Analytics API from app engine with AppIdentityCredential insufficient permissions

I am attempting to hit Google analytics API from my java app engine module.

I have the following code to retrieve the credential.

public HttpRequestInitializer getCredentials() throws GeneralSecurityException, IOException {

    HttpRequestInitializer httpRequestInitializer;

    if ( == {

        String certificate = "/token.p12";
        File privateKey = null;

        try {
            privateKey = new File(getClass().getResource(certificate).toURI());
        } catch (URISyntaxException e) {
            log.log(Level.SEVERE, e.getMessage(), e);

        httpRequestInitializer = new GoogleCredential.Builder()
                .setTransport(new NetHttpTransport())
                .setJsonFactory(new JacksonFactory())

    } else {

        httpRequestInitializer = new AppIdentityCredential(Arrays.asList(AnalyticsScopes.ANALYTICS_READONLY));


    return httpRequestInitializer;

I have enabled the analytics api for the project in the cloud dev console. In Google analytics I have given the service account read access. Google analytics is using the same google account as I am using for google cloud.

Anyway, when using the app engine dev server this code works and I can hit the api (using the client library). However, when run from app engine itself and it uses AppIdentityCredential I am getting the following exception when attempting to hit the API. 403         OK
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "User does not have any Google Analytics account.",
"reason" : "insufficientPermissions"
} ],
"message" : "User does not have any Google Analytics account."

I would assume that AppIdentityCredential authenticates as the user who owns the app engine project, but I guess it doesn't?

I would like to use AppIdentityCredential as I understand that this is recommended for production instances.

How can I use AppIdentityCredential and access the analytics api with it?


Uh ok I figured it out.

The app engine project is tied to the identity/account of . Giving this account access in analytics settings allows the app engine code to access it using AppIdentityCredential

Need Your Help

Ambiguity issue when deducing function call

c++ compiler-errors overloading ambiguous-call

I have the following bit of code which has two versions of the function foo. I'd like if a variable is passed for the foo that takes an AVar type to be called otherwise if a const is passed for the