Damn I've seriously looked through 100 threads related to this and finally
found one that was helpful. The step I was missing was adding the
`client_id` from the JSON key to the 'authorized client' list in
admin.google.com, and also the `oauth2_prn` user to impersonate.
Now I have a new error though...
`AuthorizationError.USER_PERMISSION_DENIED`. Am I supposed to use the
global MCC account rather than my test MCC? (My dev token isnt approved
yet). If I use my master MCC email for `oauth2_prn` I get the above error,
but if I use my test MCC I made I get this error: `Client is unauthorized
to retrieve access tokens using this method.`
Here is how I have it set up again:
- **Production** Google developer console (domain-enabled service account
used for `oauth2_key`, `oauth2_issuer`)
- **Production** GSuite account (enable production service account access
- **Production** MCC account (API key used for `developer_token`)
- **Test** MCC account (email for `oauth2_prn`)
- **Test** client account (customer id for `client_customer_id`)
They key takeaway is all this was under the production account. The only
test stuff I created was MCC/client account (I didnt create a test google
developer console service or API access or anything like that)
Also find us on our blog and Google+:
You received this message because you are subscribed to the Google
Groups "AdWords API Forum" group.
To post to this group, send email to email@example.com
To unsubscribe from this group, send email to
For more options, visit this group at
You received this message because you are subscribed to the Google Groups
"AdWords API Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email
Visit this group at https://groups.google.com/group/adwords-api.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.