Asked  7 Months ago    Answers:  5   Viewed   33 times

I'm trying to use a service account to create entries on a Google calendar. I'm really close on this, but the very last line won't work. I get a 500 Internal Service Error when I let this run. Otherwise, the program runs error free, for whatever that is worth.

The Calendar.php file contents can be found here. The insert() method that I am trying to call begins on line 1455 of that file.

<?php

function calendarize ($title, $desc, $ev_date, $cal_id) {

    session_start();

    /************************************************
    Make an API request authenticated with a service
    account.
    ************************************************/
    set_include_path( '../google-api-php-client/src/');

    require_once 'Google/Client.php';
    require_once 'Google/Service/Calendar.php';

    // (not real keys)
    $client_id = '843319906820-jarm3f5ctbtjj9b7lp5qdcqal54p1he6.apps.googleusercontent.com';
    $service_account_name = '843319906820-jarm3f5ctbtjj7b7lp5qdcqal54p1he6@developer.gserviceaccount.com';
    $key_file_location = '../google-api-php-client/calendar-249226a7a27a.p12';

//    echo pageHeader("Service Account Access");
    if (!strlen($service_account_name) || !strlen($key_file_location))
        echo missingServiceAccountDetailsWarning();

    $client = new Google_Client();
    $client->setApplicationName("xxxx Add Google Calendar Entries");

    if (isset($_SESSION['service_token'])) {
        $client->setAccessToken($_SESSION['service_token']);
    }

    $key = file_get_contents($key_file_location);
    $cred = new Google_Auth_AssertionCredentials(
        $service_account_name, 
        array('https://www.googleapis.com/auth/calendar'), 
        $key
    );
    $client->setAssertionCredentials($cred);
    if($client->getAuth()->isAccessTokenExpired()) {
        $client->getAuth()->refreshTokenWithAssertion($cred);
    }
    $_SESSION['service_token'] = $client->getAccessToken();

    // Prior to this, the code has mostly come from Google's example
    //     google-api-php-client / examples / service-account.php
    // and relates to getting the access tokens. 

    // The rest of this is about setting up the calendar entry.
    //Set the Event data
    $event = new Google_Service_Calendar_Event();
    $event->setSummary($title);
    $event->setDescription($desc);

    $start = new Google_Service_Calendar_EventDateTime();
    $start->setDate($ev_date);
    $event->setStart($start);

    $end = new Google_Service_Calendar_EventDateTime();
    $end->setDate($ev_date);     
    $event->setEnd($end);

    $calendarService = new Google_Service_Calendar($client);
    $calendarList = $calendarService->calendarList;

    $events = $calendarService->events;

    // if I leave this line, my code won't crash (but it won't do anything, either)
    //echo "here"; die(); 

    $events.insert($cal_id, $event, false);
} 

?>

 Answers

75

I figured this out. Since I don't see any complete examples of using service accounts with API v3, I'm just going to post my complete solution for reference. There are a few of things that you need to do in addition to implementing the code, however:

1) You need to go to the Google Developer's console and mark your account as a 'service account'. This will differentiate it from a web application. The important difference is that nobody will be prompted to log in to their account before the events are added since the account will belong to your application, not an end user. For more information see this article, starting on page 5.

2) You need to create a public/private key pair. From the developer's console, click on Credentials. Under you service account, click on 'Generate new P12 key'. You'll need to store this somewhere. That file location becomes the $key_file_location variable string in the code below.

3) Also from the developer's console, you need to enable the Calendar API. From your project, on the left margin you'll see APIs. Select that and find the Calendar API. Click it, accept the terms of service, and verify that it is now displayed under Enabled APIs with a status of On

4) In Google Calendar that you want to add events to, under settings, click Calendar Settings then on 'Share this Calendar' at the top. Under 'Share with specific people' in the 'Person' field, paste in the email address from the service account credentials. Change the permission settings to 'Make changes to events'. Don't forget to save the change.

Then, implement this code somewhere.

Comment if something is confusing or omitted. Good luck!

