I'm writing a Ruby app that accesses the Google Analytics API to pull down some experiment information.

The app connects and authenticates using a Google Service Account via the following function:

def connect
  ...
  @@client = Google::APIClient.new(:application_name => 'My Service App', 
                                    :application_version => '1.0.0')
  key_file = Rails.root.join('config', 'privatekey.p12').to_s
  key_secret = 'somesecret'
  key = Google::APIClient::PKCS12.load_key(key_file, key_secret)
  asserter = Google::APIClient::JWTAsserter.new(
    SECRETS[:google_service_account_email],
    ['https://www.googleapis.com/auth/yt-analytics.readonly',
     'https://www.googleapis.com/auth/analytics.readonly'
    ],
    key
  )
  @@client.authorization = asserter.authorize()
  ...
end

...which authenticates and discovers both APIs without issue.

Using the client against the YouTube Analytics API works without issue. Using the same exact account to access the Analytics API via...

response = @@client.execute({
  # 'analytics is the API object retrieved via discover_api()
  :api_method => analytics.management.experiments.list, 
  :parameters => {
    'accountId' => 'AAAAAAAA',
    'profileId' => 'PPPPPPPP',
    'webPropertyId' => 'UA-WWWWWWWW-#'
  }
})

Results in a 403 error response:

{"domain":"global","reason":"insufficientPermissions","message":"User does not have sufficient permissions for this account."}

In regards to authorization, I have double-checked the account service@myapp.com:

• Has full permissions to the Google Analytics web interface. I logged in using the service@myapp.com account and was able to view the same Experiments I attempted to list.
• Has enabled the Analytics API. Within the API Console, I confirmed in the Services section that the Analytics API item is switch to ON. (Just like YouTube Analytics is.)
• I am using the appropriate AccountID, ProfileID, and WebPropertyID values. Copied directly from the Google Analytics web interface.

Given that the service account can access at least one API (YouTube Analytics), and the associated account (service@myapp.com) can access the Analytics web interface, there seems to be something wrong with the service account accessing the Analytics API in particular.

Any ideas?

Similar topics:

• “Not sufficient permissions” google analytics API service account (NOTE: This error is slightly different than mine)
• Analytics blog post, check comments section for 'permissions'

Make sure you give the service account email (something like 1234567890@developer.gserviceaccount.com) permissions to read/write from your GA view.

Admin > View > User Management > "Add permissions for:"

Pick the right id!

In my case I was using the right credentials (account id, account secret -> authorization_code -> access_token) AND had the email permissions set up right but I was using the account id on the Admin > Account settings page and simply adding ga: to the front.

The id you actually need is the table id! (or that's the one that worked for me at least since most people here are mentioning the account id, which didn't work for me.). You can find that one here: https://ga-dev-tools.appspot.com/account-explorer/

And then you can query as

service.get_ga_data(TABLE_ID,'2017-03-25','2017-03-25','ga:users,ga:pageviews')

I found this API to be badly documented overall and the UI was unclear. But maybe that's just me.

If you still see this message after you added your developer email to analytic user.

You may need to add scope to the object, before new Google_Service_Analytics($client);

$client->setScopes("https://www.googleapis.com/auth/plus.login");

I spent whole day trying to solve this!

Make sure your are entering the correct table_id

(ie. GetProfiles(oauth_token)
tableid_input = "ga:72848696")

I also had to go to the developer console and enable the API in order to make it work. Go to the developer console and select your project and enable the API(s) you want to use.

Even after adding the email to the account level in analytics I still had the same permission problem but the following suggestion helped but didn't solve it:

$client->setScopes("https://www.googleapis.com/auth/plus.login");

That didn't work for me but this did:

$client->setScopes("https://www.googleapis.com/auth/analytics");

https:// is now required to authenticate.

If you are new just to let you know 3 Step procedure required

1. Enable Google Analytics Reporting API then create service email account (OAuth Client ID)
2. Add and give permission this service email in google console
3. Add and give permission this service email account in Google analytics tracking -> User management

If someone has more view he should use the view ID.