insufficient Permissions error facing also not abl...

akshay3863 · 07-07-2023 01:56 AM

Hello I am doing one task there I need to fetch my google analytic data into my node Js application. I have done the basic things currently I am having this issue

{
"code": 403,
"message": "User does not have sufficient permissions for this profile.",
"errors": [
{
"message": "User does not have sufficient permissions for this profile.",
"domain": "global",
"reason": "insufficientPermissions"
}
]
}

I have also check the permission is read/write but its still not working can you help me with the same

Using this way to fetch data

const GetViewsData = async (req, res) => {
try {
await jwtNew.authorize();

const response = await google.analytics("v3").data.ga.get({
auth: jwtNew,
ids: "ga:" + view_id,
'start-date': '30daysAgo',
'end-date': 'today',
'metrics': 'ga:pageviews'
});

res.json({
success: 1,
message: "success",
data: response,
});
} catch (err) {
res.json({
...err?.response?.data?.error,
});
}
};

also I have try to fetch VIEW ID using property ID but there I am also fasing issue

Thanks

ms4446

The error message "User does not have sufficient permissions for this profile" means that the service account you are using does not have the necessary permissions to access the Google Analytics data you are trying to fetch.

To fix this, you need to grant the service account the appropriate permissions. You can do this by following these steps:

Go to the Google Cloud Platform Console: https://console.cloud.google.com/.
Click the IAM & Admin tab.
Click the Service accounts tab.
Find the service account you are using and click the Edit button.
In the Permissions section, add the Google Analytics Admin role.
Click the Save button.

Once you have granted the service account the necessary permissions, you should be able to fetch the Google Analytics data without any errors.

If you are still having trouble, you can contact Google Cloud support for help.

As for the issue of not being able to find the View ID, you can use the following steps to find it:

Go to the Google Analytics website: https://analytics.google.com/.
Sign in to your account.
Click the Admin tab.
In the View section, find the View ID for the property you want to fetch data from.

The View ID is a 16-digit alphanumeric string that starts with "ga:". You can use this View ID in your code to fetch data from the specified Google Analytics property.

sonamwangdilep

In the Service Accounts tab, I can't find the Edit button and I tried managing the permission under actions->manage permission, I can't find the Google Analytics Admin role.
Can you please help me with that?

ms4446

The "Edit" button in the Service Accounts tab is only visible if you have the "Manage Users" permission for the account or property. If you don't have this permission, you won't be able to see the "Edit" button.

The "Google Analytics Admin" role is a special role that gives users full control over an Analytics account. This includes the ability to add and remove users, manage permissions, and view all data.

If you can't find the "Google Analytics Admin" role in the "Manage permissions" dialog, it's possible that you don't have this role. You can check your permissions by going to the "Access Management" tab in the Admin section of Analytics.

If you don't have the "Google Analytics Admin" role, you can request it from a user who does have this role. To do this, go to the "User Management" tab in the Admin section of Analytics and click on the "Request role" button.

Once you have the "Google Analytics Admin" role, you should be able to see the "Edit" button in the Service Accounts tab and manage the permissions for your service accounts.

aw131313

none of these answers match up to anything I'm seeing. My service account has all the permissions it needs and then some. From my PHP script, I can access analytics data for my old UA property. My GA property has all the same permissions granted to this particular service worker. Yet the same API call fails. error 403 not enough permissions. I don't know what other permissions there are.

I am the owner/editor/publisher/everything - I am the only person on this account. When I go to "IAM & Admin -> Service Accounts" and try to edit an account, the pencil/edit icon is grayed out - saying that these are controlled by a higher level. Not easy to find where those are - but I eventually do, and when I do, there is no such role called "Google Analytics Admin" ... there's Firebase Admin, Analytics Hub Admin, but not a role you described.

That said, it theoretically shouldn't matter since I've already given this service account all the highest access there is. Totally at a loss for what else to do.

ms4446

I understand you're encountering an error when trying to access the Google Analytics API. This can be frustrating, but there are several steps you can take to troubleshoot and potentially resolve the issue.

If you've already tried the usual solutions and are still facing the problem, I recommend the following:

Ensure you are using the correct service account and its associated JSON key.
Verify that you're working with the appropriate API version, especially considering the distinctions between Universal Analytics (UA) and Google Analytics 4 (GA4).
Double-check that your requests are directed to the correct API endpoint.
Consider testing with a different service account.
Confirm that your service account has the necessary permissions, both within the Google Cloud Platform and directly in your Google Analytics account.

plainlystated

I finally got it working, though not quite how ms4446 described. The key thing he/she said that helped me was to going into the Analytics console (not the GCP IAM page). I did that, and added my service account as a user (with admin rights), then I was able to use the service account's creds for API access to create a test property.

