- Notifications
You must be signed in to change notification settings - Fork262
Description
A service account is created and the spreadsheet is shared with the service account e-mail. However when using sheetsV4 as below the error that comes back is
forbidden: Method doesn't allow unregistered callers (callers without established identity)
Details
/home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:244:in 'Google::Apis::Core::HttpCommand#check_status': forbidden: Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API. (Google::Apis::ClientError)from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/api_command.rb:135:in 'Google::Apis::Core::ApiCommand#check_status'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:207:in 'Google::Apis::Core::HttpCommand#process_response'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:331:in 'Google::Apis::Core::HttpCommand#execute_once'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:131:in 'block (2 levels) in Google::Apis::Core::HttpCommand#do_retry'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/retriable-3.1.2/lib/retriable.rb:61:in 'block in Retriable.retriable'from <internal:numeric>:257:in 'Integer#times'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/retriable-3.1.2/lib/retriable.rb:56:in 'Retriable.retriable'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:128:in 'block in Google::Apis::Core::HttpCommand#do_retry'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/retriable-3.1.2/lib/retriable.rb:61:in 'block in Retriable.retriable'from <internal:numeric>:257:in 'Integer#times'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/retriable-3.1.2/lib/retriable.rb:56:in 'Retriable.retriable'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:118:in 'Google::Apis::Core::HttpCommand#do_retry'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/http_command.rb:109:in 'Google::Apis::Core::HttpCommand#execute'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-apis-core-0.18.0/lib/google/apis/core/base_service.rb:507:in 'Google::Apis::Core::BaseService#execute_or_queue_command'from /home/david/programs/chihiro/.bundler/ruby/3.4.0/gems/google-api-client-0.53.0/generated/google/apis/sheets_v4/service.rb:167:in 'Google::Apis::SheetsV4::SheetsService#get_spreadsheet'from main.rb:25:in '<main>'This makes no sense because the service account is basically its own identity. It is completely unclear how this "identity" is determined or how we can establish an identity to this service account, whatever that means. This may be an issue with the way the library code is calling the API because this sometimes works on other google accounts.
The code:
require'google/apis/sheets_v4'require'googleauth'SCOPES=['https://www.googleapis.com/auth/drive','https://www.googleapis.com/auth/spreadsheets']auth=Google::Auth::ServiceAccountCredentials.make_creds(json_key_io:File.open('service_account.json'),scopes:SCOPES)sheet=Google::Apis::SheetsV4::SheetsService.newsheet.authorization=authpsheet.get_spreadsheet('1T7kwW5-Hu1idYh1I6CpqgRHUj3SWCtVLP2qljTFL3hs')
If you read up to here
It is a difficult mistake to spot. The keyscopes does not exist. It needs to bescope (singular)
Recommendation
#make_creds should throw an error if the key provided is not a known or expected one. This needs to be tight, and should not be open to all sorts of options. Hopefully the team will consider this to reduce confusion during use of the API.