Suddenly getting googleapi: Error 401: Invalid Credentials, authError

Does this seem to mirror your setup?

[TEST]
type = drive
scope = drive
use_trash = false
client_id = clientid.apps.googleusercontent.com
client_secret = clientsecret
chunk_size = 1024M
impersonate = felix@joe.us
root_folder_id = myonefolderrootidinmygoogledrive
service_account_file = /opt/rclone/service.json
team_drive =

[TESTC]
type = crypt
remote = TEST:crypt
filename_encryption = standard
password = password
password2 = password
directory_name_encryption = true

I have a folder in my drive called crypt which is in a folder called test. I use that 'crypt' folder's rootID:

I ran through a few syncs and deleted files and I can see they move server side:

felix@gemini:~$ rclone sync /home/felix/test TESTC:/last_snapshot --backup-dir TESTC:/archive/20211105 -vv
2021/11/02 07:57:13 DEBUG : Setting --config "/opt/rclone/rclone.conf" from environment variable RCLONE_CONFIG="/opt/rclone/rclone.conf"
2021/11/02 07:57:13 DEBUG : Setting --user-agent "animosityapp" from environment variable RCLONE_USER_AGENT="animosityapp"
2021/11/02 07:57:13 DEBUG : Setting --rc-user "felix" from environment variable RCLONE_RC_USER="felix"
2021/11/02 07:57:13 DEBUG : Setting --rc-pass "felix" from environment variable RCLONE_RC_PASS="felix"
2021/11/02 07:57:13 DEBUG : Setting default for drive-pacer-min-sleep="10ms" from environment variable RCLONE_DRIVE_PACER_MIN_SLEEP
2021/11/02 07:57:13 DEBUG : Setting default for drive-pacer-burst="1000" from environment variable RCLONE_DRIVE_PACER_BURST
2021/11/02 07:57:13 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "sync" "/home/felix/test" "TESTC:/last_snapshot" "--backup-dir" "TESTC:/archive/20211105" "-vv"]
2021/11/02 07:57:13 DEBUG : Creating backend with remote "/home/felix/test"
2021/11/02 07:57:13 DEBUG : Using config file from "/opt/rclone/rclone.conf"
2021/11/02 07:57:13 DEBUG : Creating backend with remote "TESTC:/last_snapshot"
2021/11/02 07:57:13 DEBUG : Creating backend with remote "TEST:crypt/lrak4favmei0j55g20imrj7it4"
2021/11/02 07:57:13 DEBUG : Setting drive_pacer_min_sleep="10ms" from environment variable RCLONE_DRIVE_PACER_MIN_SLEEP
2021/11/02 07:57:13 DEBUG : Setting drive_pacer_burst="1000" from environment variable RCLONE_DRIVE_PACER_BURST
2021/11/02 07:57:13 DEBUG : TEST: detected overridden config - adding "{TKSWb}" suffix to name
2021/11/02 07:57:13 DEBUG : Setting drive_pacer_min_sleep="10ms" from environment variable RCLONE_DRIVE_PACER_MIN_SLEEP
2021/11/02 07:57:13 DEBUG : Setting drive_pacer_burst="1000" from environment variable RCLONE_DRIVE_PACER_BURST
2021/11/02 07:57:14 DEBUG : fs cache: renaming cache item "TEST:crypt/lrak4favmei0j55g20imrj7it4" to be canonical "TEST{TKSWb}:crypt/lrak4favmei0j55g20imrj7it4"
2021/11/02 07:57:14 DEBUG : fs cache: switching user supplied name "TEST:crypt/lrak4favmei0j55g20imrj7it4" for canonical name "TEST{TKSWb}:crypt/lrak4favmei0j55g20imrj7it4"
2021/11/02 07:57:14 DEBUG : Creating backend with remote "TESTC:/archive/20211105"
2021/11/02 07:57:14 DEBUG : Creating backend with remote "TEST:crypt/s9g4p1ep8mu3hgstqj76c911c4/f6pam00n460kqhi1gp0r79o004"
2021/11/02 07:57:14 DEBUG : Setting drive_pacer_min_sleep="10ms" from environment variable RCLONE_DRIVE_PACER_MIN_SLEEP
2021/11/02 07:57:14 DEBUG : Setting drive_pacer_burst="1000" from environment variable RCLONE_DRIVE_PACER_BURST
2021/11/02 07:57:14 DEBUG : TEST: detected overridden config - adding "{TKSWb}" suffix to name
2021/11/02 07:57:14 DEBUG : Setting drive_pacer_min_sleep="10ms" from environment variable RCLONE_DRIVE_PACER_MIN_SLEEP
2021/11/02 07:57:14 DEBUG : Setting drive_pacer_burst="1000" from environment variable RCLONE_DRIVE_PACER_BURST
2021/11/02 07:57:15 DEBUG : fs cache: renaming cache item "TEST:crypt/s9g4p1ep8mu3hgstqj76c911c4/f6pam00n460kqhi1gp0r79o004" to be canonical "TEST{TKSWb}:crypt/s9g4p1ep8mu3hgstqj76c911c4/f6pam00n460kqhi1gp0r79o004"
2021/11/02 07:57:15 DEBUG : fs cache: switching user supplied name "TEST:crypt/s9g4p1ep8mu3hgstqj76c911c4/f6pam00n460kqhi1gp0r79o004" for canonical name "TEST{TKSWb}:crypt/s9g4p1ep8mu3hgstqj76c911c4/f6pam00n460kqhi1gp0r79o004"
2021/11/02 07:57:15 DEBUG : Encrypted drive 'TESTC:/last_snapshot': Waiting for checks to finish
2021/11/02 07:57:15 DEBUG : one: Size and modification time the same (differ by -285.481µs, within tolerance 1ms)
2021/11/02 07:57:15 DEBUG : one: Unchanged skipping
2021/11/02 07:57:15 DEBUG : two: Size and modification time the same (differ by -320.042µs, within tolerance 1ms)
2021/11/02 07:57:15 DEBUG : two: Unchanged skipping
2021/11/02 07:57:15 DEBUG : Encrypted drive 'TESTC:/last_snapshot': Waiting for transfers to finish
2021/11/02 07:57:15 DEBUG : Waiting for deletions to finish
2021/11/02 07:57:16 INFO  : four: Moved (server-side)
2021/11/02 07:57:16 INFO  : four: Moved into backup dir
2021/11/02 07:57:17 INFO  : three: Moved (server-side)
2021/11/02 07:57:17 INFO  : three: Moved into backup dir
2021/11/02 07:57:17 INFO  : There was nothing to transfer
2021/11/02 07:57:17 INFO  :
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Checks:                 6 / 6, 100%
Deleted:                2 (files), 0 (dirs)
Renamed:                2
Elapsed time:         3.4s

2021/11/02 07:57:17 DEBUG : 12 go routines active

and my backup dirs I tested with have some files:

felix@gemini:~$ rclone ls TESTC:
        0 last_snapshot/two
        0 last_snapshot/one
      165 archive/20211103/blah
1504953150 archive/20211104/Copy of jellyfish-400-mbps-4k-uhd-hevc-10bit.mkv
      165 archive/20211104/hosts
        0 archive/20211105/four
        0 archive/20211105/three

I just want to make sure I translated what you had on my side for testing as everything I've done works.

The last piece is translating your permissions that you made as my service account has full blown rights.

Is your Drive a GSuite or a personal account? You granted permissions not by allowing site wide delegation on the GSuite side?

Can you also test with disabling server side moves?

--disable copy

I feel pretty good your root ID isn't the issue but something along permissions.

Thanks for testing this. And yes, that's identical as far as I can see.

Other than that, I've created service accounts, added them to a group, and given the group access to the directory. I also have given the SA accounts Domain-wide Delegation to the Google Drive API (this to be able to impersonate on a users directory).

It's a GSuite (or Workspaces), and I'm the admin.

I've just tested with a brand new service account, but that gives the same errors.

What throws me off is that my account seems to have the correct permissions. It can both read and write without issues. So most of it works, but it's just halting on moving files to the backup drive afaik.

Also – the only thing I have changed on my end (rclone wise) is upgrading and changing the tps-limit against dropbox.

I'm also thinking permissions, maybe regarding something very specific. I have not made any changes to the permissions. Could Google have changed something (but then again, you should think other users would experience something similar).

I'll give it a go with --disable copy

If they have domain wide delegation, what's the purpose of sharing and adding them to a group? Does that stop access to something?

It's to be able to impersonate my main user in that user's directory, making all files owned by the main user.

I didn't do that and when I had files move, I see:

image

Which looks like everything is owned properly on the few files I sampled. Did you see something else prior to doing that?

Yes, as far as I can remember. It's been a while now.

When I first set it up (transferring multiple TB from a local server), the files were owned by the individual service account, which in turn messed up when you wanted to manipulate (i.e. delete) files later on via a different user/service account.

This was not an issue using Team Drives, but was an issue using a regular users drive (where I had to put it due to the file limit on Team Drives).

The only way to get around that, was to give domain-wide delegation (I got the info from this post).

EDIT:
Just to make sure again, I did a test:

Config (just using non-crypt, does not matter):

[gdrive-sa2]
type = drive
client_id = <clientid>
client_secret = <clientsecret>
impersonate = user@domain.tld
scope = drive
root_folder_id = <folder id>
service_account_file = /home/<removed>/rclone/sa/rc05.json

Running with a newly created service account:

➜  rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:56:10 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:56:10 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:56:10 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
2021/11/02 13:56:11 ERROR : : error listing: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
2021/11/02 13:56:11 DEBUG : 4 go routines active
2021/11/02 13:56:11 Failed to lsd with 2 errors: last error was: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Running with new service account given domain-wide delegation to the google drive API:

➜  rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:56:54 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:56:54 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:56:54 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
2021/11/02 13:56:54 ERROR : : error listing: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
2021/11/02 13:56:54 DEBUG : 4 go routines active
2021/11/02 13:56:54 Failed to lsd with 2 errors: last error was: couldn't list directory: Get "https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%29%2CnextPageToken%2CincompleteSearch&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%271odGMeeHbKre4D8-O65Z-UDOwEyAokilI%27+in+parents%29&supportsAllDrives=true": oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Running SA with domain-wide delegation, and added to the group (that is added to the directory):

➜  rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:57:39 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:57:39 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:57:39 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
          -1 2021-11-01 13:23:55        -1 bio0l83s1stlol81sgujc8lhn2ig
          -1 2018-03-25 01:02:32        -1 d4g7fbatdddhi2k49f7b59alv9t8
          -1 2018-04-30 13:21:42        -1 erqd5fvaus2135q91v162n2gp3sfs
          -1 2020-10-06 10:36:47        -1 l9qr7vlm2ivssehc0cbnqi22q1r4
2021/11/02 13:57:39 DEBUG : 6 go routines active

So afaik, all steps are needed.

Do you have a token line in there?

My test rclone.conf as token is for a service account setup:

[TEST]
type = drive
scope = drive
use_trash = false
client_id = clientid.apps.googleusercontent.com
client_secret = secret
impersonate = felix@joe.us
service_account_file = /opt/rclone/service.json
chunk_size = 1024M
root_folder_id = 1eNNNZIXQcC_SHp7Nr2D2BMiWLhQG69Cf

My mistake, it's not needed. It's "a leftover" from when I copied and started using service accounts. The token is not used; it has not been updated since 2020 (as expected).

When removed, do you get the same results?

I am not using any groups at all and my service account works.

You seem to have something unique going on.

Yes, works fine. It's not used.

But you did have to give the SA access to the directory, or no?

From my reading, changing the root ID doesn't require any permissions as it's a logical change.

You've already given SA wide delegation so that account has full access to everything.

I have a test folder I made and use that root ID in my rclone.conf above:

image

and the rclone command:

image

Works fine with a different root ID. Adding the root ID to the rclone.conf at the actual root just saves a bit of time, as it fetches the root ID first and saves it. You can override the root location as you've done, but none of that should impact any access, as you already have full access domain wide.

As far as I understand, it's not the root ID that is the issue, it's the impersonation.

Running with the impersonation commented out it gives:
Config:

[gdrive-sa2]
type = drive
client_id = <clientid>
client_secret = <clientsecret>
#impersonate = user@domain.tld
scope = drive
root_folder_id = <folder id>
service_account_file = /home/<removed>/rclone/sa/rc05.json

➜  rclone rclone lsd gdrive-sa2: -vv
2021/11/02 13:55:35 DEBUG : rclone: Version "v1.57.0" starting with parameters ["rclone" "lsd" "gdrive-sa2:" "-vv"]
2021/11/02 13:55:35 DEBUG : Creating backend with remote "gdrive-sa2:"
2021/11/02 13:55:35 DEBUG : Using config file from "/home/<removed>/.config/rclone/rclone.conf"
2021/11/02 13:55:35 DEBUG : 6 go routines active

No errors, but it does not see any files.

Right. If you don't impersonate, you won't see anything as that's the delegation in play:

felix@gemini:/opt/rclone$ rclone ls TEST: --drive-impersonate felix@joe.us
      165 hosts
felix@gemini:/opt/rclone$ rclone ls TEST:
felix@gemini:/opt/rclone$

If I give the SA access via sharing the directory to the group or individual SA account, I can list, upload, and whatever, but the owner of the file is the SA account.
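To make concrete what the `impersonate =` line changes in the three runs above (no delegation, delegation granted, impersonation commented out), here is an added Go example, not rclone's code and not either poster's: it builds the RS256-signed JWT assertion that a service-account client sends to Google's token endpoint, with and without the `sub` claim that impersonation sets, and models the admin console's domain-wide delegation list as a hypothetical `DelegationPolicy` type. The key pair, client id and e-mail addresses are constructed test values, and nothing is sent to Google.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenEndpoint is the "aud" of the assertion; no request is made to it here.
const TokenEndpoint = "https://oauth2.googleapis.com/token"

// Claims is the JWT claim set used as the assertion in the service-account
// flow. Sub is only present when impersonating a Workspace user.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs header.claims (RS256) with the service account's private
// key. impersonate is the rclone "impersonate =" value, or "" for none.
func BuildAssertion(key *rsa.PrivateKey, saEmail, impersonate, scope string, now time.Time) (string, error) {
	claims := Claims{Iss: saEmail, Sub: impersonate, Scope: scope, Aud: TokenEndpoint,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ParseAssertion verifies the RS256 signature against the service account's
// public key and returns the claims; anything not signed by that key is rejected.
func ParseAssertion(token string, pub *rsa.PublicKey) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed assertion")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	return c, json.Unmarshal(payload, &c)
}

// DelegationPolicy is a hypothetical model of the admin console's domain-wide
// delegation list: OAuth client_id -> scopes it may use together with "sub".
type DelegationPolicy map[string][]string

// Authorize models the token endpoint's decision and returns the identity the
// access token would act as. Without "sub" the token is the service account's
// own (it sees only what was explicitly shared with it, hence the empty listing
// in the thread); with "sub" every requested scope must be delegated to the
// client_id, otherwise the result is unauthorized_client.
func (p DelegationPolicy) Authorize(c Claims, clientID string) (string, error) {
	if c.Sub == "" {
		return c.Iss, nil
	}
	allowed := map[string]bool{}
	for _, s := range p[clientID] {
		allowed[s] = true
	}
	for _, s := range strings.Fields(c.Scope) {
		if !allowed[s] {
			return "", errors.New("unauthorized_client: scope not delegated: " + s)
		}
	}
	return c.Sub, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key, not a real SA key
	const sa, cid, user = "sa@example.iam.gserviceaccount.com", "1234567890", "user@domain.tld"
	scope := "https://www.googleapis.com/auth/drive"
	for _, tc := range []struct {
		name, sub string
		pol       DelegationPolicy
	}{
		{"impersonate set, no delegation", user, DelegationPolicy{}},
		{"impersonate set, delegation granted", user, DelegationPolicy{cid: {scope}}},
		{"impersonate commented out", "", DelegationPolicy{}},
	} {
		tok, _ := BuildAssertion(key, sa, tc.sub, scope, time.Now())
		claims, _ := ParseAssertion(tok, &key.PublicKey)
		who, err := tc.pol.Authorize(claims, cid)
		fmt.Printf("%-38s acting as %q err=%v\n", tc.name, who, err)
	}
}
```

The point the model makes visible is that sharing a folder with the SA and delegating to the SA's client id answer two different questions: sharing decides what the SA itself may see, while delegation decides whether the SA may obtain a token as `user@domain.tld` at all. When `impersonate` is set and the client id is not on the delegation list for the `drive` scope, the token request is refused before any Drive permission is consulted.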

Ok, I think I got it now.

My issue was I was using existing files which were server side copying and I got the original owner permissions which was 'me' and not the service account.

If I cleaned out everything, I can make a new file (fresh copy) and that shows the service account owner:

image

When you share that folder, what email are you putting in there?

I share it with the group email I have for the service accounts. It's an easy way to have access control, you just add the group e-mail, and can administer the access from the group settings (instead of adding x-numbers of email – also easier to remember).

(This is a non issue for me, since this is a more "set'n'forget" type of deal.)

Group screenshot:

Sharing:

What's the purpose / goal of the service accounts in your setup and not just using your regular account?

In the beginning, it was to move data faster, I could switch between them and get it up and running sooner. I needed to do it as fast as possible in a downtime period.

Now it's just a way to keep it separated from my main account. It does not matter that much, but if my user is removed sometime in the future (changing jobs, etc.), etc. it's just easier that way.

Anyhow, I did try this with my main account (non service account), and I get the exact same error.

And in your OAUTH screen, I assume it's External not Internal?

If we can remove the service account, that's less complexity, can you share what you did to get the same error?