The role ms4446 mentioned never showed up in my IAM roles, so not sure how to make that work. But creating the service account through IAM then adding it to Google Analytics as a user worked for me.

ms4446

I'm glad to hear that you were able to get it working! It sounds like you were able to find a workaround for the issue with the IAM role not showing up. Adding your service account as a user with admin rights in the Analytics console is a perfectly valid way to grant the service account access to Google Analytics. This will allow the service account to create and manage properties, views, and other resources in Google Analytics.

Thank you for sharing your solution. It will be helpful for others who encounter similar challenges

aw131313

just so you guys both know - I already had the service account set up with access rights in analytics, and it still doesn't work.

ms4446

I'm sorry to hear that you're facing issues. Here are a few more troubleshooting steps:

Google Analytics 4 (GA4) vs. Universal Analytics (UA): If you're using Google Analytics 4 (GA4), be aware that it has a different API than Universal Analytics (UA). Ensure you're using the right API version for your property type.
Service Account Email: Double-check that you've added the service account's email address (usually in the format your-service-account@your-project-id.iam.gserviceaccount.com) to Google Analytics with the appropriate permissions.
API Permissions in GCP: In the Google Cloud Platform, ensure that the service account has the roles/bigquery.dataEditor and roles/bigquery.jobUser roles for BigQuery access and the roles/analytics.viewer role for Analytics access.
OAuth 2.0 Client IDs: If you're using OAuth 2.0 credentials, ensure that the client ID associated with your service account is added to the list of permitted access in the Google Analytics account.
API Key Restrictions: If you're using an API key, ensure that there are no IP restrictions or service restrictions that might be blocking your requests.
Check for Property Moves: If you've recently moved the property between accounts or made significant changes, it might affect the service account's access.
Error Messages: Pay close attention to any error messages you receive. They can often provide clues about what might be going wrong.
Logs: Check the logs in both Google Cloud Platform and Google Analytics for any additional information or warnings related to your service account or API requests.
Service Account Key: Ensure that the service account key (JSON file) you're using in your application is up-to-date and hasn't been revoked or deleted.
Billing: Ensure that your Google Cloud Platform account is in good standing and that billing is set up correctly. Sometimes, API access can be affected if there are billing issues.

aw131313

all of these have been checked, and check out -- at least, as far as I know - and I've checked a zillion times.

Can you clarify this ...

"Ensure you're using the right API version for your property type" ... far as I know I am - but tell me what the right API version should be, and then it would be easier to check

also -- this is pretty ambiguous

"and the roles/analytics.viewer role for Analytics access" ... mainly because that role doesn't appear - and it's also really difficult in Google Cloud to figure out where these settings exist. I have stumbled upon them a few times. Mainly - I can't edit the roles directly because it says it's inherited from another source - which in this case, is simply the parent API project. Poking around various places, I can find the list of roles - and the closest thing I see to what you listed is "roles/analyticshub.viewer" ... not that I'd know how to assign it to this service account. Right now the service account role is listed as "Editor"

There's nothing in any logs. The only error message is that "User does not have sufficient permissions for this profile"

all keys are up to date - there are no IP restrictions

ms4446

Validation of the given information:

Google Analytics 4 (GA4) vs. Universal Analytics (UA):

Universal Analytics (UA): If your property ID starts with "UA-", then you're using Universal Analytics. For this, you'd typically use the Core Reporting API v3, which is a legacy API that is no longer being updated.
Google Analytics 4 (GA4): If your property doesn't have the "UA-" prefix, it's likely a GA4 property. For GA4, you'd use the Google Analytics Data API (Beta), which is a newer API that supports both Universal Analytics and Google Analytics 4 data.

Roles and Permissions in Google Cloud Platform (GCP):

It sounds like you're dealing with inherited permissions. In GCP, permissions can be set at the Organization, Folder, Project, and Resource levels. If a permission is inherited from a higher level (e.g., Organization or Project), you might not be able to edit it directly at the Resource level. To check which level a permission is inherited from, you can use the Permissions Explorer tool in the GCP Console.
The role "roles/analyticshub.viewer" is for the Analytics Hub and not for Google Analytics. The correct role for Google Analytics would be something like "roles/analytics.dataEditor" or "roles/analytics.user".
If you're seeing "Editor" as the role for your service account, it means the service account has broad permissions. However, this doesn't guarantee access to Google Analytics data. Access to Google Analytics data is controlled within the Google Analytics UI itself.

Assigning Google Analytics Permissions:

Click on "Admin" (gear icon at the bottom left).
Under the appropriate Account/Property/View column, click on "User Management."
Add your service account's email and assign the necessary permissions (Read & Analyze at a minimum, Edit if you want to make changes).
To grant a service account access to a specific Google Analytics view, go to the View Settings page for the view and add the service account's email address to the Users list.

