
Issue with Google Calendar API using Service account in php


I am building a page in my PHP web app where I can read and write my Google Calendar events, so here I do not need the OAuth consent screen, as I am using only my Google Calendar.

For that I created a service account in the Google console. I followed the steps from here: Google Calendar API in Your Application without Oauth Consent Screen

Using this PHP SDK : https://github.com/googleapis/google-api-php-client

The code is:

require_once __DIR__ . '/vendor/autoload.php';
define('CALENDAR_ID', 'google-email-address');
define('CREDENTIALS_PATH', 'service-account.json'); // json file path 
define('SCOPES', Google_Service_Calendar::CALENDAR);

$googleClient = new Google_Client();
$googleClient->setApplicationName("Google Calendar PHP API");
$googleClient->setAuthConfig(CREDENTIALS_PATH);
$googleClient->setScopes([SCOPES]);
$googleClient->setSubject(CALENDAR_ID);
$calendarService = new Google_Service_Calendar($googleClient);

###### Get Events...
$optParams = ['maxResults' => 10, 'orderBy' => 'startTime','singleEvents' => TRUE, 'timeMin' => date(DATE_RFC3339)];
$events = $calendarService->events->listEvents(CALENDAR_ID, $optParams)->getItems();
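foreach ($events as $event) {
  // All-day events have a date but no dateTime
  $start = $event->getStart()->getDateTime() ?: $event->getStart()->getDate();
  print_r($event->getSummary() . " " . $start . "\n");
}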

Now at CALENDAR_ID, when I am using my Google email ID (as the calendar ID), I get this error:

{ "error": "unauthorized_client", "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." }

And when I am using the email ID that was generated by Service Accounts (ss-calender@XXXXXXXXXX.iam.gserviceaccount.com), it returns a null value.

How do I read/write events in Google Calendar?

I am using the same Google account for the console and the calendar.


Solution

  • This error message is caused by the fact that the service account must be authorized in the Google Workspace Admin console, specifying each API scope that the app should be able to access.

    After creating the service account in your Google Cloud console, you need to authorize the service account to access the user's data. To do that, you need to set up domain-wide delegation; keep in mind that this is going to be performed in your Google Workspace Admin console.

    Steps to perform Domain-wide delegation:

    • Admin console > Security > API Controls > Domain-wide Delegation
    • Add new > for the Client ID field enter the Unique ID from your service account
    • For the OAuth scopes field, make sure you enter the same scope you have set up in your code; otherwise you'll get the same error message

    However, if you do not have a Google Workspace account and you are trying to read and write your personal @gmail email address calendar events, share the calendar with your service account:

    • Go to Google Calendar > “My calendars” section. To expand it, click the Down arrow.
    • Hover over the calendar you want to share, and click More and then Settings and sharing.
    • Under “Share with specific people,” click Add people > add the service account email address.

    Delete:

    $googleClient->setSubject(CALENDAR_ID);
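
The two setups described in the answer, put together as an added example (not code from the original question or answer, and not from the SDK project). It assumes google/apiclient is installed via Composer; `buildCalendarClient()`, `listUpcoming()` and the `you@example.com` calendar ID are hypothetical placeholders.

```php
<?php
// Added example. Assumes service-account.json is the key file downloaded
// from the Google Cloud console for the service account.
require_once __DIR__ . '/vendor/autoload.php';

function buildCalendarClient(string $keyFile, ?string $impersonate = null): Google_Service_Calendar
{
    $client = new Google_Client();
    $client->setApplicationName('Google Calendar PHP API');
    $client->setAuthConfig($keyFile);
    // With domain-wide delegation, this must be the same scope entered in the Admin console.
    $client->setScopes([Google_Service_Calendar::CALENDAR]);
    if ($impersonate !== null) {
        // Only works with Workspace domain-wide delegation. On a personal
        // @gmail.com account this call leads to "unauthorized_client".
        $client->setSubject($impersonate);
    }
    return new Google_Service_Calendar($client);
}

function listUpcoming(Google_Service_Calendar $service, string $calendarId): array
{
    $params = ['maxResults' => 10, 'orderBy' => 'startTime',
               'singleEvents' => true, 'timeMin' => date(DATE_RFC3339)];
    $rows = [];
    foreach ($service->events->listEvents($calendarId, $params)->getItems() as $event) {
        // All-day events carry a date instead of a dateTime.
        $start = $event->getStart()->getDateTime() ?: $event->getStart()->getDate();
        $rows[] = $start . ' ' . $event->getSummary();
    }
    return $rows;
}

$keyFile = 'service-account.json';
$key = json_decode(file_get_contents($keyFile), true);
// client_email: the address to add under "Share with specific people".
// client_id: the Unique ID to enter in the Domain-wide Delegation form.
echo "Service account: {$key['client_email']} (unique ID {$key['client_id']})\n";

try {
    // Personal account: no setSubject(); the calendar is addressed by its owner's
    // email (placeholder) and must already be shared with client_email.
    $service = buildCalendarClient($keyFile);
    // Workspace with delegation instead: buildCalendarClient($keyFile, 'you@example.com')
    echo implode("\n", listUpcoming($service, 'you@example.com')), "\n";
} catch (Exception $e) {
    echo 'Calendar request failed: ' . $e->getMessage() . "\n";
    exit(1);
}
```

Domain-wide delegation lets the service account act as any user in the domain for the granted scopes, so keep the key file out of the web root and grant only the scopes the app uses.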
    
