11
votes

I'd like to use a service account to access a Google Sheet via the Apps Script Execution API, but it's not clear from the documentation whether this is supported.

The steps I've tried (which result in a 403 status from the Execution API) are:

  1. Create a new (unbound) Apps Script
  2. Visit the linked Developer Console project
  3. Enable the Execution API
  4. Create a new service account within the same project (downloading the generated JSON file)
  5. Create a new Google Sheet and share it with the service account's email address (this is the step I'm least sure about)
  6. Write an apps script function that reads from the spreadsheet
  7. Run the script manually from the Script Editor (to set the scopes on the script correctly)
  8. Publish the script ("Deploy as API executable"), making it accessible to 'anyone'
  9. Mint a new OAuth2 token using the service account and the scopes linked to the script (in our case just 'https://www.googleapis.com/auth/spreadsheets')
  10. Attempt to make a call to the Execution API using the token

This is the response I got:

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Does this not work because Service Accounts are never able to access the Execution API? Or is there something wrong with the steps above?

3
You might be missing the Google script execution API scope on your token. - Zig Mandel
Thanks - I tried to find such a scope, but I couldn't. The only ones in the list of OAuth 2.0 Scopes for Google APIs are for accessing services through the Execution API, rather than for the Execution API itself. I also spotted that the docs say "In the application code, generate an OAuth access token for the API call. This is not a token the API itself uses, but rather one the script requires." - I read that (possibly wrongly) to mean that the assertion of identity is to the services the script consumes. - Stephen L
Did the answer fix your problem? Can you use the execution API with the service account? - Party Ark
Having the same issue here. Same ID for the project and the script. API execution enabled. User has access to the script, but still having the issue. - Maksim Luzik
@StephenL Did you ever find a solution for this problem? I'm currently having the same problem. - Busata

3 Answers

12
votes

Your original 403 error indicates that you have incorrectly set up authentication for your service account. However, even if you get that working, as of now (10 Nov 2015) you cannot execute Apps Scripts via the Service Account.

It's a known bug, and is being tracked in the Apps Scripts Issue Tracker.

4
votes

Currently (2020), service accounts cannot work with the Apps Script API. As written in the documentation:

Warning: The Apps Script API does not work with service accounts.

2
votes

Your problem is probably that the script is associated with the wrong project (i.e. its own project, instead of the project associated with your Service Account). Here is what you need to do:

From the Scripts editor select the following menu item: Resources > Developer Console Project.

On this screen enter the project number for your dev console.

cf this answer
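A pre-flight check based on the answers above, added here as an example and not code from any of the posters or from Google: it reads the `type` field of a credentials file to catch a service account before the call is made, and maps the 403 body from the question to the causes the answers name. The function names and sample credential values are constructed for illustration.

```python
import json

# Constructed sample inputs (not real credentials).
SERVICE_ACCOUNT_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
})
USER_CREDENTIALS = json.dumps({
    "type": "authorized_user",
    "client_id": "example.apps.googleusercontent.com",
    "refresh_token": "constructed-placeholder",
})
# The error body quoted in the question.
DENIED_BODY = json.dumps({"error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED",
}})


def credential_kind(key_json):
    """Return the 'type' field that Google credential files carry."""
    return json.loads(key_json).get("type", "unknown")


def preflight(key_json):
    """Reject credentials the Apps Script API is documented not to accept."""
    kind = credential_kind(key_json)
    if kind == "service_account":
        return (False, "service accounts are not supported by the Apps Script API")
    if kind == "authorized_user":
        return (True, "user OAuth credentials")
    return (False, "unrecognised credential type: " + kind)


def explain_denial(key_json, body):
    """Map an API error body plus the credential type to a likely cause."""
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return "unparseable response"
    if err.get("code") != 403 or err.get("status") != "PERMISSION_DENIED":
        return "not a permission error"
    ok, reason = preflight(key_json)
    if not ok:
        return reason
    # Suggestion taken from the last answer on this page.
    return "check that the script is associated with the calling project"
```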