Error Message:

The error "User does not have sufficient permissions for this profile" typically indicates a permissions issue within Google Analytics itself, not GCP. Ensure that the service account's email is added to the Google Analytics account/property/view with the necessary permissions. Other possible causes of this error include a problem with the service account's credentials or a problem with the Google Analytics API.

aw131313

Every single one of these things is correct on my end, and has been checked a hundred times. Those roles you mentioned are still not listed in the list of roles in GCP, however. And I've searched every which way. Nevertheless, as you said, it appears my permissions are fine there, and very broad.

The service has all the highest permissions in my GA4 profile. I'm using the correct API, etc..., etc... Still nothing. I'm an experienced web dev, who had this working with my UA account for years. This should not have been a difficult switch. Most of the things you mentioned here are very obvious - and I've read all the docs. It's possible I'm missing something - which is why I'm asking - and reviewing everything you've written. But I'm no webdev noob. Everything you've listed has been done and re-done and re-checked over and over.

ms4446

I understand your frustration. It sounds like you have done everything correctly, and yet you are still getting the error message "User does not have sufficient permissions for this profile".

At this point, I would recommend contacting Google Cloud support directly. They may be able to identify the issue and help you resolve it.

Here are some additional things you can check in the meantime:

Make sure that the service account has the correct permissions for the specific Google Analytics view that you are trying to access.
Make sure that the service account is authorized to use the Google Analytics Data API (Beta).
Make sure that you are using the correct API endpoint for the Google Analytics Data API (Beta).
Make sure that you are using the correct credentials for the service account.

aw131313

Thanks. All of that checks out. One thing though - you (and some of the docs) have mentioned "Google Analytics view" ... GA4 no longer has views. There are just accounts and properties. From everything I've seen and read, there are no longer such things as "views"

ms4446

You are correct and I apologize for the oversight. Google Analytics 4 (GA4) no longer has views. Instead, GA4 uses a single reporting view and data streams to organize data. Data streams are sources of data, such as your website, iOS app, and Android app. You can have one or all three in a single GA4 property.

rahul7

any luck to find the solution of this issue? i am facing the same issue

aw131313

have not found a solution still ... it just doesn't work

GuilhermeSouza

have you find the solution? facing the same here

Krish_2000_v1

I'm trying to access the analytics data from my application. But, getting this error response.
{
"error":{
"code":403,
"message":"Google Analytics Data API has not been used in project 103424032563 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/analyticsdata.googleapis.com/overview?project=1034240... then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
"status":"PERMISSION_DENIED",
"details":[
{
"@type":"type.googleapis.com/google.rpc.Help",
"links":[
{
"description":"Google developers console API activation",
"url":"https://console.developers.google.com/apis/api/analyticsdata.googleapis.com/overview?project=1034240..."
}
]
},
{
"@type":"type.googleapis.com/google.rpc.ErrorInfo",
"reason":"SERVICE_DISABLED",
"domain":"googleapis.com",
"metadata":{
"consumer":"projects/103424032563",
"service":"analyticsdata.googleapis.com"
}
}
]
}
}

The project-id shown here is irrelevant to my analytics account. Kindly help me to resolve this issue.

ms4446

The error message indicates that the Google Analytics Data API has not been enabled for the project with ID 103424032563. To resolve this issue, follow these steps:

Navigate to the Google Cloud Platform (GCP) Console.
In the left sidebar, click on "APIs & Services" and then "Library".
In the search bar, type "Google Analytics Data API" and select it from the results.
Click on the "Enable" button.

After enabling the API, it might take a few minutes for the changes to propagate. Once done, try accessing the Analytics data from your application again.

If the issue persists:

Double-check that you're working within the correct GCP project. The project ID, which is a unique identifier, can be found at the top of the GCP Console.
Ensure your service account has the necessary permissions to access the Analytics data. You can adjust permissions in the IAM & Admin section of the GCP Console. Refer to the Google Analytics documentation for more details on required permissions.

coffee123

Anyone who were able to make this work?

1 - I got my Service accounts setup in cloud
2 - I was provided with credentials. json where I have my "XXX@XXXXX.iam.gserviceaccount.com" inside
3 - I enabled "Google Analytics Reporting API" enabled in the API Library
4 - I then went to Analytics hub > Admin > Account access management and added "XXX@XXXXX.iam.gserviceaccount.com" as Administrator role
5 - I specifically added one property_id (GA4) as administrator just to test if I can fetch my data from it

Error message: googleapiclient.errors.HttpError: <HttpError 403 when requesting https://analyticsreporting.googleapis.com/v4/reports:batchGet?alt=json returned "User does not have sufficient permissions for this profile.". Details: "User does not have sufficient permissions for this profile.">

aw131313

unfortunately still no - nothing works.

insufficient Permissions error facing also not able to find out View ID