Replicated the error messages you were receiving just to be sure it was what I was thinking.
You haven't granted access to impersonate via the API to the service account you're using basically.
Impersonation is a multi-step process, mainly covered in the guide, but might not be as concise....

- Use current SA or make a new one
  - Project owner is not needed
  - DOMAIN-WIDE delegation IS needed
- In order to add domain-wide delegation now, you have to make the service account, and then you have to re-enter it for editing
- Up top, click edit
- Middle of the screen, between "Service account status" and "Keys", you'll see "Show domain-wide delegation"
- Make sure that this is enabled! It gives your SA a client-id
  - {This is not the same as an OAUTH client-id}
- This "Client-id" is what you will then enter here

[navigation steps below]
Go to SecuritySettings in the admin panel. Third tab/card/whatever from the bottom should be "Advanced Settings" - when you click that you'll see a link to Manage API client access
Same as before, this is not the same as "APIs and Services"

- In the first field, enter that client-id you got once domain-wide delegation was enabled.
  - Column label is "Authorized API clients"
  - Box label is "Client Name"
  - [disregard the "Example: www.example.com" part]
- In the second field you have to enter the scopes you want to allow. IDK why I use the ones I list, but it works so eh...
  - Box label is "One or More API Scopes"
  - PAY ATTENTION TO "(comma-delimited)"
- Scopes that I use most of the time (singleLine)
  - These will then reflect as:
  - https://www.googleapis.com/auth/admin.directory.domain
  - Calendar (Read-Write) https://www.googleapis.com/auth/calendar
  - https://www.googleapis.com/auth/drive
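
An added example, not part of the original post: a pre-flight check for the two fields entered on the Manage API client access page, compared against the scopes the code will request, since a scope that was never authorized there makes the token request fail. The function names and the sample client ID in the test are constructed; the check assumes the delegation client ID is all digits while an OAuth client ID ends in `.apps.googleusercontent.com`.

```python
import re

# The three scopes listed in the post, as one comma-delimited line.
POST_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.domain,"
    "https://www.googleapis.com/auth/calendar,"
    "https://www.googleapis.com/auth/drive"
)


def parse_scope_field(field):
    """Split the comma-delimited admin-console field into (scopes, problems)."""
    scopes, problems = [], []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma
        if re.search(r"\s", item):
            # Two scopes separated by a space instead of a comma end up here.
            problems.append(f"whitespace inside entry (missing comma?): {item!r}")
            continue
        scopes.append(item)
    return scopes, problems


def check_delegation(client_id, scope_field, requested):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    # Assumption: the delegation client ID is all digits, while an OAuth
    # client ID ends in .apps.googleusercontent.com.
    if not client_id.isdigit():
        problems.append(f"client ID is not the numeric service-account ID: {client_id!r}")
    authorized, parse_problems = parse_scope_field(scope_field)
    problems.extend(parse_problems)
    # Every scope the code requests must have been authorized in the console.
    for scope in requested:
        if scope not in authorized:
            problems.append(f"requested scope not authorized: {scope}")
    # Least privilege: scopes granted in the console that the code never uses.
    for scope in authorized:
        if scope not in requested:
            problems.append(f"authorized but unused scope: {scope}")
    return problems
```
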