I am trying to set up domain wide delegation with Google so I can have access to a workspace calendar. I've followed through the documentation and here is what I've got so far:
- Service account for the app is set up
- Google Calendar API is enabled for this account
- Generated and saved JSON key
- Added app's account Client ID to Security -> API Controls -> Domain-wide Delegation with correct scopes
App's service account:
Workspace:
And here is my simple Ruby code for retrieving a simple calendar event:
```ruby
require 'googleauth'
require 'google/apis/calendar_v3'

google_calendar_service = ::Google::Apis::CalendarV3::CalendarService.new
google_calendar_service.authorization = ::Google::Auth::ServiceAccountCredentials.make_creds(json_key_io: File.open(PATH_TO_JSON_FILE), scope: MY_SCOPES)
google_calendar_service.get_event(owner_email, event_id)
```
Both `owner_email` and `event_id` are correct, as I have working code that uses OAuth2 and it can get the event as expected.
What am I missing?
CodePudding user response:
You need to add the subject that you are going to delegate as. This needs to be the user on your domain which you want the service account to act on behalf of.
Check the authorizer.sub line.
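```ruby
require 'googleauth'
require 'stringio'

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: StringIO.new(File.read(AppConfig[:credentials_file])),
  scope: AppConfig[:cal_scope]).dup
# The Workspace user the service account acts on behalf of
authorizer.sub = @person
authorizer.fetch_access_token!
```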
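What `authorizer.sub` changes on the wire, as an added example that is not part of the original thread: a service account authenticates by posting a signed JWT assertion to Google's token endpoint, and the `sub` claim names the Workspace user being impersonated. The sketch uses only Ruby's standard library; the throwaway RSA key, the service account e-mail, the user address and the helper names are constructed stand-ins.

```ruby
require 'openssl'
require 'json'

TOKEN_URI = 'https://oauth2.googleapis.com/token'
# Constructed sample values; the throwaway key stands in for the JSON key's private_key.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
SA_EMAIL = 'calendar-app@example-project.iam.gserviceaccount.com'
OWNER    = 'owner@example.com'
SCOPE    = 'https://www.googleapis.com/auth/calendar.readonly'

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  (text + '=' * ((4 - text.length % 4) % 4)).tr('-_', '+/').unpack1('m')
end

# Signed JWT assertion for the JWT-bearer grant; `subject` is what authorizer.sub sets.
def build_assertion(key, issuer:, scope:, subject: nil, now: Time.now.to_i)
  claims = { iss: issuer, scope: scope, aud: TOKEN_URI, iat: now, exp: now + 3600 }
  claims[:sub] = subject if subject
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Verify the signature and return the claim set as a Hash.
def assertion_claims(jwt, public_key)
  header, payload, signature = jwt.split('.')
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(signature), "#{header}.#{payload}")
  raise ArgumentError, 'signature does not verify' unless valid
  JSON.parse(b64url_decode(payload))
end

# The principal the resulting access token represents.
def effective_identity(claims)
  claims['sub'] || claims['iss']
end

if __FILE__ == $PROGRAM_NAME
  [nil, OWNER].each do |subject|
    jwt = build_assertion(DEMO_KEY, issuer: SA_EMAIL, scope: SCOPE, subject: subject)
    puts "sub=#{subject.inspect} -> token acts as #{effective_identity(assertion_claims(jwt, DEMO_KEY.public_key))}"
  end
end
```

Without `sub`, the assertion requests a token for the service account itself, which is not the calendar owner; the domain-wide delegation grant only applies once `sub` names a user in the domain.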