FYI - I ended up getting that working.

Yes, I followed all of the steps to create the service account and 
authorize it for our Google Apps Domain. That isn't the issue.

All of the sample code and examples for using the Service Account fail to 
show where or how to set the ServiceAccountUser on the GoogleCredential 
returned from OfflineCredentials Builder.

Simply specifying the location of the JSON file in the file 
only gets you so far. You can receive an accessToken on the 
GoogleCredential created with the OfflineCredentials Builder, but I could 
not set the serviceAccountUser as that appears to be required at build 
time. It would be ideal to have a property for this user in the file, or allow for setting this in the OfflineCredentials 
Builder object.

You are correct that there are a lot of ways to configure impersonation and 
I managed to dig into the code and replicate my own builder that pulled 
from the ServiceAccount JSON file and allows for specifying the 
ServiceAccount user, but I'm not sure why OfflineCredentials and the 
AdWords Java library don't support this. Again, it looks like some of the 
other SDKs do support specifying the service account user in a property. 
(e.g. Ruby's YAML "oauth2_prn")

Something like this would be a great addition to the next release of the 
Java SDK.

Credential oAuth2Credential = new OfflineCredentials.Builder()

Thanks for the reply!


On Monday, August 7, 2017 at 11:14:25 PM UTC-7, Peter Oliquino wrote:
> Hi John, 
> Could you provide the following details? 
>    - Do you have a Google Apps Domain? To use service accounts with 
>    AdWords, a Google Apps Domain is required (as mentioned on the wiki 
>    page for service accounts).
>    - Have you been granted access to the G Suite (former Google Apps) 
>    account that you have? 
> Depending on the library you use, impersonation can be configured 
> differently. If you are working with a single user I suggest using installed 
> application.
> With installed application flow you need to authorize each Google account 
> individually. So, you'd need to have each of these users go through the 
> authorization flow and then manage a separate access/refresh token per 
> email address. The authorization step (browser step) for installed 
> application is needed only once and can be done outside of your production 
> environment. All you need is the refresh token which can be cached and 
> deployed with your app. Please see this document for 
> more information on setting up authentication. 
> Best regards,
> Peter 
> AdWords API Team.
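
The workaround described in the message above (read the service account JSON key, then rebuild the credential with an impersonated user), sketched as an added example; it is not code from the original post or from the AdWords library. It assumes the google-api-client `GoogleCredential` class is on the classpath; the class name `DelegatedServiceAccountCredential`, the `load` method and the command-line arguments are hypothetical.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;

/** Hypothetical helper: service-account credential with domain-wide delegation. */
public final class DelegatedServiceAccountCredential {
  // Request only the AdWords scope so the delegated token cannot reach other APIs.
  private static final String ADWORDS_SCOPE = "https://www.googleapis.com/auth/adwords";

  public static GoogleCredential load(String jsonKeyPath, String impersonatedUser)
      throws IOException {
    if (impersonatedUser == null || impersonatedUser.isEmpty()) {
      throw new IllegalArgumentException("impersonated user is required");
    }
    GoogleCredential base;
    try (InputStream in = new FileInputStream(jsonKeyPath)) {
      base = GoogleCredential.fromStream(in); // parses the JSON key file
    }
    // fromStream also accepts user credentials; those carry no private key.
    if (base.getServiceAccountPrivateKey() == null) {
      throw new IOException("not a service-account key file: " + jsonKeyPath);
    }
    // The user can only be set at build time, so copy the key material
    // into a new builder and add the impersonated user there.
    return new GoogleCredential.Builder()
        .setTransport(base.getTransport())
        .setJsonFactory(base.getJsonFactory())
        .setServiceAccountId(base.getServiceAccountId())
        .setServiceAccountPrivateKey(base.getServiceAccountPrivateKey())
        .setServiceAccountPrivateKeyId(base.getServiceAccountPrivateKeyId())
        .setServiceAccountScopes(Collections.singleton(ADWORDS_SCOPE))
        .setServiceAccountUser(impersonatedUser)
        .build();
  }

  public static void main(String[] args) throws IOException {
    if (args.length != 2) {
      System.err.println("usage: <service-account.json> <user@your-domain>");
      System.exit(2);
    }
    GoogleCredential credential = load(args[0], args[1]);
    // No network call here: the access token is fetched on first use.
    System.out.println(credential.getServiceAccountId()
        + " acting as " + credential.getServiceAccountUser());
  }
}
```

Keep the JSON key file out of source control and limit the domain-wide delegation grant for this service account to the AdWords scope, since the key can act as any user the grant covers.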
