问题
I am trying to pull my reports from YouTube reporting API and upload them into GCS. Since I must use oauth2, I used Google's guide on creating a service account and giving it domain-wide authority. While I can get authenticated service to pull the reports at user level. I get "The caller does not have permission" when appengine runs the request. Any idea where to look next?
SCOPES = ['https://www.googleapis.com/auth/yt-analytics-monetary.readonly',
'https://www.googleapis.com/auth/youtubepartner-content-owner-readonly',
'https://www.googleapis.com/auth/devstorage.read_write']
SERVICE_ACCOUNT_FILE = 'file.json'
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
delegated_credentials = credentials.with_subject('email@email.com')
storage_client = build('storage', 'v1', credentials=credentials)
youtube_reporting = build('youtubereporting', 'v1',
credentials=credentials)
Traceback:
Traceback (most recent call last):
File "/base/alloc/tmpfs/dynamic_runtimes/python27/b93f87cfaa0115e5_unzipped/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1535, in __call__
rv = self.handle_exception(request, response, e)
File "/base/alloc/tmpfs/dynamic_runtimes/python27/b93f87cfaa0115e5_unzipped/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1529, in __call__
rv = self.router.dispatch(request, response)
File "/base/alloc/tmpfs/dynamic_runtimes/python27/b93f87cfaa0115e5_unzipped/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1278, in default_dispatcher
return route.handler_adapter(request, response)
File "/base/alloc/tmpfs/dynamic_runtimes/python27/b93f87cfaa0115e5_unzipped/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1102, in __call__
return handler.dispatch()
File "/base/alloc/tmpfs/dynamic_runtimes/python27/b93f87cfaa0115e5_unzipped/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 572, in dispatch
return self.handle_exception(e, self.app.debug)
File "/base/alloc/tmpfs/dynamic_runtimes/python27/b93f87cfaa0115e5_unzipped/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 570, in dispatch
return method(*args, **kwargs)
File "/base/data/home/apps/s~test-project-67412/20180712t103610.411083715789214207/main.py", line 66, in get
jobs = list_jobs(youtube_reporting, ContentOwner, True)
File "/base/data/home/apps/s~test-project-67412/20180712t103610.411083715789214207/main.py", line 52, in list_jobs
includeSystemManaged=True).execute()
File "/base/data/home/apps/s~test-project-67412/20180712t103610.411083715789214207/lib/googleapiclient/_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "/base/data/home/apps/s~test-project-67412/20180712t103610.411083715789214207/lib/googleapiclient/http.py", line 840, in execute
raise HttpError(resp, content, uri=self.uri)
HttpError: <HttpError 403 when requesting https://youtubereporting.googleapis.com/v1/jobs?onBehalfOfContentOwner=ContentOwner&alt=json&includeSystemManaged=true returned "The caller does not have permission">
--UPDATE-- So I guess it had to do with Domain-wide authority for service account. I deleted the account, created a new one, gave it domain-wide authority, and it works just fine now.
来源:https://stackoverflow.com/questions/51291769/appengine-server-to-server-authentication-and-google-domain-wide-authority