Alright, I found this information on Stack: You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons: The user has revoked access. The token has not been used for six months. The user account has exceeded a certain number of token requests. There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning. (from developers.google.com/accounts/docs/OAuth2)
I didn't realize that once I authenticate for the first time, it'll practically keep me authenticated for as long as I need (within the above confinements). So, I was wrong... I guess I do not need impersonation. OAuth2 should work just fine. I just have one remaining questions: 1. This question, from two comments up: "So what are my options for linking all of this into a workspace? Do we need to restart from scratch? That would be quite troublesome." I'd still like to know the solution to this, as we may like to use the workspace for other reasons in the future. Are we stuck with the only option of restarting? On Friday, October 7, 2022 at 8:52:27 AM UTC-7 Chad Wood wrote: > Based on our conversion, it appears that I do have the domain specific > requirement of impersonation. > > Are we out of luck? > > On Friday, October 7, 2022 at 8:37:54 AM UTC-7 Chad Wood wrote: > >> Thanks Adsapi, >> >> I guess I am confused then. My company already established a Google Ads >> account using an @gmail email account. They weren't required to comply with >> workspace requirements when they created the Ads account. Same goes for >> GTM, GA4, and Firebase. Our presence on these platforms is already >> established -- using @gmail, mind you. >> >> So what are my options for linking all of this into a workspace? Do we >> need to restart from scratch? That would be quite troublesome. >> >> On Friday, October 7, 2022 at 4:35:26 AM UTC-7 adsapi wrote: >> >>> Hi Chad, >>> >>> >>> Thank you for getting back to us. I work with Peter and allow me to >>> assist you here. I hope you are doing well today. >>> >>> >>> Please see my response to your query below. >>> >>> >>> 1.) Alright, it's becoming more clear now. >>> >>> Correct me if I am wrong, but here's what I think is going on: >>> >>> * I created the service account for API use to Google Analytics 4, >>> and I just added the service account to the authorized users as view-only. >>> >>> * Google Ads REQUIRES that invitees accept the invitation via email. >>> This is impossible for a service account, therefore my service account can >>> not directly access Google Ads >>> >>> * To bypass this, I must impersonate my personal email with the >>> service account. Impersonation requires the service account to have Domain >>> Wide Delegation >>> >>> >>> >>> Okay, fair enough. I checked and we don't have the admin.google.com account >>> so that I can set up Domain Wide Delegation. >>> >>> Unless I am mistaken somehow. But I don't see any indication that we >>> have such an account. >>> >>> I take it that I will need to create this admin.google.com account with >>> an internal email, say goo...@mycompany.com. >>> >>> But then I assume I must manually add the *main email** and my *personal >>> email** to this new admin.google.com account, as workforce members or >>> something? >>> >>> ...and after that, I should be able to see the Service Account I created >>> in there? Then I can just give it Domain Wide Delegation? >>> >>> Is this all accurate? >>> >>> >>> - For this, Yes, I confirm that your understanding is correct. >>> However, you need to follow these Prerequisites >>> >>> <https://developers.google.com/google-ads/api/docs/oauth/service-accounts#prerequisites> >>> . >>> >>> >>> 2.)adding to my prior message: >>> >>> >>> Can I perform this task (Domain Wide Delegation) with the Essentials >>> Starter Edition of Workspace? >>> >>> >>> I just signed up for that version. But now I'm at a roadblock. The *main >>> email**, associated with our Ads account, Firebase, GA4, etc... is an >>> @gmail domain email. However, the workspace says I can only add users via >>> internal emails. >>> >>> >>> How do I now associate the existing accounts (all @gmail) with this >>> workspace so that I can utilize the Service Account to access Google Ads? >>> >>> >>> - I confirm that this is true that you can't use @gmail domain >>> email to use service account authentication. Having a workspace account >>> is >>> the requirement. >>> >>> >>> 3.) Well, I just got it working via OAUTH2. Like I said though, it won't >>> make sense for us to use this method long-term. The program will run >>> automatically every day, and while it may not take much effort to perform >>> this one little manual task every day -- Lots of little manual tasks add up >>> into intense workloads, eventually. >>> >>> >>> I'll use OAUTH2 for debugging, testing, building, etc for the time >>> being. Can someone help me figure out the issue above though? I still don't >>> understand how to use this new workspace if I can't add our Ads account >>> because it was made with an @gmail email. >>> >>> >>> - This is recommended to use authentication. We strongly recommend >>> using OAuth2 desktop app or web app flow >>> >>> <https://developers.google.com/google-ads/api/docs/oauth/cloud-project#choose_an_application_type> >>> instead >>> of service accounts *unless you need a domain-specific feature* (for >>> example, impersonation). OAuth2 desktop app and web app flows do require >>> an >>> initial user interaction for granting access to the account, but are >>> much >>> simpler to set up. For the OAuth2 desktop app flow >>> >>> <https://developers.google.com/google-ads/api/docs/oauth/cloud-project#desktop>, >>> >>> you can persist a refresh token (which never expires) to obtain a new >>> access token whenever necessary. When using one of our client >>> libraries >>> >>> <https://developers.google.com/google-ads/api/docs/oauth/client-library>, >>> you can authorize your app by filling out a configuration file. >>> >>> >>> Regards, >>> [image: Google Logo] >>> Darwin >>> Google Ads API Team >>> >>> >>> ref:_00D1U1174p._5004Q2ewsYl:ref >>> >> -- -- =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ Also find us on our blog: https://googleadsdeveloper.blogspot.com/ =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ You received this message because you are subscribed to the Google Groups "AdWords API and Google Ads API Forum" group. To post to this group, send email to adwords-api@googlegroups.com To unsubscribe from this group, send email to adwords-api+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/adwords-api?hl=en --- You received this message because you are subscribed to the Google Groups "Google Ads API and AdWords API Forum" group. To unsubscribe from this group and stop receiving emails from it, send an email to adwords-api+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/adwords-api/925d8a9c-6b72-4155-b858-53f07b154c26n%40googlegroups.com.
