Hello,
I am having issues with the Gmail, send email activity under Gsuite. I am encountering this error:
I used service account key with service account role.
It seems like you are not properly authorized. I found this article on stack exchange that might help here.
There is a user there who states:
Service accounts only work with GSuite because you have to be able to preauthorize the service account and grant it access to the user's account. There is no way to preauthorize a normal user Gmail account. So no, you can't use a service account with a normal user's Gmail account.
Hi guys, indeed the only way you can use Gmail with a service account is if you check the UseDomainAdminAccess checkbox on the scope and impersonate a user by entering the user's email address in the User field.
However, this is not recommended in most cases. It should perhaps be used when you want to do a mass migrate so there are no users left on the domain and you just transfer their data.
In conclusion, you need to use OAuth2 Client Id to use Gmail.
Please make sure the setting in your gmail accounts is allowed or enable pop or imap setting.
Hi @loginerror
Followed the article on stack exchange, but still got Source: Read Range Error: "unauthorized_client", can you help me where is missing?
What I have done:
Input AuthenticationType: ServiceAccountKey Services: Gmail, Sheets
HasDomainWideAccess: checked
KeyPath: the same JSON file was used which was successfully "Read Range" when Sheets is the only Service.
UserEmail: "samuel@mubie.com" (the admin of domain)
Client Name: Unique ID of Service account
One or More API Scopes: https://www.googleapis.com/auth/gmail / https://www.googleapis.com/auth/sheets
***Not sure whether this is the problem or not… On the Service account details page, there is a square box to be checked for Enable G Suite Domain-wide Delegation, but can not check
@MubieSam_Lin
As pointed out previously, to use ServiceAccount authentication with Gmail activities, you need to have Domain-wide Delegation active.
This is a feature that is available for enterprise applications and can be turned on by administrator of G Suite domains. This is not available for personal accounts.
If you are not in a G Suite domain or cannot get the necessary permission to use domain-wide delegation, then it's probably best to use a different authentication method, like OAuth2.
That's strange, UserEmail: "samuel@mubie.com" (this is the admin of domain mubie.com in G Suite)
I was able to Authorize in Manage API client access, but where is missing?
According to your previous reply, the checkbox for "Enable G Suite Domain-wide Delegation" is disabled. If you manage to enable that, the activities should work as you expect.
that was the question, why I can not check that box, any suggestion where I should look into…
That is a configuration done on G Suite's side, so unfortunately I cannot help much with it.
According to google cloud platform - Why Domain Admin Cannot Enable Domain Wide Delegation for Service Accounts? - Server Fault, there can be different kinds of admin, so you might want to check whether your admin account has the necessary permissions.
It's kind of frustrating with all the confusion…
Followed your suggestion, while trying to Perform G Suite Domain-Wide Delegation of Authority, it needs the Client ID, but the Service account does not have a Client ID, only a "Unique ID".
So this comes back to the basic question, which Authentication type should we use… OAuthClientID or ServiceAccountKey?
From previous replies, OAuthClientID is suggested, but how about this issue?
The OAuth Client ID method works with all GSuite services, however it's recommended for attended automation because user consent is required before the robot can access your Google account.
Besides, while trying to Create Credentials OAuth2, what Application type should I choose? Authorized JavaScript origins? Authorized redirect URIs? And what should I put for the user inArgument?
Your help is highly appreciated.
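As an added example (not part of any post in this thread, and not UiPath or Google code): a Python pre-flight check for the service-account route discussed above. It reads the key file's `client_id` field, which holds the same number the console shows as "Unique ID" and is the value the domain-wide delegation form asks for, and checks the requested scopes against a short allowlist. The function name `preflight`, the allowlist and the sample key are constructed for illustration.

```python
import json

# Scopes Google publishes for the APIs used in this thread (a subset, extend as needed).
KNOWN_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/spreadsheets.readonly",
    "https://www.googleapis.com/auth/drive",
}
REQUIRED_KEY_FIELDS = ("type", "client_id", "client_email", "private_key")


def preflight(key_json, scopes, user_email):
    """Return the values to authorize in the Admin console plus any problems found."""
    key = json.loads(key_json)
    problems = [f"key file lacks '{f}'" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"key type is {key.get('type')!r}, not 'service_account'")
    problems += [f"unrecognised scope: {s}" for s in scopes if s not in KNOWN_SCOPES]
    # Impersonation needs a user in a managed domain, not a consumer Gmail account.
    domain = user_email.rpartition("@")[2].lower() if "@" in user_email else ""
    if domain in ("", "gmail.com", "googlemail.com"):
        problems.append(f"{user_email!r} is not a managed-domain account")
    return {
        "client_id": key.get("client_id"),  # shown as "Unique ID" in the console
        "scope_list": ",".join(s for s in scopes if s in KNOWN_SCOPES),
        "problems": problems,
    }


# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "robot@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER",
})

if __name__ == "__main__":
    requested = ["https://www.googleapis.com/auth/gmail",
                 "https://www.googleapis.com/auth/spreadsheets"]
    report = preflight(SAMPLE_KEY, requested, "admin@example.com")
    print("Client ID to authorize:", report["client_id"])
    print("Scopes (comma-delimited):", report["scope_list"])
    for p in report["problems"]:
        print("PROBLEM:", p)
```
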
So this comes back to the basic question, which Authentication type should we use… OAuthClientID or ServiceAccountKey?
When you use Service Account, then the property AuthenticationType should be set to ServiceAccountKey: Activities - GSuite Application Scope
After you set up your Service Account, you'll be able to download the JSON file that acts as the key: Authenticate for using client libraries | Authentication | Google Cloud
From previous replies, OAuthClientID is suggested, but how about this issue?
The OAuth Client ID method works with all GSuite services, however it's recommended for attended automation because user consent is required before the robot can access your Google account.
Yes, when you use OAuth Client ID, the robot will use a user's account, so the user is prompted to allow that. But it can access any resource available to the user without further configuration necessary.
Besides, while trying to Create Credentials OAuth2, what Application type should I choose? Authorized JavaScript origins? Authorized redirect URIs? And what should I put for the user inArgument?
For the application type, choose "Other".
I have created samples showing how to use the three kinds of authentication, including detailed instructions on how to set things up on G Suite. Since I did it a few months ago, there might be a few differences, but it should be possible to get the main idea.
GSuiteActivitiesAPIKeySample.zip (3.5 KB)
GSuiteActivitiesOAuthSample.zip (11.2 KB)
GSuiteActivitiesServiceAccountSample.zip (11.4 KB)
@Mateus_Cruz Thanks for the samples, it's really helpful.
@Mateus_Cruz While following your sample for OAuth, there is an error for "NetworkCredential" undefined.
Assign ClientSecret = new NetworkCredential(string.Empty, Password).Password
Can not find NetworkCredential in Variables in your sample, but there is no error in your sample, how come I will have this error?
In the "Imports" tab (the one beside "Arguments"), type System.Net
and add that namespace.
Got it, thanks
Hi @Mateus_Cruz
Got an error on the browser while trying to run the process on Studio, I had AssetName "GsuiteLogin" for the credentials on the Orchestrator. Any idea where I'm missing?
Error: invalid_client
The OAuth client was not found.
access_type=offline
response_type=code
client_id="3893xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
redirect_uri=http://127.0.0.1:54468/authorize/
scope=https://www.googleapis.com/auth/drive https://mail.google.com/ https://www.googleapis.com/auth/spreadsheets
Error message on Studio
19.7.0+Branch.master.Sha.8c253d13718eed5c7db27daef6facd1fe1b0d067
Source: GSuite Application Scope
Message: The client did not complete the token exchange after the default 60 seconds, and as a result the operation was canceled.
Exception Type: System.TimeoutException
RemoteException wrapping System.TimeoutException: The client did not complete the token exchange after the default 60 seconds, and as a result the operation was canceled.
at UiPath.GSuite.Activities.GSuiteApplicationScope.Execute(NativeActivityContext context)
at System.Activities.NativeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.ActivityInstance.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
Did you take more than 60 seconds to input your username and password?
The problem is the error on browser, it stopped the process, The OAuth client was not found.
But it should get the credentials from Asset on Orchestrator, right?
Hi @Mateus_Cruz
I used your sample with my asset of credentials, got the same error, any idea where I might be wrong?
Thanks