topic Re: Service Account Roles to Access SDM Services/APIs in Smart Home Developer Forum

Service Account Roles to Access SDM Services/APIs

jjkirby — Sat, 26 Aug 2023 00:06:33 GMT

I am writing a Python script to access my nest thermostat. I am able to generate a token this way:

def get_access_token():

global ACCESS_TOKEN, HEADERS

# Path to the service account JSON key file

service_account_key_path = './weatherflow-pi-project-sa.json'

# Define the scopes for which you need an access token

scopes = ['https://www.googleapis.com/auth/sdm.service']

# Load the service account credentials

credentials = service_account.Credentials.from_service_account_file(

service_account_key_path,

scopes=scopes

)

# Obtain an access token

credentials.refresh(Request())

# Print the access token

print("Access Token:", credentials.token)

ACCESS_TOKEN = credentials.token

HEADERS = {

'Content-Type': 'application/json',

'Authorization': f"Bearer {ACCESS_TOKEN}",

}

However when I go to fetch devices via

response = requests.get(google_oauth.API_URL, headers=google_oauth.HEADERS)
The API_URL is

https://smartdevicemanagement.googleapis.com/v1/enterprises/{PROJECT_ID}/devices
I get a 404 not found. This worked before when I was using a user based token and not a service account

I believe the problem is I need to add a role/permission to the service account to have access to my project. Any clue on the correct role ?
thanks

Re: Service Account Roles to Access SDM Services/APIs

sipriyadarshi — Wed, 30 Aug 2023 16:31:56 GMT

Can you please clarify if the Authorization Field in the print access token section should contain the char "f" before the bearer ?Also, can you share the http protocol request (header and data payload) ?

These information will help us in debugging the issue faster.

Re: Service Account Roles to Access SDM Services/APIs

jjkirby — Wed, 30 Aug 2023 17:25:08 GMT

Also called “formatted string literals,” f-strings are string literals that have an "f" at the beginning and curly braces containing expressions that will be replaced with their values.

It's a GET so no payload

Below is a print stament of the headers being passed just before the call:

response = requests.get(google_oauth.API_URL, headers=google_oauth.HEADERS)

HEADERS: {'Content-Type': 'application/json', 'Authorization': 'Bearer ya29.c.b0Aaekm1KUJ5bq1z-CjZSJQQ2kz-cyHi_8grlfXjhuqHVA7k7fDRs1ptyOI1mKbCOi32IXaW9agQf5PtnjmONvjJEhwcRxxarhEBjdM3oXd4BgrmpcDR-saPOBFC7URhDptnRqOzxNem6nu0SjxPah2QNQP2T92k4OaLFzEj0_NQ4L6A7wH9EyRwPqRxD5dd84x9qmsLFzx6PRZ1lRr1wgectJfiJFHVCJkFy6iZtzNPgFcQjbQdHbFVbccBDifNWRhBmcMmealDZS-z0KJiVdkKidBWNNjynzmfI19jqYvMnq9LNxcX243eVXrfc5fZfUgoMactUVXAL339Cr8wqxRtqUFomUOgpkuiQ8I912mi6vmJBoiMvU1tY_-MupYkvOS6cQbrofz9yroFSeMI78oafJJe_jzW0IqreXfrRW87oIrMMfIFUaUSY0hVqnopYJthgyX1UrRgIa9yhZne7qddBa3xWkIJR_tFqZM5oIY7cy5RYBvU-3aWf0wciWr4akebze2WI9MXXRJxmtUOQnxfBF2vW-vwFm_3p8XJlJn6YpF31ipivwV-z0i9Oix-cIwJoW65z13zfo32iYrhu_MpWZn0QYyQeSdxM1IFc-OwtvbVFm3jYvj5kQjBn-cQJ29fUkwYrVOsUVOewj0XazR9_F8orUshOBIO3pY4bvmnsta2IQrZW7IvMw-346I8u2rt4oby_td-0mJaveSdFcc3-UnMZxoJqvRQZv0BvyXqkqfgSjkwkQOFkf-_5ZjYb77Yjie_9Ic9zVI82ar_71Ir2nd5oe2adZ3xSgI2oJ18i345JpyIfqsipJg0_07UUI1au47Vn2zw2OS5pU4VzzV7MW5fkBplBzx_YBSXetBQvmQX_rRbUg4qdO7YBu37rmqVoW4Wg0833OwuOXo2cp1edyeiwBJn1e0kOrZoO9y-Z1_sYcJYq3jUQcrlyoZYrkgd1kbiUSserjwwVVi8sS83V7l_w2avXvWb9rJ1SVvfR-'}

Re: Service Account Roles to Access SDM Services/APIs

jjkirby — Wed, 30 Aug 2023 17:29:25 GMT

So my real question is what roles should I assign to the service account so it has access to the project?
I am using:

Owner
Service Account Token Creator

I assume if the request was not authorized I could get a 404 return code. I have had this working with a user based generated token. I am moving to a service account becuase this is going into a Raspberry PI making continuous interval GETS on Nest Temperature. Refresh Tokens have a shelf life and will eventually expire. So that is why I am using a service account

Re: Service Account Roles to Access SDM Services/APIs

ikpainting1122 — Sat, 30 Aug 2025 06:26:04 GMT

It sounds like the 404 issue is happening because the service account doesn’t have the right permissions assigned to access the Smart Device Management API. You may need to review the roles available in your Google Cloud project and grant the service account access to SDM resources, since without the correct roles it won’t be able to fetch devices. It’s a bit like hiring wall painting services if the painters don’t have the right tools or materials, the job won’t be done properly. Once the right permissions are added, your script should start working as expected.