Outh-20-LogoIf you are looking to leverage one of the several Google API’s from a server based application, using Service Accounts is the way to go.  In my last post, I had put together a getting started guide to interface with Google’s Content API for Shopping using Python. This was created using an “Installed Application” Client ID requiring a user to grant access to the application as part of the OAuth 2.0 authentication process.  In the case of Server applications such as cron/batch jobs for data based processing tasks, the users who have access to the underlying resource such as a Google Merchant Center or Google Analytics account are not present to grant such access.  This is where Service Accounts come into play as your server based application will call the respective Google API on behalf of the Service Account.

In the next series of posts, we’re going to take the previous program that retrieved a product from a Google Merchant Center account using the Content For Shopping API, and change it to use a Service Account.  Anyone writing applications for this API are most likely going to use Service Accounts to manage their own data feeds and product data.  After watching the Blackhawks trounce the Oilers the other night (sorry Edmonton), I thought it was going to be that easy to change the program up to use a Service Account.   In reality, this supposedly simple switch took countless hours of pain to figure out. I’m hoping this post saves you some time and aggravation.

My setup:

While calling Google API’s from an application using a Service Account can be done across several different languages and platforms, my setup was for Python running on Windows.  However, the concepts are the same and can be adjusted and used as a guide for your specific environment. My setup:

  • Developing on Windows 7
  • Python (version 2.7.8 )
  • Setuptools 7
  • Google API Client Library for Python (version 1.3.1)

Step1: Install Visual C++ Compiler for Python 2.7

The first error I received while when making a call using a Service Account was this:

CryptoUnavailableError: No crypto library available

Newbie mistake. I didn’t install a cryptography module which is needed since Google’s OAuth process uses a private/public key encryption method to verify that the application making the API call is indeed right entity to make that call.  The cryptography module is used to sign something called a JSON Web Tokens (JWT) using a private key supplied by Google.  This signed JWT is used to request an access token from Google’s servers which is then used on each subsequent call to the respective API.   I settled on installing PyCrypto 2.6.1 on my Windows machine but then got the following error when trying to run my test program:

 Unable to find vcvarsall.bat

Now I can’t be the only one who threw up their hands in frustration.  This error message has no meaning.  Fortunately there were some really smart people who posted the answer on Stack Overflow.   For those running on Windows 7, you will need to install the “Microsoft Visual C++ Compilter for Python 2.7“.  This is needed to compile PyCrypto properly.   If you aren’t running on a Windows platform you can skip this step.

Step 2: Installing PyCrypto 2.6.1

As I mentioned earlier, you need to install this Python module to sign JWT’s.  You can install this by typing in the following:

easy_install pycrypto 

Step 3: Installing OpenSSL for Windows

The next error I received when trying to run the program was this:

Error 3: PKCS12 format is not supported by the PyCrypto library. 

NotImplementedError: PKCS12 format is not supported by the PyCrypto library. Try converting to a “PEM” (openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) or using PyOpenSSL if native code is an option.

Apparently the private key (PKCS12 format)  you get from Google when creating a Client ID within the Google Developer Console is not supported by the PyCrypto module.   You will need OpenSSL to convert this PKCS12 key to the PEM format which I will explain in the next post once you have downloaded your PKCS12 key from Google.  For now, if you are running on a Windows environment you will need to download OpenSSL:

In my case I downloaded “Win32 OpenSSL v1.0.1j”


You now have the base underlying modules and tools needed to continue forward.  In my next post, I’ll walk though creating the Service Account and the respective code required to make the respective Google API call from an application using a Service Account.

I’d also highly recommend reading through Google’s documentation on OAuth2, specifically the part on Service Accounts.  This will give you a good overview of how it works: https://developers.google.com/accounts/docs/OAuth2