php push-notification gmail gmail-api google-cloud-pubsub

Error 403: Error sending test message to Cloud PubSub: User not authorized to perform this action

I want to set up a push notification watch but I receive an error response. What authorization I need?

Request:

// Google API
$client = getClient();

// POST request    
$ch = curl_init('https://www.googleapis.com/gmail/v1/users/me/watch');

curl_setopt_array($ch, array(
    CURLOPT_POST => TRUE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_HTTPHEADER => array(
        'Authorization: Bearer ' . $client->getAccessToken()['access_token'],
        'Content-Type: application/json'
    ),
    CURLOPT_POSTFIELDS => json_encode(array(
        'topicName' => 'projects/xxxx/topics/xxxx',
        'labelIds' => ["INBOX"]
    ))
));

Response:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "forbidden",
    "message": "Error sending test message to Cloud PubSub projects/xxxx/topics/xxxx : User not authorized to perform this action."
   }
  ],
  "code": 403,
  "message": "Error sending test message to Cloud PubSub projects/xxxx/topics/xxxx : User not authorized to perform this action."
 }
}

More details:

The scope used is GMAIL_READONLY.
The suscription and the topic exist and they were created in the same console.
I tried to publish a new message from the console and it has worked.

Solution

From the page: https://developers.google.com/gmail/api/guides/push#grant_publish_rights_on_your_topic

Cloud Pub/Sub requires that you grant Gmail privileges to publish notifications to your topic.

To do this, you need to grant publish privileges to serviceAccount:[email protected]. You can do this using the Cloud Pub/Sub Developer Console permissions interface following the resource-level access control instructions.

(emphasis added)