I am trying to call watch() on a mailbox. I set up a service Iam account, and created a topic and suscription. I gave my service account full(owner) rights to my topic and subscription. But when calling execute on watch(), I get the error:

Google.Apis.Requests.RequestError Error sending test message to Cloud PubSub projects/projectid/topics/topicname : User not authorized to perform this action. [403] Errors [ Message[Error sending test message to Cloud PubSub projects/projectid/topics/topicname : User not authorized to perform this action.] Location[ - ] Reason[forbidden] Domain[global] ]

Here is the code I use to set up my service:

 credential = new X509Certificate2("file.p12"), "password", X509KeyStorageFlags.Exportable);
var service = new GmailService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = applicationame,
        });


WatchRequest body = new WatchRequest()
    {
        TopicName = "projects/projectid/topics/topicname",
        LabelIds = new[] {"INBOX"}
string userId = "me";
UsersResource.WatchRequest watchRequest = service.Users.Watch(body, userId);
WatchResponse test = watchRequest.Execute();

My service account has access to all the following scopes:

https://mail.google.com/
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.metadata

Am I missing something here?

EDIT

Added the following scope, but still not success: https://www.googleapis.com/auth/pubsub

EDIT Also added the following with no success: https://www.googleapis.com/auth/cloud-platform

I did not give the service account that gmail uses to publish updates to Pub/Sub permission to publish to the topic (TopicName): serviceAccount:gmail-api-push@system.gserviceaccount.com I gave this account permission in the console.

You need to remember that a service account is not you. A service account is a dummy user which has a google drive account a google calendar account and probably a bunch more. However it does not have a gmail account.

Service accounts are preauthorized. You need to grant the service account access to read the users email.

userId's needs to be the id of the user whos emails you wish to access. 'Me' wont work because a serveries account doesn't have a gmail account it has no emails to read.

Just need the scopes:

https://www.googleapis.com/auth/gmail.modify https://www.googleapis.com/auth/pubsub

In the Cloud Pub/Sub Developer Console you need to grant publish privileges to serviceAccount:gmail-api-push@system.gserviceaccount.com