Search code examples
python-3.xgoogle-apigmail-apigoogle-api-python-clientservice-accounts

Sending email as a service account gmail api


To be clear:

  • I'm not impersonating another user. I'm sending the email from the service account and the receiver will see the name of the service account as the sender
  • I have already enabled gmail api and correctly setup the service account

Code:

import base64
from google.oauth2 import service_account
from email.message import EmailMessage
from googleapiclient.discovery import build

creds = service_account.Credentials.from_service_account_file(
    filename = 'client_secret.json',
    scopes = ['https://mail.google.com/'],
)
service = build('gmail', 'v1', credentials=creds)
mime_message = EmailMessage()
mime_message['To'] = '[email protected]'
mime_message['From'] = '[email protected]'
mime_message['Subject'] = 'Test Subject'
mime_message.set_content('Test Message')

encoded_message = base64.urlsafe_b64encode(mime_message.as_bytes()).decode()
create_draft_request_body = {
    'message': {'raw': encoded_message}
}
draft = service.users().drafts().create(userId="myuserid",body=create_draft_request_body).execute()

Error:

shell <HttpError 400 when requesting https://gmail.googleapis.com/gmail/v1/users/myclientid/drafts?alt=json returned "Precondition check failed.". Details: "[{'message': 'Precondition check failed.', 'domain': 'global', 'reason': 'failedPrecondition'}]">


Solution

  • failedPrecondition means that one of the conditions of using a service account with the gmail api has not been meet.

    In order to use a service account with the Gmail api. You must configure domain wide delegation to a user on your google workspace account.

    Service accounts by themselves do not have access to send emails. To be 100% clear: What you want to do is not possible. You must configure the subject in the authorization configuration to be that of a user on your workspace domain. [email protected] does not have access to send an email.

    def _create_client(subject):
        credentials = service_account.Credentials
        credentials = credentials.from_service_account_file('credentials/service_account.json',
            scopes=['https://www.googleapis.com/auth/gmail.settings.sharing',
                    'https://www.googleapis.com/auth/gmail.settings.basic'],
            subject=subject)
        service = discovery.build('gmail', 'v1', credentials=credentials)
        return service
    

    What I normally recommend for my clients is to create a dummy [email protected] user and send the emails from that.