Google Ads has introduced a new feature allowing account administrators to grant access to a service account. This access enables the use of service account credentials to make API calls to the Google Ads account and other accounts within the hierarchy.
Simplification of Google Ads API Authentication
The new service account approach simplifies the authentication process in two significant ways:
- Offline Applications: Applications that operate entirely offline without user interaction no longer need to generate a refresh token. This eliminates the need for configuring an OAuth consent screen and performing OAuth App verification.
- No Google Workspace Requirement: The new flow does not require being a Google Workspace user or configuring the service account for domain-wide impersonation.
Service Accounts
A service account is associated with an app rather than an individual user, enabling server-to-server interactions between a web app and a Google service. The app calls Google APIs on behalf of the service account, eliminating the need for direct user involvement.
Key Benefits of Service Accounts:
- Simplified Authorization: Authorization is done as a configuration step, avoiding complications of other OAuth 2.0 flows that require user interactions.
- Impersonation Capability: The OAuth 2.0 assertion flow allows the app to impersonate other users if necessary.
Authorization Methods
There are two ways to authorize with service accounts: directly or with impersonation.
Direct Account Access
- Create a Service Account: Generate a service account and credentials.
- Download Key: Download the service account key in JSON format and note the service account ID and email.
- Grant Access:
- Sign in to Google Ads as an administrator.
- Navigate to Admin > Access and security.
- Click the + button under the Users tab.
- Enter the service account email, select the appropriate access level, and click Add account. Note that Email and Admin access levels are not supported for service accounts.
Impersonation (Legacy Approach)
Prerequisites:
- A Google Workspace domain.
- Google Ads API developer token and optionally a test account.
- Google API Console project configured for Google Ads API.
- Google Ads user with permissions on the account.
Setup:
- Create a service account and credentials.
- Share the service account ID and Google Ads API scope with the domain administrator.
- Request domain-wide authority delegation from the domain administrator.
Protect the key file that allows service account access to Google services and make sure to limit service account access to the minimum required set of APIs to reduce potential data exposure in case of key file compromise.
This new feature streamlines the process of integrating applications with Google Ads, making it more efficient and user-friendly.