<?php

function calendarize ($title, $desc, $ev_date, $cal_id) {

    session_start();

    /************************************************
    Make an API request authenticated with a service
    account.
    ************************************************/
    set_include_path( '../google-api-php-client/src/');

    require_once 'Google/Client.php';
    require_once 'Google/Service/Calendar.php';

    //obviously, insert your own credentials from the service account in the Google Developer's console
    $client_id = '843319906820-xxxxxxxxxxxxxxxxxxxdcqal54p1he6.apps.googleusercontent.com';
    $service_account_name = '843319906820-xxxxxxxxxxxxxxxxxxxdcqal54p1he6@developer.gserviceaccount.com';
    $key_file_location = '../google-api-php-client/calendar-xxxxxxxxxxxx.p12';

    if (!strlen($service_account_name) || !strlen($key_file_location))
        echo missingServiceAccountDetailsWarning();

    $client = new Google_Client();
    $client->setApplicationName("Whatever the name of your app is");

    if (isset($_SESSION['service_token'])) {
        $client->setAccessToken($_SESSION['service_token']);
    }

    $key = file_get_contents($key_file_location);
    $cred = new Google_Auth_AssertionCredentials(
        $service_account_name, 
        array('https://www.googleapis.com/auth/calendar'), 
        $key
    );
    $client->setAssertionCredentials($cred);
    if($client->getAuth()->isAccessTokenExpired()) {
        $client->getAuth()->refreshTokenWithAssertion($cred);
    }
    $_SESSION['service_token'] = $client->getAccessToken();

    $calendarService = new Google_Service_Calendar($client);
    $calendarList = $calendarService->calendarList;

    //Set the Event data
    $event = new Google_Service_Calendar_Event();
    $event->setSummary($title);
    $event->setDescription($desc);

    $start = new Google_Service_Calendar_EventDateTime();
    $start->setDateTime($ev_date);
    $event->setStart($start);

    $end = new Google_Service_Calendar_EventDateTime();
    $end->setDateTime($ev_date);
    $event->setEnd($end);

    $createdEvent = $calendarService->events->insert($cal_id, $event);

    echo $createdEvent->getId();
} 

?>

Some helpful resources:
Github example for service accounts
Google Developers Console for inserting events in API v3
Using OAuth 2.0 to Access Google APIs

Wednesday, March 31, 2021
 
Niels
answered 7 Months ago
44

The root of the problem is that the service account is not an administrator on the domain, so it cannot access the Admin SDK Directory API. Instead, you need to enable domain-wide delegation for your service account, and then have the service account impersonate a domain admin when it makes the request:

$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    $authArray,
    $key
);
$cred->sub = "admin@yourdomain.com";
Wednesday, June 9, 2021
 
Besnik
answered 5 Months ago
46

You will have to programmatically share the calendar created by the service account. The calendars are owned by the service account.

What you tried :

  • the calendars don't show up in your account because you have no right to access them, even though you are the appengine admin.
  • entering the e-mail address of the service account does not show up the calendar in the UI because the e-mail address of the service account is not the e-mail address of the calendar. One service account could create multiple calendars.

Share the calendar programmatically with your account, log the calendar unique id and then enter it in the UI.

Friday, July 16, 2021
 
EzzDev
answered 3 Months ago
58

I know that many people are facing the same problem like mine. So, this is the solution after days of search on google.

The code I proposed has only one error: the client id is like an email similar to 123456789-abcdebsbjf@developer.gserviceaccount.com

The second thing you have to do is to share the table you are quering in google fusion tables with the client id of the service account.

After that, thing will work perfectly.

I hope this would help other.

Saturday, August 14, 2021
 
mariaoialvarez
answered 2 Months ago
74

The service account does not have permission to call Directory APi for your G Suite instance. What it does have access to do is act as a user in your domain within the context of the Directory API scope(s) you granted it access to.

When getting service account credentials you need to add the sub=admin@yourdomain.com parameter so that you are acting as your domain admin, not the service account. See:

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

And some code examples at:

https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Saturday, August 28, 2021
 
user3082821
answered 2 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :