I want to send emails using python on GAE, so edited "Email API authorized senders" in:
https://console.developers.google.com/project/MY_PROJECT/appengine/settings
under "Email API authorized senders", I added support#mydomain.com (where mydomain.com is registered via google domain, and linked to MY_PROJECT)
I got a message saying I don't have enough privilege to make this change. Any idea why? Thanks so much.
The documentation says
All email addresses on the Email API Authorized Senders list need to
be valid Gmail or Google-hosted domain Accounts. There are
restrictions on who can add whom to the Email API Authorized Senders
list:
Application administrators can add themselves
Application administrators for applications hosted in a Google Apps domain can add
noreply#domain.com, as long as noreply#domain.com is a valid account
Domain administrators of domains managed by Google Apps can add any
user in their domain
So you would need to be a Google Apps admin and the user you're trying to add must also exist in Google Apps. Sadly the documenation doesn't mention groups in the Apps domain which would be quite useful.
Related
I am trying to add a email sender account in Google App Engine. The domain is not a google apps domain.
When I try to add the account as an IAM user, it says the account must have a google account. When I try to make a Google account, it forces me to make a #gmail account as part of it.
Once all that was said and done, I am able to add my new email domain into IAM, but as soon as I save and refresh the page - it shows the #gmail alias I created. It won't let me add my own domain as an email sender because only the #gmail is in IAM.
Is this broken?
UPDATED
Turns out that I accidentally assigned a gmail account to the Google account as well and that was overriding the name. I went into the google account and removed Gmail from the products list and I was able to add the subdomain in IAM and as a valid sender.
Not broken, just working as documented. From Who can send mail:
For security purposes, the sender address of a message must be one of
the following:
The Gmail or G Suite Account of the user who is currently signed in
Any email address of the form anything#[APP_NAME].appspotmail.com or anything#[APP_ALIAS].appspotmail.com
Any email address listed in the GCP Console under Email API Authorized Senders
All email addresses on the Email API Authorized Senders list need
to be valid Gmail or Google-hosted domain accounts.
One option would be to get your domain under Google domain hosting or G-Suite, thus meeting one of the quoted restrictions, donno if that's acceptable for you.
These sender address restrictions and other restrictions associated with sending email through the GAE Mail API) are probably not applicable if sending email through one of the Google's 3rd party email provider services: Mailgun, Mailjet and SendGrid. At least such restrictions are not mentioned in these docs. So that could be another option to consider.
I am trying to perform server-side OAuth so I can use a specific user account in my domain to send emails (hence using GMail API) via my application.
Mine is a purely server-side app and I cannot perform "user consent" via a UI.
I have created a project in Google App Engine and have obtained service account credentials (P12 key).
My code looks like this -
new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(googleEmailerServiceAccountId)
.setServiceAccountPrivateKeyFromP12File(new File(googleEmailerServiceAccountPrivateKeyLocation)).setServiceAccountScopes(Collections.singleton(GmailScopes.GMAIL_COMPOSE))
.setServiceAccountUser("xxx#xxx.com")
.build()
I have delegated domain wide access to the application (for GMAIL COMPOSE scope) via the admin console as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount.
And I still get an Unauthorised 401 when I try to send emails from my app.
Since there is no explicit documentation for the Gmail API that says it allows domain wide delegation, I am guessing it is not allowed for Gmail.
Is there any way of achieving this programatically?
Any idea would be much appreciated.
Thanks!
As far as I know you cant use a service account with Gmail. Service accounts must be pre authorized.
Authorizing Your App with Gmail
All requests to the Gmail API must be authorized by an authenticated
user. Gmail uses the OAuth 2.0 protocol for authenticating a Google
account and authorizing access to user data. You can also use Google+
Sign-in to provide a "sign-in with Google" authentication method for
your app.
Share a Google drive folder with the Service account. Add the service account email as a user on a google drive folder it has access
Share a Google calendar with the service account, just like any other user.
Service accounts don't work on all Google APIs. To my knowledge you cant give another user access to your Gmail so there will be now to pre authorize the service account.
Recommendation / work around / hack
Create a dummy app using the same client id, authenticate it get the refresh token then use the refresh token in your application.
I own a domain, call it myDomain.com, which currently masks a Google App Engine project. I have multiple alias email addresses associated with this domain, e.g. rsvp#myDomain.com, that are all set up to forward to my Gmail account. I am unable to ever authorize these aliased email accounts as Editors of my Google App via the Developer's Console because Google always sees the aliased email as my Gmail account and says...
You are already a member of this project, you cannot accept this
invitation.
...whenever I attempt to accept the invite to Edit.
Thus when I attempt to send an email via an aliased email from my deployed app, I get an InvalidSenderError: Unauthorized sender error.
Is it possible to use my domain's aliased emails to send emails from my app if they are forwarding to the same account that deployed the app? I will try an experiment this evening where I use a different forwarding email account, but this is not sustainable, as I would like to have many (>10) aliased email addresses.
Thanks!
Unfortunately, you can't send from email aliases using the built in mail service in GAE. It must be a a full user with developer access to that project.
We switched over to using The SendGrid integration for much the same reason.
There is a built in library for it in GAE and you and get a free SG account for low volume. Check out docs at https://cloud.google.com/appengine/docs/python/mail/sendgrid for more info.
I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shutdown on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user#xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further user#xyz.com is an owner of my appengine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user#xyz.com
Referring to the following document about sending email in Google App Engine:
https://developers.google.com/appengine/docs/python/mail/sendingmail
It says that the email sender (i.e., From address) may be:
Any valid email receiving address of a domain account, such as support#example.com. Domain accounts are accounts outside of the Google domain with email addresses that do not end in #gmail.com or #APP-ID.appspotmail.com.
This seems to be imply that as long as my domain mycompany.com is a Google Apps domain and I've added to my my Google Apps CPanel as a service, that I would be able to send an email from any arbitrary address that is not an existing user, such as: whatever#mycompany.com. Note that I do not have the app's authentication type set up as "Google Apps Domain" but rather as "Google Accounts API".
However, this is not working as such. I am only able to send email if it is an existing Google Apps user and is registered with the app as an administrator.
Please clarify. Thanks.
You should continue reading right after the sentence you quoted:
Any valid email receiving address of a domain account, such as support#example.com. Domain accounts are accounts outside of the Google domain with email addresses that do not end in #gmail.com or #APP-ID.appspotmail.com.
To send an email from an existing domain account, add the domain account as a Developer to your application using the Administration Console. The account is then sent an email with an invite to develop the application, which you must accept to add the account to the application.
So you still need to add the domain user under GAE Admin -> Permissions.