Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the DFP API with service accounts.
- A DFP network.
- The Google API Ads Java client library for DFP.
- The Google API Java client library. This is bundled with the Google API Ads Java client library dependencies, so you need not download it separately, but we will be using classes from it.
- Generate service-account credentials or access the public credentials you've already generated. You will need to create an OAuth 2.0 Client ID and obtain a *.p12 private key file:
- Go to the Google Developers Console.
- Select a project. If you do not have one yet, create one by clicking Create Project.
- In the sidebar on the left, select Credentials.
- To set up a service account, select Create New Client ID. Specify that your application type is service account, and then select Create Client ID. A dialog box appears; to proceed, select Okay, got it. (If you already have a service account, you can add a new key by selecting Generate new key beneath the existing service-account credentials. A dialog box appears; to proceed, select Okay, got it.)
- Add a service account as a user to your DFP network. If you are a third party developer, you will need to have your client do this step for you.
- Go to your DoubleClick for Publishers network.
- Click the Admin tab.
- Ensure that API access is enabled.
- Click the Add a service account user button.
- Fill in the form with your Name, Email, Teams (if applicable), and Role.
- Click on the Save button. A message should appear, confirming the addition of your service account.
- Repeat the process for all other service accounts you want to add.
- View existing service account users by going to the Users tab and then clicking the Service Account filter.
- Now you can access your DFP network using the service account via OAuth 2.0 assertion flow. In the following code example, we use our service account with OAuth 2.0 assertion flow to obtain an access token and make a basic DFP API call that gets all networks associated with that service account.
// Create a valid OAuth2 credential without using a properties file. Credential credential = new OfflineCredentials.Builder() .forApi(Api.DFP) .withJsonKeyFilePath(jsonKeyFilePath) .build() .generateCredential(); // Create a new DfpSession without using a properties file. return new DfpSession.Builder() .withOAuth2Credential(credential) .withApplicationName(applicationName) .withNetworkCode(networkCode) .build();
Important: Protect the *.p12 key file that allows a service account to access the Google services for which it has been authorized. It is good practice to allow service accounts to only access one Google API each (using the “scope” field shown in the next section). This is a preventative measure to mitigate the amount of data an attacker can access in the situation that the service account’s *.p12 key file is compromised.
Can I log into the DFP web user interface with my service account?
No, service accounts are not regular Google accounts and cannot access the DoubleClick for Publishers web user interface.
How often do I need to refresh service account access tokens?
Access tokens expire one hour after they are issued by the Google OAuth 2.0 Authorization Server. When an access token expires, the application should use the client library to fetch another access token.
What role should I set my service account to?
When creating service accounts, you should limit the role as much as possible. Creating a service account with Administrator privileges, for example, would allow a third-party to create additional, UI-accessible, users, which may defeat the purpose of your service account.