
Google Cloud | Troubleshooting Google Cloud Services Inspectors


Updated over a month ago

Overview 💥

This error appears when the Google Cloud Services Inspectors (Google Workspace, Google Drive) attempt to retrieve access tokens but the service account is either not authorized, incorrectly scoped, or missing required IAM permissions.

Full error(s):

  a. Client is unauthorized to retrieve access tokens using this method

  b. Client not authorized for any of the scopes requested.

Google's token endpoint returns both as a single response with the OAuth error code unauthorized_client ("Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."), so the message alone does not tell you whether the Client ID or the scope list is at fault.

This indicates a mismatch between the service account's identity in Google Cloud Platform (GCP), that is its Client ID and JSON key, and the delegation authorized for that Client ID in the Google Workspace Admin Console.


Why Does This Happen? 🤔

Common root causes include:

  • Domain-wide delegation not enabled for the service account.

  • Incorrect or incomplete OAuth scopes in Google Workspace.

  • Service account missing the IAM roles this guide expects (Service Account User + Service Account Token Creator); these matter when tokens are minted through Google Cloud IAM rather than signed with the JSON key.

  • Private key mismatch (uploaded wrong key, key expired, or regenerated but not updated in Liongard).

  • Parent/Child inspector mismatch, especially if the service account was not created in the correct GCP project tied to the correct Google Workspace organization.


Steps to Resolve 🧑‍🏫

1️⃣ Ensure Domain-Wide Delegation is Enabled

  1. In Google Cloud Platform, go to:
    IAM & Admin → Service Accounts → Your Service Account → Details → Advanced settings

  2. Expand the Domain-wide delegation section and copy the Client ID. This is the numeric OAuth 2.0 client ID, not the service account email; the same value appears as the "client_id" field of the downloaded JSON key.

  3. You will enter this Client ID in the Google Workspace Admin Console in the next step. Delegation itself is granted on the Workspace side, so an entry that is missing there, or that was made for a different service account's Client ID, produces the error above.

    For more information, reference this article from Google Cloud Platform's developer documentation.

2️⃣ Confirm OAuth Scopes Are Correct in Google Workspace

Scopes must match exactly as documented. In Google Admin Console, navigate to:
Security → Access and data control → API Controls → Domain-wide Delegation → Manage

Check that:

  • The Client ID matches your service account (compare it with the "client_id" field in the JSON key loaded into Liongard).

  • The scopes list is complete and comma-separated, with no trailing comma and no blank entries; spaces after the commas are fine.

  • Every scope is spelled exactly as below. The Admin Console compares scopes as strings and saves the entry without validating it, and Google refuses the whole token request (not just the one scope) if any scope the inspector requests is missing or misspelled in the entry.

  • You're using the correct scope set depending on inspector type:

    • Workspace + Drive

      https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user.alias.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/admin.directory.userschema.readonly, https://www.googleapis.com/auth/admin.directory.customer.readonly, https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.device.mobile.readonly, https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly, https://www.googleapis.com/auth/apps.order.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/calendar.events.readonly, https://www.googleapis.com/auth/calendar.settings.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/apps.licensing

    • Drive-only

      https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/apps.order.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.domain.readonly

3️⃣ Validate Required IAM Roles in Google Cloud Platform

Your service account requires:

  Required Role                   Purpose
  Service Account User            Allows impersonation for API calls
  Service Account Token Creator   Allows minting OAuth tokens

Navigate to IAM & Admin → IAM → Select your Service Account → Permissions

Ensure both roles appear.
If not: Add → Service Accounts → select both roles.

Note: these roles govern which principals may impersonate the service account or mint tokens for it through Google Cloud IAM. The inspector authenticates by signing a JWT with the JSON key from step 4 and exchanging it at Google's OAuth token endpoint, and whether that exchange succeeds is decided by the Workspace delegation entry from steps 1 and 2. If that entry is correct, a missing IAM role is not what produces this particular error, so do not stop here if the roles are already present.

4️⃣ Verify the Correct Private Key Is Loaded in Liongard

Common issue: a new JSON key is generated but Liongard still uses the old key.

Steps:

  1. Open the JSON private key file downloaded during service account creation. Confirm that its "client_id" equals the Client ID authorized in the Workspace Admin Console and that its "client_email" is the service account you configured; a key from a different service account is rejected even if it belongs to the same project.

  2. In Liongard, open the Parent Inspector.

  3. Paste the entire JSON file contents into the Private Key field (the whole object, including the "private_key" value with its \n line breaks, not only the key block).

If you're unsure which key is active → generate a new JSON key under IAM & Admin → Service Accounts → Keys, update Liongard with it, then delete the superseded key from the service account so a stale copy of a long-lived credential cannot still be used. The private key is only shown at download time; a key whose file was lost must be replaced, not recovered.

5️⃣ Reconfirm Required APIs Are Enabled in GCP

Navigate to: APIs & Services → Enabled APIs & Services, in the project that owns the service account (the "project_id" in the JSON key). API enablement is per project, so enabling an API in a different project does nothing for this key.

Verify (✔ = required, ✗ = not needed for that inspector type):

  API                                         Workspace   Drive   Full Suite
  Admin SDK API                               ✔           ✔       ✔
  Google Drive API                            ✗           ✔       ✔
  Enterprise License Manager API              ✔           ✗       ✔
  Google Workspace Reseller API (optional)    ✔           ✔       ✔

If any API is missing → Enable and re-run inspection. A disabled API fails only after the token has been issued (typically a 403 with reason accessNotConfigured from the API itself), so it is a separate failure from the token errors at the top of this article.


Advanced Troubleshooting 👨‍💻

These steps help when everything appears correct but the inspector still fails.

✅ Run Inspector in Clear Cache + Debug Mode

  1. Run Parent Inspector in Clear Cache + Debug Mode.

  2. Download the debug logs.

  3. Look for:

    • invalid_grant

    • unauthorized_client

    • missing_scope

    • serviceAccountTokenCreationPermissionDenied

These messages pinpoint the exact missing permission/scope. unauthorized_client is the OAuth error code behind both messages at the top of this article and points at the Domain-wide Delegation entry (steps 1 and 2). invalid_grant usually means the key, the impersonated admin email, or the system clock is wrong rather than the scopes (step 4 and the time-sync check below).
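The checks in steps 1 through 5 and the debug-log codes above can be exercised outside Liongard by making the same token request the inspector makes. The script below is an added example, not Liongard's or Google's code: it validates the scope string from step 2, compares the key's "client_id" with the Client ID entered in the Admin Console, builds and RS256-signs the domain-wide-delegation JWT assertion, posts it to Google's token endpoint, and maps the returned error code back to the step that needs fixing. Assumptions: you supply a real service account JSON key, the Parent Inspector's Super Admin email and the scope string; the third-party cryptography package is installed for signing (pip install cryptography); SAMPLE_KEY and the error descriptions in classify_token_error are constructed stand-ins and wording observed from the endpoint, not Liongard-documented values.

```python
"""Reproduce, outside Liongard, the token request the inspector makes.
Added example (not Liongard's or Google's code). Assumes a service account JSON
key file, the Parent Inspector's Super Admin email and the Admin Console scope
string, all supplied by the caller; SAMPLE_KEY is a constructed stand-in."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"

SAMPLE_KEY = {  # constructed: fields a real GCP JSON key carries, fake values
    "project_id": "example-project",
    "client_email": "inspector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
}

def parse_scope_field(text):
    """Validate the comma-separated Admin Console scope string: no blank entry
    (a trailing comma makes one) and only Google OAuth scope URLs."""
    parts = [p.strip() for p in text.split(",")]
    if "" in parts:
        raise ValueError("blank scope entry: check for a trailing or doubled comma")
    bad = [p for p in parts if not p.startswith("https://www.googleapis.com/auth/")]
    if bad:
        raise ValueError("not Google OAuth scopes: %r" % bad)
    return parts

def key_matches_dwd_entry(key, dwd_client_id):
    """The Client ID in the Admin Console must equal the numeric client_id of
    the key loaded into Liongard (not the service account email)."""
    return key["client_id"] == dwd_client_id.strip()

def build_claims(key, admin_email, scopes, now=None):
    """JWT-bearer assertion claims for domain-wide delegation:
    iss is the service account, sub is the impersonated Workspace admin."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": key["client_email"],
        "sub": admin_email,
        "scope": " ".join(scopes),  # space-separated inside the JWT
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + 3600,  # assertions valid for more than 1h are rejected
    }

def b64url(raw):
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_assertion(key, claims):
    """RS256-sign header.claims with the key file's private_key. Uses the
    third-party 'cryptography' package (assumed installed); imported here so
    the offline checks above run without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )
    priv = serialization.load_pem_private_key(key["private_key"].encode(), password=None)
    sig = priv.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)

def classify_token_error(body):
    """Map the token endpoint's error JSON to the checklist step it points at.
    The error code is the stable part; the description wording is a hint only."""
    err = body.get("error", "")
    words = body.get("error_description", "").replace(".", " ").split()
    if err == "unauthorized_client":
        return "Steps 1-2: Client ID or scopes not authorized under Domain-wide Delegation"
    if err == "invalid_grant":
        if "Signature" in words:
            return "Step 4: key loaded in Liongard does not match the service account"
        if "iat" in words and "exp" in words:
            return "Time sync: clock skew on the host that signs the assertion"
        return "Admin email: impersonated user not found in this Workspace tenant"
    if err == "invalid_scope":
        return "Step 2: malformed scope string"
    return "Unclassified: " + json.dumps(body)

def request_token(key, admin_email, scopes):
    """POST the signed assertion; returns the parsed JSON body, success or error."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": sign_assertion(key, build_claims(key, admin_email, scopes)),
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:  # 400/401 bodies carry the error JSON
        return json.load(e)

if __name__ == "__main__":  # usage: dwd_check.py key.json admin@example.com "s1, s2"
    import sys
    key = json.load(open(sys.argv[1]))
    body = request_token(key, sys.argv[2], parse_scope_field(sys.argv[3]))
    print("OK: token obtained" if "access_token" in body else classify_token_error(body))
```

Run it with the same key, admin email and scope string the Parent Inspector uses. A successful exchange proves the GCP and Workspace sides agree and narrows the problem to Liongard's copy of the key; an unauthorized_client response with a correct scope string means the Client ID entry in the Admin Console is wrong or absent for this tenant.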

✅ Validate the Service Account Is Created in the Correct Project

Delegation is granted per Workspace tenant to one specific Client ID. A service account created in a project tied to a different organization than the one you intended, and therefore authorized (if at all) in a different tenant, is rejected with the same unauthorized error when used against the tenant you are inspecting.

Verify that:

  • The project belongs to the same Google Workspace org you're inspecting, and the Client ID authorized in that tenant is the one in the key loaded into the Parent Inspector.

  • The Parent Inspector's admin email exists in that Workspace tenant and is a Super Admin there; an email from a different tenant fails with invalid_grant even when delegation is configured correctly.

✅ Confirm Parent vs. Child Inspector Setup

For multi-tenant setups:

  • Only one Parent Inspector should be created.

  • Child inspectors are auto-discovered.

  • Children inherit the same service account used by the Parent.

If Parent is configured incorrectly → all children will fail.

✅ Confirm Time Sync (rare but known Google cause)

The signed assertion carries issued-at (iat) and expiry (exp) timestamps taken from the clock of the system that runs the inspector. Google rejects the assertion if that clock is off by more than about 5 minutes, typically as invalid_grant with a message about the iat and exp values. Correct the time drift (re-enable NTP on that system) and run the inspection again.


Post-Resolution Validation

After changes:

  1. Re-run Parent Inspector.

  2. Ensure auto-discovered Child Inspectors appear.

  3. Confirm:

    • Google Workspace retrieves user, group & other data.

    • Google Drive retrieves file statistics and drive metadata.

  4. Check for "insufficientPermissions" or "forbidden" errors in the logs.


Contact Support 🦁

If the issue still persists after performing all the steps above, contact Liongard Support with:

  • Parent Inspector Debug Logs

  • Confirmation of Domain-wide Delegation

  • Service Account IAM role screenshot

  • Scope entry screenshot from Workspace Admin Console

  • Enabled APIs screenshot

Our Support team is happy to help 😇
💬 Start a chat with Leo (Our AI Assistant) or connect with a live support engineer.
📧 Email: support@liongard.com
