I am trying to use the GSuite Package published by UiPath. https://integrations.uipath.com/docs/gsuite-application-scope
I am trying to use the Service Account Key Authentication as the OAuth Authentication is not suitable for unattended workers. I am having issues with getting the service account to work with sending and receiving emails.
I have followed the steps to enable the gmail api and setup a service account, authorise domain wide authentication and download the json file.
Any help would be greatly appreciated!
The Gmail component works only if you authorise using OAuth2 as a service account is considered a role and is thus unable to send email. This is documented in the Gmail authentication section on Googleâs website.
On the other hand, using the Domain wide Authentication checkbox does allow the service account the right to impersonate users, and thus send emails. Use this at your own caution.
To answer your question, you are going about the right way in doing this, but the configuration on Googleâs side is not trivial. I made it when testing, and it involves being organisational admin.
The issue is with IT giving access to domain wide authentication. The scope has been configured correctly otherwise, I am now just waiting on my IT team to give the proper access.
I would like to know further information on this matter.
I face the same problem.
After writing a topic like the link below in the UiPath Forum, I found your topic.
Please tell me what Roles you gave your service account in the GCP IAM settings.
Hi @Mihai_Dunareanu
I am using Get mail message activity inside Gsuite with âServiceAccountkeyâ as authentication type. while executing i found an error as "Precondition not met[404].
My question is Will bot checks for mail to read in the service account created? or any user mail has to be defined?
Please help at the earliest.
please find the image. These are the properties i have filled
Please help me with the above mentioned query. I am at urgency.
When we use authentication type as âService accountâ , is it possible to search for the required mail at âany Gmail user accountâ or only for the account where the service account has been created? Kindly advise
A service account key is a special type of Google account that belongs to your application instead of to an individual end-user. Your application calls Google APIs on behalf of the service account, so users arenât directly involved. For more information about Service account keys, see Understanding service accounts in the Google Cloud Documentation.
@marian.platonov Hi Marian, thank you very much for the reply.
My scenario is like I want to read a mail with attachment from Gmail account using service account key authentication. I am using Get mail message activity inside Gsuite scope. Please help to do the same?
How can we indicate in which gmail user account the mail has to be searched for?
Kindly advise
Assuming that you configured correctly the Service Account in your Google Cloud console project, the UiPath the GSuite Application Scope for a ServiceAccountKey authentification should look something like this:
This is how my property panel looks like.
I gave JSON key type. is it not possible to read mail using JSON??
or the issue might be due to roles assigned while creating service accounts?
Precondition not met[400] is the error i get.
Kindly advise
When you use UiPath Apps, you allow UiPath Robots to access the data inside your Google mail account. Subsequently, you allow UiPath Robots to manipulate the data solely in accordance with your instructions. UiPath will never access, store, or process in any manner the data that you manipulate with the use of UiPath Robots and will not allow for the Robots to be used outside the userâs instructions. UiPathâs use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
You can see the full UiPath Privacy Policy for more information.
Then take a look at these properties for a Service Account Key:
Service Account Key
The property fields below are required only if your AuthenticationType value is ServiceAccountKey.
HasDomainWideAccess - If checked, the activity grants domain-wide access to the service account.
KeyPath - The path to the service account key file. This property supports String variables and string formatted values. The creation of a service account on the Google Cloud Platform generates a key file for download.
KeyType - A drop-down list that specifies the service account type according to the key file.The available property values are JSON or P12. For a P12 service account type, the Password and ServiceAccountEmail properties are required.
Password - The password for the service account. This property supports String variables and string formatted values and is required only if your KeyType value is P12.
ServiceAccountEmail - The auto-generated email address for the service account. This property supports String variables and string formatted values and is required only if your KeyType value is P12.
UserEmail - If HasDomainWideAccess is checked, the service account impersonates a user from the domain; use this field to enter the impersonated userâs email address.
@marian.platonov
Get Mail Messages: Error:âunauthorized_clientâ, Description:âClient is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.â, Uri:ââ
âclient is unauthorized to retrieve access tokens using this methodâ.
Means exactly that. The client you have set up on Google developer console is either not a service account client or the code you are using is not meant for a service account client.
Make sure that the client you created on the google developer console is a service account client.
Make sure that you enabled the Gmail API in your project.
There are a couple of things you need to keep in mind:
Service Account can not be used with Gmail account, only with Gsuite (the paid Google services). This is because you need to âDelegate domain-wide accessâ in order for the Service Account to work, and this is not possible in Gmail.
If using GSuite you should follow the steps below:
Enable Domain Wide Delegation for the Service Account, copy the Client ID
and
Ask your Gsuite admin to allow the Domain Wide Delegation (send him the Client ID). It took me a while to find out that you have to enable Domain Wide Delegation both on your own end, as well as on the Admin side. Uso de OAuth 2.0 para aplicaciones de servidor a servidor
I think this is it, but I vaguely remember having to set up the Oauth consent screen in GCP as well. If you have to configure the consent screen, just put Application Type = public, make up a name, and put your e-mail as Support Email. The consent screen wonât be shown, as youâre using a Service Account which is pre-authenticated.
@marian.platonov Thank you somuch. That really helps!!
So to conclude my understanding, Inorder to access any Gmail account using ServiceAccount in Gsuite we should make sure the Service account created has been provided with certain permissions by admin
1)Gmail API Enable
2)Enable Domain Wide Delegation on both ends(Admin and in Gsuite Activity âHas Domainwide Access=Trueâ)
Hi @marian.platonov One More Question
I am able to read Google spreadsheet using the same service Account. I am not able to make it work for the âGet Mail Messageâ Activity. Is that something i am missing out? or is it due to permissions missing on âdelegation and GMail APIâ.
Please Advise
For Google Drive, Excel it will work, but for email, it will not work due to not Enabling Domain Wide Delegation for the Service Account and configuring it.
You may reconsider other approaches for Gmail automation without GSuite in this case.