For some reason, I need to grab a mail attachment to store its content into database everyday.
So obviously I can’t use the normal OAuth approach because no one can authorized this action every day, that leaves service account to get this thing done.
First, I need a service account, follow the instructions of Creating a service account section
And as a service account to access gmail, I have to impersonate as some real user to access thier mails, I could only do that in a Google Apps for Work domain.
To do so, I checked the next section of document, Delegating domain-wide authority to the service account.
But I can’t find the client id on the web console anywhere, I do find one client_id field in the .json key file though, which the Manage API client access panel doesn’t accept it at all.
And I can’t find any solution on google search / google products forum / stackoverfow either, then I finally found something on th developer console, thanks to my co-worker.
In the Credentials panel, go to the Manage service accounts link (on the top-right corner of service account credentails table), click the little icon on the end of the service account row, click Edit, then there’s a popup with a input text to change account name, AND a checkbox called Enable Google Apps Domain-wide Delegation.
After that, I finally got a client id on developer console, and able to authenticate something on the Manage API client access panel.
But it’s not done yet, I should use the sub parameter in Google_Auth_AssertionCredentials to specify which user to impersonate.
$credential = new Google_Auth_AssertionCredentials(
Now we’re done.