Google-api-nodejs-client: service account with owner rights has insufficient permissions

Created on 9 Oct 2018 · 29 Comments · Source: googleapis/google-api-nodejs-client

Hello,

I finally managed to make a successful api call with this npm package;
publisher.inappproducts.list({ ... returns the expected result and everything is great.
But when I go for:

publisher.purchases.subscriptions.get({ 
  packageName: packageName, 
  subscriptionId: subscriptionId, 
  token: token
}) ...

It always returns the same error:
The current user has insufficient permissions to perform the requested operation.
Assuming that:

  • The current user is a service account with the highest possible permissions granted in both the developer console and the google play console. (including "view financial data")
  • The project in the google developer console is linked to the app in the google play console.
  • The packageName, subscriptionId and token parameters sent are valid.

What could possibly be missing?
Is a refresh_token needed with service accounts?
Could there be discrepancy between the permissions shown in the UI and the actual permissions granted to the service account?
Does the service account need to "accept" the invitation to be a "owner"?
Is there a way to list the service account's permissions through the API?

Here is the code I use for authentication:

const {google} = require('googleapis');

async function main () {
    // This method looks for the GCLOUD_PROJECT and GOOGLE_APPLICATION_CREDENTIALS
    // environment variables.
    const auth = await google.auth.getClient({
        // Scopes can be specified either as an array or as a single, space-delimited string.
        scopes: ['https://www.googleapis.com/auth/androidpublisher']
    });

    // obtain the current project Id
    const project = await google.auth.getProjectId();

    const publisher = google.androidpublisher({
        auth: auth,
        version: 'v3',
        project: project
    });
...

Environment details

  • OS: OSX 10.14 (Mojave)
  • Node.js version: 8.11.4
  • npm version: 5.6.0
  • googleapis version: 34.0.0

Thanks for making it down here.

androidpublisher external p2 bug


All 29 comments

@fel-dev any updates?

Hey @lfreneda ,

It finally worked, I don't remember what I changed exactly but saw this comment in my code:

// Didn't work, waited a few days, worked. Permissions probably need time to propagate.
publisher.purchases.subscriptions.get({
                packageName: packageName,
                ...

So maybe try waving a dead chicken over your code and come back a few days later, it worked for me!

@fel-dev I couldn't find any documentation that says "few days are required in order to propagate correctly the permissions". I also wrote an email to Google support asking a bunch of questions including this one but still no response from them. I did the same as you described in the issue - giving administrator permissions to my service account from both Developer console and the Google play console. Seems to be blocking issue with high priority since we are not able to validate in-app purchase within server side. Any updates what actually happens here?

@luboganchev Yeah, I also couldn't find any documentation about permissions needing time to propagate, maybe that's not the issue at all. But I remember quite clearly leaving the code aside for some more urgent task, then coming back to it a few days later and it all worked on first try before I changed anything. As unhelpful as that might be, it's really all I've got for you.

Again, I reserve myself the right to be wrong...

Thanks for your help of course but how we can escalate this problem and some tech guy from Google to take a look at this blocking issue?

Just to inform what's happening with my case. From the time when I setup full privileges to my service account to actual propagating the permissions from Google, it takes 24 hours. So if someone gives admin access to his/her own service account it should wait at least one day in order to verify In-App purchase from the server side. It will be great if Google representative document this behavior in order to be more transparent for further users.

Any delay if this lagging happens for permission upgrades to other services as well? I am trying to set up domain-wide delegation for connecting a service account with gsuite and even though I followed every step on every guide out there - Google wasn't very helpful in this regard - I still get unauthorized calls citing lack of permissions.

Any delay if this lagging happens for permission upgrades to other services as well? I am trying to set up domain-wide delegation for connecting a service account with gsuite and even though I followed every step on every guide out there - Google wasn't very helpful in this regard - I still get unauthorized calls citing lack of permissions.

Probably for each Google service is implemented the same permissions propagating functionality with some Message Queue or Background Job running on some interval of time.

I had the same problem: The current user has insufficient permissions to perform the requested operation.

It was resolved after waiting for 24-48 hours without touching the code. The same code / access key that was denied access previously suddenly started working. I am not exactly sure how long the wait has to be, in my experience it is closer to the 48h mark.

P.S. My sample code in Python:

import httplib2

from googleapiclient.discovery import build
from oauth2client.service_account import ServiceAccountCredentials

credentials = ServiceAccountCredentials.from_json_keyfile_name('api.json', scopes='https://www.googleapis.com/auth/androidpublisher')

http = httplib2.Http()
http = credentials.authorize(http)

service = build("androidpublisher", "v3", http=http)
purchases = service.purchases()
subscriptions = purchases.subscriptions()
get = subscriptions.get(
    packageName='foo',
    subscriptionId='bar',
    token='baz'
)
result = get.execute()
print(result)

I have found out that the issue is indeed not on the client side. I have a piece of code that works, but only once out of 4 times. Yesterday not at all. Perhaps tomorrow every time?

Right now, I frequently get the "The current user has insufficient permissions to perform the requested operation." message, and every once in a while I get the proper receipt validation. It seems that my service account is not fully propagated yet over all API handling servers somehow.

_Update one day later: I can verify, it now totally works as it should. So first, it did not work, then after a day or so every once in a while and now fully. So you need indeed 48h before your service account is fully working._

I have the same problem. Created an account and gave permissions around an hour ago. Will wait and report back after some time.

Around 26 hours and the error disappeared. I have not made any changes to the code.

This does seem like either a bug, or at least behavior that needs to be better documented; labeling as such :+1:

I am also experiencing the same issue here. I am able to read publisher.inappproducts.list({ successfully. But I am getting "The current user has insufficient permissions to perform the requested operation." for
publisher.purchases.subscriptions.get({ packageName: packageName, ...

I waited for 24 hrs. I still see the same error. Any suggestions, in addition to wait for another 24 hours. Thanks.

I have discussed this issue with the external product team. It's a known issue that it can take up to 24 hours for account changes to be reflected in the Subscriptions API, i.e., folks haven't been imagining this.

I'm working with Googlers currently to either document this limitation, or address the bug :+1:


@thejask 18 days _is not_ the expected behavior. I wonder if there's a chance you didn't give permissive enough permissions to your service account, following @luboganchev's advice, something along the lines of:

FYI: Seems like I just had to wait about 4 days (!) in order to get rid of the "insufficient permissions" message after setting up a service account & linking it in the Google Play console. Had already given up any hope.

Is 'Financial data' permission enough for getting subscription data? (or) Need to give full permission to the service account? Please help.

Hi @Dhineshss and to everyone,

One thing that helps me was to add another subscription product on play store developer console. After that, I was able to fetch the API using the service account I created linked and granted to the console.

I hope this can help, or if not, you may try other suggestions.

I ran into this error as well today. I set up a fresh Service Account user and granted it all permissions and I get auth errors when calling publisher.purchases.subscriptions.get. However, I noticed I have access to at least one other route (publisher.inappproducts.list), so it's weird that only some of the permissions are propagating slower than others. I just wish there was some feedback so I know that waiting isn't just going to be wasting time.

Edit: The auth errors went away. It took about 48 hours for my permissions to propagate.

Why is this so slow ?
EDIT: After I created a new Managed Product, it immediately started to work. Triggered something probably.

Is there any update on this? Setting service accounts up with owner permission does not propagate within a day. Would expect this to be instant.

cc: @bcoe

After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

Hi, I have waited 24 hours and it is still not working. I also edited my product and I still have 'The current user has insufficient permissions to perform the requested operation.'

Do I have to follow this documentation https://developers.google.com/android-publisher/authorization ? I have now an access_token and a refresh_token and what am I supposed to do with googleapis ?

Experiencing the same with the https://www.googleapis.com/androidpublisher/v3/../edits api after creating service account with project owner role... Will wait and see if this is resolved within 48 hours.

After I did some updates to my subscription products (try edit description of your product and save), I instantly get permission.

This truly WORKED !!! Instantly and magically ! Just make a little change in subscription product name or description and save it. The error will be gone. No need to wait for 24 hours or any minute.

I am still facing the same problem even after updating the in-app products.

{
  "error": {
    "code": 401,
    "message": "The current user has insufficient permissions to perform the requested operation.",
    "errors": [
      {
        "message": "The current user has insufficient permissions to perform the requested operation.",
        "domain": "androidpublisher",
        "reason": "permissionDenied"
      }
    ]
  }
}

I tried modifying the in-app product description like adding a whitespace and dot in the end. And also waited for 48 hours but still nothing worked.

@kolagit Can you help me fix this?

Thanks
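
An added example (not code from this thread or from googleapis): a small probe that repeats one read-only call and tallies the error envelope quoted above, to tell a constant denial from the intermittent one reported earlier in the thread. The names `classify`, `probe` and `flakyCall`, and the `err.response.data` location of the error body, are assumptions; the API call is injected so the sample runs offline.

```javascript
// Added example, not code from the thread or from googleapis.
// Assumption: a failed call throws an error carrying the parsed body on
// err.response.data; a bare parsed body ({ error: ... }) is accepted too.
function classify(err) {
  const body = (err && err.response && err.response.data) || err || {};
  const e = body.error || {};
  const first = (e.errors && e.errors[0]) || {};
  if (first.domain === 'androidpublisher' && first.reason === 'permissionDenied') {
    return 'permission-denied'; // authenticated, but not authorized for this call
  }
  if (e.code === 401 || e.code === 403) return 'other-auth'; // e.g. bad or expired credentials
  return 'other'; // network failure, bad request, ...
}

// Repeat one read-only call and tally outcomes, so a constant denial can be
// told apart from one that only some attempts hit.
async function probe(call, attempts = 8, delayMs = 0) {
  const tally = { ok: 0, 'permission-denied': 0, 'other-auth': 0, other: 0 };
  for (let i = 0; i < attempts; i++) {
    try { await call(); tally.ok++; } catch (err) { tally[classify(err)]++; }
    if (delayMs) await new Promise((r) => setTimeout(r, delayMs));
  }
  let verdict = 'check-credentials-or-request';
  if (tally.ok === attempts) verdict = 'granted';
  else if (tally['permission-denied'] === attempts) verdict = 'denied';
  else if (tally.ok > 0 && tally['permission-denied'] > 0) verdict = 'intermittent';
  return { tally, verdict };
}

// Constructed sample: the error body quoted above, wrapped as a thrown error.
const DENIED = { response: { data: { error: {
  code: 401,
  message: 'The current user has insufficient permissions to perform the requested operation.',
  errors: [{ domain: 'androidpublisher', reason: 'permissionDenied' }],
} } } };

// Hypothetical stand-in for publisher.purchases.subscriptions.get(...):
// succeeds on every 4th call, as one commenter observed.
function flakyCall() {
  let n = 0;
  return async () => { if (++n % 4 !== 0) throw DENIED; return { data: {} }; };
}

probe(flakyCall(), 8).then((r) => console.log(r.verdict, r.tally));
```

A verdict of `check-credentials-or-request` means the failures were not the `permissionDenied` envelope at all, so the key file, scope or request parameters are the first thing to review.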

I am also encountering the 401 error with the same message, though I am using the edits.commit endpoint. The strange thing is that I only encounter this error for a specific package, and the error only started appearing after 11/4. All uploads for the said package were successful previously, and all other package uploads are still successful currently.

I got this issue fixed by making changes to the service account. Please follow these steps to configure and link your service account.

I got this issue fixed by making changes to the service account. Please follow these steps to configure and link your service account.

Thanks for the recommendation. My previous service account was still working for all my other packages and I didn't want to invalidate it, so I just changed the account permissions in the hope that it will fix it. Sadly no.

Then I created a new service account and granted the permissions, created json keys, waited for 48 hours.

So now in my Google Play Console API Access settings, I have 2 service accounts. My old service account is still working for all other packages but not working for one particular package, and my new service account doesn't work for any of the packages and gets the "The caller does not have permission" error when I call the edits.commit endpoint.
