Hello, I created a simple Go application that starts push notifications from Gmail to Cloud Pub/Sub with the watch method. That works totally fine for my personal Google account, but when I try the same with my Google Workspace account from my company I get the following error:
googleapi: Error 403: Error sending test message to Cloud PubSub projects/clickup-ticket-creator/topics/gmail-messages : User not authorized to perform this action., forbidden
I set up both GCP projects in exactly the same manner; both grant the ".../auth/gmail.readonly" API scope on the OAuth consent screen and use an OAuth2 key. The only difference is that the OAuth consent screen is set to internal for the one in the Workspace account. I already tried switching the usage type to external and adding the user I use to the allowed users, but this also won't work.
I'm out of ideas.
Here are some steps to troubleshoot and potentially resolve the issue:
Double-Check Permissions:
Pub/Sub Permissions: (gmail-messages) within your project (clickup-ticket-creator).
Gmail API Permissions: (https://www.googleapis.com/auth/gmail.readonly) and is authorized for the Google Workspace domain.
Service Account (if applicable):
OAuth Consent Screen:
Internal vs. External: While you've tried switching, try it again just in case:
Verification Status: If your app is still in testing, it may be unverified. You might need to request verification from Google, especially for external apps.
Google Workspace Admin Settings:
Go Application Code Review:
Additional Tips:
https://www.googleapis.com/auth/gmail.readonly is sufficient for reading emails, if your application needs to create push notifications for new emails, you might need the https://www.googleapis.com/auth/gmail.modify scope.
Below is a conceptual snippet in Go for using the Gmail API to watch for changes:
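```go
// Imports needed: "log", "google.golang.org/api/gmail/v1", "google.golang.org/api/option".
// ctx (context.Context) and creds (*google.Credentials) are assumed to be set up earlier.
srv, err := gmail.NewService(ctx, option.WithCredentials(creds))
if err != nil {
	// Handle error
	log.Fatalf("creating Gmail service: %v", err)
}

watchRequest := &gmail.WatchRequest{
	TopicName: "projects/your-project/topics/your-topic",
	LabelIds:  []string{"INBOX"}, // Or specific label IDs
}

_, err = srv.Users.Watch("me", watchRequest).Do()
if err != nil {
	// Handle error (look for 403 in the error message)
	log.Fatalf("starting Gmail watch: %v", err)
}
```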
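An added example, not part of the original answer and not Google's code, for the Pub/Sub permission check mentioned above: Gmail publishes watch notifications as the service account `gmail-api-push@system.gserviceaccount.com`, which needs `roles/pubsub.publisher` on the topic. The helper below inspects the JSON printed by `gcloud pubsub topics get-iam-policy gmail-messages --format=json`; the name `GmailCanPublish` and the sample policy are constructed for illustration, and only a direct publisher binding is checked (broader roles are not).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Gmail publishes watch notifications as this Google-managed service account,
// which needs the Pub/Sub Publisher role on the topic.
const (
	gmailPushMember = "serviceAccount:gmail-api-push@system.gserviceaccount.com"
	publisherRole   = "roles/pubsub.publisher"
)

// iamPolicy holds the IAM policy fields this check reads.
type iamPolicy struct {
	Bindings []struct {
		Role      string          `json:"role"`
		Members   []string        `json:"members"`
		Condition json.RawMessage `json:"condition"`
	} `json:"bindings"`
}

// GmailCanPublish (hypothetical helper) reports an unconditional grant and,
// separately, a grant behind an IAM condition that may not apply.
func GmailCanPublish(policyJSON []byte) (granted, conditional bool, err error) {
	var p iamPolicy
	if err = json.Unmarshal(policyJSON, &p); err != nil {
		return false, false, fmt.Errorf("parsing IAM policy: %w", err)
	}
	for _, b := range p.Bindings {
		if b.Role != publisherRole {
			continue
		}
		hasCond := len(b.Condition) > 0 && string(b.Condition) != "null"
		for _, m := range b.Members {
			if m == gmailPushMember {
				granted = granted || !hasCond
				conditional = conditional || hasCond
			}
		}
	}
	return granted, conditional, nil
}

// Constructed sample: a topic policy that lacks the Gmail publisher binding.
const samplePolicy = `{"bindings":[{"role":"roles/pubsub.subscriber","members":["user:dev@example.com"]}]}`

func main() {
	fmt.Println(GmailCanPublish([]byte(samplePolicy)))
}
```

A result of `false false` for the topic named in the 403 means the binding is absent from that topic's policy.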