Trying to impersonate user with SA on Google Drive results in 401 "Client is unauthorized to retrieve access tokens..."

What is the problem you are having with rclone?

I have read the guide, double/triple checked but I am stuck. I created a service account with domain wide delegation, created the .json file with the SA details, and added the client_id for that account with scope of https://www.googleapis.com/auth/drive. I configured the remote, and I am able to connect with the service account without impersonation, but when I try to impersonate a user I get:

Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Is there anything that needs to be done to impersonate a user besides making sure that domain-wide delegation is set for the SA?

What is your rclone version (output from rclone version)

rclone v1.49.3
- os/arch: linux/amd64
- go version: go1.12.9

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Linux / OpenMediaVault 4.1.17 (debian based)

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone -v --drive-impersonate josh@empowerfunnels.com lsf gdrive:

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

rclone -vv --drive-impersonate josh@empowerfunnels.com lsf gdrive:
2019/09/25 12:03:55 DEBUG : rclone: Version "v1.49.3" starting with parameters ["rclone" "-vv" "--drive-impersonate" "josh@empowerfunnels.com" "lsf" "gdrive:"]
2019/09/25 12:03:55 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
2019/09/25 12:03:55 ERROR : : error listing: couldn't list directory: Get https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%29%2CnextPageToken&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%27root%27+in+parents%29&supportsAllDrives=true: oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
2019/09/25 12:03:55 Failed to lsf with 2 errors: last error was: error in ListJSON: couldn't list directory: Get https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%29%2CnextPageToken&includeItemsFromAllDrives=true&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%27root%27+in+parents%29&supportsAllDrives=true: oauth2: cannot fetch token: 401 Unauthorized
Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Your user is part of the domain you set up the SA for, right? I assume so, but just want to get that possibility out of the way...

What you are describing is as far as I know the correct way. I don't have a domain of my own so I haven't done this exact process myself - I am going from my understanding of the documentation.

Can we see your remote config please?
Just remember to redact any sensitive information in it.
One common config problem for SAs that I want to check is that people don't remove the OAuth part of the config and just use the SA as is intended (but perhaps is not so obvious). If you still have config lines related to OAuth in the config you may get unexpected results.

Thanks for your response. Yes this user is a user in the same domain. My rclone.conf is as follows:

 [gdrive]
 type = drive
 scope = drive
 service_account_file = /root/empower-misc-sa.json
 client_id =
 client_secret =
 use_trash = false
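Added example (not rclone's code and not from anyone in this thread) that mechanises the two checks raised above: leftover user-OAuth lines in the remote config, and the (client_id, scope URL) pair that the domain-wide delegation entry in the Admin console has to contain. It also builds the JWT claim set the token request carries, so the iss/sub/scope values can be compared line by line with what was authorised. The config text, service-account key fields and e-mail addresses are constructed for the example.

```python
import configparser
import json
import time

# rclone's short scope names and the Google scope URLs they expand to (the
# thread's remote uses "scope = drive"); assumed to cover the Drive cases here.
RCLONE_SCOPES = {
    "drive": "https://www.googleapis.com/auth/drive",
    "drive.readonly": "https://www.googleapis.com/auth/drive.readonly",
    "drive.file": "https://www.googleapis.com/auth/drive.file",
}
OAUTH_LEFTOVERS = ("client_id", "client_secret", "token")  # user-OAuth fields

# Constructed sample input, mirroring the thread's remote with empty OAuth lines.
SAMPLE_CONF = "[gdrive]\ntype = drive\nscope = drive\n" \
              "service_account_file = /root/sa.json\nclient_id =\nclient_secret =\n"
SAMPLE_SA = json.dumps({"client_email": "sa@proj.iam.gserviceaccount.com",
                        "client_id": "123456789012345678901",
                        "token_uri": "https://oauth2.googleapis.com/token"})


def audit_remote(conf_text, remote):
    """Problems in a remote meant for service-account use (empty list = ok)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    sec = cfg[remote]
    # Even empty client_id/client_secret lines are the leftover the reply warns about.
    problems = [f"leftover '{k}' line in [{remote}]" for k in OAUTH_LEFTOVERS if k in sec]
    if not sec.get("service_account_file"):
        problems.append("service_account_file is not set")
    if sec.get("scope", "drive") not in RCLONE_SCOPES:
        problems.append(f"unknown scope '{sec['scope']}'")
    return problems


def delegation_entry(sa_json, rclone_scope):
    """(client_id, scope URL) the Admin console delegation list must contain;
    an unauthorized_client reply means this pair was not found for the key."""
    sa = json.loads(sa_json)
    return sa["client_id"], RCLONE_SCOPES[rclone_scope]


def delegation_claims(sa_json, subject, rclone_scope, now=None):
    """JWT claim set sent to the key's token_uri for domain-wide delegation:
    iss = SA e-mail, sub = impersonated user, scope = full scope URL."""
    sa = json.loads(sa_json)
    now = int(time.time() if now is None else now)
    return {"iss": sa["client_email"], "sub": subject, "aud": sa["token_uri"],
            "scope": RCLONE_SCOPES[rclone_scope], "iat": now, "exp": now + 3600}
```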

I'd probably delete those lines just to be safe. I don't THINK they actually do anything as long as they are empty, but it's worth checking.

Those lines were not there initially. I added them after seeing other examples. Removed again... same result.

Meaning the client-id for the service-account right? Not the normal user.
Again, I'm assuming you did, but I don't see anything you obviously did wrong, so chances are there is some simple error somewhere.

Yes. On the Manage API Client Access screen, I added the client-id of the service-account with the drive scope.

Hmm, then I am at a bit of a loss as to what to suggest. Hopefully someone else who owns a domain and has had the opportunity to do this process themselves can stop by and help. I think @darthShadow has experience with this if I recall correctly? ... (he will be notified by the forum of this mention)

I think I vaguely recall reading in some past conversation that some other user spoke about needing to authorize the app-id (i.e. rclone) for the domain in some way. However, I can't recall much detail, and as it is second-hand information I can't substantiate at the moment, I'd take that with a handful of salt.


Unfortunately, I have never used service accounts in the context of impersonating normal user accounts. My usage has been to use them as is for uploading.

I did try it locally and it seems to be working fine for me.

Thanks Darth!

So I guess that further points towards this being some kind of simple mistake somewhere. Wish I had some ideas on where to start double-checking...
