无法使用服务帐户在 google 日历中创建活动

Question

我有两个 google 工作区帐户用于测试。帐户 A 有一个服务帐户，在帐户 B 中，我已将具有 reading/writing 所需权限的全域委派服务帐户添加到帐户 B 中的日历。

阅读活动和日历有效。但是，当尝试使用帐户 B 的资源日历中的服务帐户创建事件时，出现以下错误：

{"error":{"errors":[{"domain":"calendar","reason":"requiredAccessLevel","message":"You need to have writer access to this calendar."}],"code":403,"message":"You need to have writer access to this calendar."}}

添加的权限：

如果我们在一个 Google Workspace 帐户中进行测试，它会起作用。

这是代码

// clientMail is the service account id
// privateKey is the service account key
// subject is also the service account id

const jwtClient = new google.auth.JWT(
    clientMail,
    undefined,
    privateKey,
    [
      'https://www.googleapis.com/auth/calendar',
    ],
    subject,
  );

  let calendar = google.calendar({
    version: 'v3',
    auth: jwtClient,
  });
...

savedEvent = (await calendar.events.insert({ calendarId, requestBody: event })).data;
...

Answer 1

您似乎忘记指定要将服务帐户委托给哪个用户。

from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = '/path/to/service.json'

credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)

delegated_credentials = credentials.with_subject('user@example.org')