Cannot impersonate user for gmail with service account

Hi! I am pretty new here.

We are a small company (non-profit) that have a number of clients.

I want to build an internal tool that makes it possible to fetch all ingoing/outgoing emails to certain clients (email-addresses). The idea is that everyone on the team should be able to via a dashboard get an “activity feed” with all messages related to each client regardless of who’ve sent/received them from our side.

  • I created a service account, and activated Domain-wide delegation with scope https://mail.google.com/
  • I’ve enabled the Gmail API

In n8n (cloud) I’ve created service account google credentials, added the service account email as well as the private key. It says “Connection tested successfully” until I add a user to impersonate. And as I’ve understood it, I need to impersonate an user to be able to fetch its messages.

If “impersonate user” is ON but without email specified, it works. But if I add my own email for example, it says:

Couldn’t connect with these settings 
401 - {"error":"unauthorized_client","error_description":"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."}

So I am stuck here.

Any ideas on how to troubleshoot this? What could be the error?

Hey @einarpersson, I am sorry to hear you’re having trouble here. Unfortunately I am not an admin in our Google Workspace account (so can’t test this myself), but have asked internally for help with looking into this.

Ok, yes thanks! Right now I am kind of stuck.

Supplying a couple of screenshots to show my settings

@MutedJam

I have verified that I can use the service account credentials to impersonate a user for Google Sheets as shown in this tutorial. Note though that the credentials user interface still gives an error message (but they work!) which is described in this github issue (2397).

However my original problem persists, since I want to use Gmail API, and here I still get an error even if I just “ignore” the error in the credentials UI.


Am I lacking any scopes for gmail?
What scopes are needed?

**Edit: **

I found this this definition of scopes regarding gmail.
After I added all those, it started working!

However - Necessary scopes for these nodes should really be available in the node documentation!