason":"insufficientPermissions","message":"User does not have sufficient permissions for this account."}

In regards to authorization, I have double-checked the account [email protected]:

  • Has full permissions to the Google Analytics web interface. I logged in using the [email protected] account and was able to view the same Experiments I attempted to list.
  • Has enabled the Analytics API. Within the API Console, I confirmed in the Services section that the Analytics API item is switch to ON. (Just like YouTube Analytics is.)
  • I am using the appropriate AccountID, ProfileID, and WebPropertyID values. Copied directly from the Google Analytics web interface.

Given that the service account can access at least one API (YouTube Analytics), and the associated account ([email protected]) can access the Analytics web interface, there seems to be something wrong with the service account accessing the Analytics API in particular.

Any ideas?

Similar topics:

Answer

Goose picture Goose · Jan 7, 2014

Make sure you give the service account email (something like [email protected]) permissions to read/write from your GA view.

Admin > View > User Management > "Add permissions for:"