1
votes

So I have set up my service account with domain-wide delegation as described in this post: Perform G Suite Domain-Wide Delegation of Authority. In the G Suite Admin Console I have authorized the service account to use the OAuth 2.0 scope:

https://www.googleapis.com/auth/calendar. 

Every time I try to create an event I end up with this error

GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "calendar",
"message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.",
"reason" : "forbiddenForServiceAccounts"
} ],
"message" : "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
}

// Builds the service-account credential; setServiceAccountUser(...) is never called,
// so no user is impersonated.
new GoogleCredential.Builder()
      .setTransport(HTTP_TRANSPORT)
      .setJsonFactory(JSON_FACTORY)
      .setServiceAccountId(json.get("client_id").getAsString)
      .setServiceAccountPrivateKeyId(json.get("private_key_id").getAsString)
      .setServiceAccountPrivateKey(getPrivateKeyFromPkcs8(jsonCreds.get("private_key").getAsString))
      .setServiceAccountScopes(SCOPES)
      .build()

This is building the Google credential. No impersonation is used, and the calendar is shared with the service account.

2
I think you need to go back and make sure that you have set up delegation properly; it seems to not have worked. Please edit your question and include your code; I would like to see how you have the process set up. Make sure you have added a user to impersonate. - DaImTo
@DalmTo So, the way the integration is set up is that it does not impersonate a user, but instead the calendar is shared with the service account, and the service account has the ability to create and delete events. I can confirm that impersonating a user does indeed create the event with no issues. I inherited this integration from a previous dev, so for the most part I am trying to recreate how we have the integration set up. - JDelgado
Here is my solution step by step: stackoverflow.com/a/63715242/5212039 - Anathorn

2 Answers

3
votes

Service accounts are their own user. They have their own Google calendar account.

If you want to give a service account access to another calendar there are two ways of doing that.

  1. You could share the calendar with the service account. This will give it access to the calendar like any other user. When creating events, they will be created by the service account.

  2. If you have a G Suite account, as you do, then you can use domain-wide delegation, which will allow the service account to impersonate another user. Then, when the service account creates events, the event will be created by that user.

I hope this helps to clear things up for you a bit.

3
votes

Contacted G Suite support and any service accounts made after March 2, 2020 will no longer be able to invite guests to events without using impersonation.
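
The impersonation route from the two answers above, as an added example that is not part of the original posts. It uses the same `GoogleCredential` builder as the question and adds the delegated user. The key file name, the impersonated user and the attendee address are placeholders.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.util.DateTime;
import com.google.api.services.calendar.Calendar;
import com.google.api.services.calendar.CalendarScopes;
import com.google.api.services.calendar.model.Event;
import com.google.api.services.calendar.model.EventAttendee;
import com.google.api.services.calendar.model.EventDateTime;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Collections;

public class DelegatedInvite {
    // Placeholders (assumptions): key file path and the domain user to impersonate.
    static final String KEY_FILE = "service-account.json";
    static final String IMPERSONATED_USER = "organizer@example.com";

    static GoogleCredential delegatedCredential() throws Exception {
        try (InputStream in = new FileInputStream(KEY_FILE)) {
            GoogleCredential base = GoogleCredential.fromStream(in);
            return new GoogleCredential.Builder()
                .setTransport(base.getTransport())
                .setJsonFactory(base.getJsonFactory())
                .setServiceAccountId(base.getServiceAccountId())
                .setServiceAccountPrivateKey(base.getServiceAccountPrivateKey())
                .setServiceAccountPrivateKeyId(base.getServiceAccountPrivateKeyId())
                // Request only the scope that was authorized in the Admin Console.
                .setServiceAccountScopes(Collections.singleton(CalendarScopes.CALENDAR))
                // Without this call the token belongs to the service account itself.
                .setServiceAccountUser(IMPERSONATED_USER)
                .build();
        }
    }

    public static void main(String[] args) throws Exception {
        GoogleCredential cred = delegatedCredential();
        Calendar calendar = new Calendar.Builder(cred.getTransport(), cred.getJsonFactory(), cred)
            .setApplicationName("delegated-invite-example")
            .build();
        long start = System.currentTimeMillis() + 3_600_000L; // one hour from now
        Event event = new Event()
            .setSummary("Delegation test")
            .setStart(new EventDateTime().setDateTime(new DateTime(start)))
            .setEnd(new EventDateTime().setDateTime(new DateTime(start + 1_800_000L)))
            .setAttendees(Collections.singletonList(new EventAttendee().setEmail("guest@example.com")));
        // "primary" is the impersonated user's calendar, so that user is the organizer.
        Event created = calendar.events().insert("primary", event).execute();
        System.out.println(created.getHtmlLink());
    }
}
```

The delegated token acts as the impersonated user for everything the authorized scope allows, so keep the scope list as narrow as the Admin Console grant.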