GSuite Activity Gmail API Service Account Authentication

Hi all.

I am trying to use the GSuite Package published by UiPath.
https://integrations.uipath.com/docs/gsuite-application-scope
I am trying to use the Service Account Key Authentication as the OAuth Authentication is not suitable for unattended workers. I am having issues with getting the service account to work with sending and receiving emails.

I have followed the steps to enable the Gmail API, set up a service account, authorise domain-wide authentication and download the JSON file.
Any help would be greatly appreciated!

Hi Nicholas,

The Gmail component works only if you authorise using OAuth2 as a service account is considered a role and is thus unable to send email. This is documented in the Gmail authentication section on Google’s website.

On the other hand, using the Domain wide Authentication checkbox does allow the service account the right to impersonate users, and thus send emails. Use this at your own caution.

To answer your question, you are going about the right way in doing this, but the configuration on Google’s side is not trivial. I made it when testing, and it involves being organisational admin.

More info here: https://developers.google.com/+/domains/authentication/delegation

You probably just forgot to enable the gmail scope or some such detail. It should work, let me know how it went!

2 Likes

Hi @Mihai_Dunareanu,

The issue is with IT giving access to domain wide authentication. The scope has been configured correctly otherwise, I am now just waiting on my IT team to give the proper access.

Thank you!

nicholas-san,

I would like to know further information on this matter.
I face the same problem.
After writing a topic like the link below in the UiPath Forum, I found your topic.

Please tell me what Roles you gave your service account in the GCP IAM settings.

Regards,
Akio

I did not understand whether you have a Service Account Key or you want to use OAuth…

If you are using a Service Account key, you need to have a service account on GSuite, and then download the JSON file and copy it to a shared location.

Then in the drop-down menu choose Service key, fill in only these 2 lines and it will work.

Cheers,
Radomir

Hi @Mihai_Dunareanu
I am using the Get mail message activity inside GSuite with “ServiceAccountkey” as the authentication type. While executing I found an error: “Precondition not met[404]”.
My question is: will the bot check for mail to read in the service account created, or does a user mail have to be defined?
Please help at the earliest.
Please find the image. These are the properties I have filled in.

Hi all,

Please help me with the above mentioned query. I am at urgency.
When we use authentication type as “Service account” , is it possible to search for the required mail at “any Gmail user account” or only for the account where the service account has been created? Kindly advise

Service account key

A service account key is a special type of Google account that belongs to your application instead of to an individual end-user. Your application calls Google APIs on behalf of the service account, so users aren’t directly involved. For more information about Service account keys, see Understanding service accounts in the Google Cloud Documentation.

@marian.platonov Hi Marian, thank you very much for the reply.
My scenario is like I want to read a mail with attachment from Gmail account using service account key authentication. I am using Get mail message activity inside Gsuite scope. Please help to do the same?
How can we indicate in which gmail user account the mail has to be searched for?
Kindly advise

Thanks

Assuming that you correctly configured the Service Account in your Google Cloud console project, the UiPath GSuite Application Scope for ServiceAccountKey authentication should look something like this:

@marian.platonov Thank you very much!!


This is how my property panel looks.
I gave the JSON key type. Is it not possible to read mail using JSON?
Or might the issue be due to the roles assigned while creating service accounts?
“Precondition not met[400]” is the error I get.
Kindly advise

Please read carefully this documentation and configure the Properties of the GSuite Application Scope: Activities - GSuite Application Scope

When you use UiPath Apps, you allow UiPath Robots to access the data inside your Google mail account. Subsequently, you allow UiPath Robots to manipulate the data solely in accordance with your instructions. UiPath will never access, store, or process in any manner the data that you manipulate with the use of UiPath Robots and will not allow for the Robots to be used outside the user’s instructions. UiPath’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
You can see the full UiPath Privacy Policy for more information.

Then take a look at these properties for a Service Account Key:

Service Account Key

The property fields below are required only if your AuthenticationType value is ServiceAccountKey.

  • HasDomainWideAccess - If checked, the activity grants domain-wide access to the service account.
  • KeyPath - The path to the service account key file. This property supports String variables and string formatted values. The creation of a service account on the Google Cloud Platform generates a key file for download.
  • KeyType - A drop-down list that specifies the service account type according to the key file. The available property values are JSON or P12. For a P12 service account type, the Password and ServiceAccountEmail properties are required.
  • Password - The password for the service account. This property supports String variables and string formatted values and is required only if your KeyType value is P12.
  • ServiceAccountEmail - The auto-generated email address for the service account. This property supports String variables and string formatted values and is required only if your KeyType value is P12.
  • UserEmail - If HasDomainWideAccess is checked, the service account impersonates a user from the domain; use this field to enter the impersonated user’s email address.

@marian.platonov Thank you so much. While creating the Service Account, what role and permission have to be enabled for accessing Gmail accounts?

1 Like

@marian.platonov
Get Mail Messages: Error:“unauthorized_client”, Description:“Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.”, Uri:“”

please comment on this

“client is unauthorized to retrieve access tokens using this method”.

Means exactly that. The client you have set up on Google developer console is either not a service account client or the code you are using is not meant for a service account client.

Make sure that the client you created on the google developer console is a service account client.

Make sure that you enabled the Gmail API in your project.

There are a couple of things you need to keep in mind:

  • Service Account can not be used with Gmail account, only with Gsuite (the paid Google services). This is because you need to “Delegate domain-wide access” in order for the Service Account to work, and this is not possible in Gmail.

  • If using GSuite you should follow the steps below:

  1. Enable Gmail API (only follow “enable APIs” from here, not “create credentials”. That will be explained more clearly in links 2 and 3.) https://docs.uipath.com/activities/docs/about-google-gsuite-activities#enable-apis

  2. Create Service Account (and download JSON keyfile) Using OAuth 2.0 for Server to Server Applications | Google Identity

  3. Enable Domain Wide Delegation for the Service Account, copy the Client ID

  4. Ask your GSuite admin to allow the Domain Wide Delegation (send him the Client ID). It took me a while to find out that you have to enable Domain Wide Delegation both on your own end, as well as on the Admin side. Using OAuth 2.0 for Server to Server Applications

  5. I think this is it, but I vaguely remember having to set up the Oauth consent screen in GCP as well. If you have to configure the consent screen, just put Application Type = public, make up a name, and put your e-mail as Support Email. The consent screen won’t be shown, as you’re using a Service Account which is pre-authenticated.

Reference: GSuite - Gmail Activity Unauthorized client error - #30 by Jeroen

Please let me know if this was of any help, and if you managed to get through.

2 Likes
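The delegation setup described in the steps above, as an added example that is not part of any post in this thread or of UiPath's code: a pre-flight check of the key file and scope properties, plus the claim set of the token request, where `sub` is the field that selects which user's mailbox is read. The function names `preflight` and `delegated_claims` and the sample key are constructed for illustration; the read-only Gmail scope is an assumption chosen to keep the grant narrow.

```python
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
REQUIRED_KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")


def preflight(key_json, has_domain_wide_access, user_email):
    """Return a list of configuration problems (empty list means none found)."""
    problems = []
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        problems.append("key file is not a service account key (type=%r)" % key.get("type"))
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append("key file is missing %r" % field)
    if not has_domain_wide_access:
        problems.append("HasDomainWideAccess is off: no mailbox can be impersonated")
    elif not user_email:
        problems.append("UserEmail is empty: name the mailbox to impersonate")
    elif user_email.lower().endswith(("@gmail.com", "@googlemail.com")):
        problems.append("UserEmail is a consumer Gmail address: delegation needs a GSuite domain user")
    return problems


def delegated_claims(key_json, user_email, scopes=(GMAIL_READONLY,), now=None):
    """Claim set of the signed JWT a delegated service account sends for a token."""
    key = json.loads(key_json)
    iat = int(now if now is not None else time.time())
    return {
        "iss": key["client_email"],   # the service account itself
        "sub": user_email,            # the impersonated mailbox owner
        "scope": " ".join(scopes),    # must match scopes the admin authorised for client_id
        "aud": key.get("token_uri", TOKEN_URI),
        "iat": iat,
        "exp": iat + 3600,            # Google caps assertion lifetime at one hour
    }


# Constructed sample key file (placeholder values, not a real key).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "robot@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": TOKEN_URI,
})

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, True, ""))
    print(delegated_claims(SAMPLE_KEY, "user@example.com", now=0))
```

The `client_id` in the key file is the value the domain admin authorises, together with the exact scope string, so a mismatch in either is worth ruling out when the token request returns `unauthorized_client`.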

@marian.platonov Thank you so much. That really helps!!
So to conclude my understanding: in order to access any Gmail account using ServiceAccount in GSuite, we should make sure the Service account created has been provided with certain permissions by the admin:
1) Gmail API Enable
2) Enable Domain Wide Delegation on both ends (Admin and in GSuite Activity “Has Domainwide Access=True”)

Thanks,
Kiruthika

1 Like

Hi @marian.platonov One More Question
I am able to read a Google spreadsheet using the same service account. I am not able to make it work for the “Get Mail Message” activity. Is there something I am missing? Or is it due to permissions missing on “delegation and Gmail API”?
Please Advise

Thanks,
Kiruthika

For Google Drive, Excel it will work, but for email, it will not work due to not Enabling Domain Wide Delegation for the Service Account and configuring it.

You may reconsider other approaches for Gmail automation without GSuite in this case.

@marian.platonov Thank you very much!! That helps a lot!!

Hi @marian.platonov
Is it possible to use app script via Service account key Authentication ?

I came across this context


where it says “AppScript API doesnot work with Service Accounts”
Please advise