I am trying to set up domain wide delegation with Google so I can have access to a workspace calendar. I've followed through the documentation and here is what I've got so far:

• Service account for the app is set up
• Google Calendar API is enabled for this account
• Generated and saved JSON key
• Added app's account Client ID to Security -> API Controls -> Domain-wide Delegation with correct scopes

App's service account:

Workspace:

And here is my simple Ruby code for retrieving a simple calendar event:

google_calendar_service = ::Google::Apis::CalendarV3::CalendarService.new
google_calendar_service.authorization ::Google::Auth::ServiceAccountCredentials.make_creds(json_key_io: File.open(PATH_TO_JSON_FILE), scope: MY_SCOPES)

google_calendars.get_event(owner_email, event_id)

Both owner_email and event_id are correct as I have a working code that uses OAuth2 and it can get the event as expected.

What am I missing?

CodePudding user response：

You need to add the subject that you are going to delegate as. This needs to be the user on your domain which you want the service account to act on behalf of

Check the authorizer.sub line.

 authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
      json_key_io: StringIO.new(File.read AppConfig[:credentials_file]),
      scope: AppConfig[:cal_scope]).dup
    authorizer.sub = @person
    authorizer.fetch_access_token!