API access no longer works (PERMISSION_DENIED: "The caller does not have permission")

[gnarea]

Describe the bug

I've been using this plugin on two apps (separate repos but exact same config), but one of them suddenly stopped working in the past few weeks despite there being no changes whatsoever to the GCP project, the Play Store Developer Console or the gradle-play-publisher config. Additionally, I'm now trying to set up a 3rd app and it's failing with the same error.

The rest of this bug report corresponds to the 3rd app that I'm trying to set up.

How To Reproduce

Versions

• Gradle Play Publisher: 3.4.0
• Gradle Wrapper: 6.6.1
• Android Gradle Plugin: 4.1.3

Tasks executed

bootstrap

Expected behavior

All the listing details to be downloaded.

Additional context (if a crash, provide stack trace)

Here's the output:

> Task :app:bootstrapRelease FAILED
Downloading app details
Downloading listings
Downloading release notes
Downloading in-app products

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:bootstrapRelease'.
> Multiple task action failures occurred:
   > A failure occurred while executing com.github.triplet.gradle.play.tasks.Bootstrap$DetailsDownloader
      > 403 Forbidden
        POST https://androidpublisher.googleapis.com/androidpublisher/v3/applications/tech.relaycorp.ping/edits
        {
          "code": 403,
          "errors": [
            {
              "domain": "global",
              "message": "The caller does not have permission",
              "reason": "forbidden"
            }
          ],
          "message": "The caller does not have permission",
          "status": "PERMISSION_DENIED"
        }
   > A failure occurred while executing com.github.triplet.gradle.play.tasks.Bootstrap$ListingsDownloader
      > 403 Forbidden
        POST https://androidpublisher.googleapis.com/androidpublisher/v3/applications/tech.relaycorp.ping/edits
        {
          "code": 403,
          "errors": [
            {
              "domain": "global",
              "message": "The caller does not have permission",
              "reason": "forbidden"
            }
          ],
          "message": "The caller does not have permission",
          "status": "PERMISSION_DENIED"
        }
   > A failure occurred while executing com.github.triplet.gradle.play.tasks.Bootstrap$ReleaseNotesDownloader
      > 403 Forbidden
        POST https://androidpublisher.googleapis.com/androidpublisher/v3/applications/tech.relaycorp.ping/edits
        {
          "code": 403,
          "errors": [
            {
              "domain": "global",
              "message": "The caller does not have permission",
              "reason": "forbidden"
            }
          ],
          "message": "The caller does not have permission",
          "status": "PERMISSION_DENIED"
        }
   > A failure occurred while executing com.github.triplet.gradle.play.tasks.Bootstrap$ProductsDownloader
      > 403 Forbidden
        GET https://androidpublisher.googleapis.com/androidpublisher/v3/applications/tech.relaycorp.ping/inappproducts
        {
          "code": 403,
          "errors": [
            {
              "domain": "global",
              "message": "The caller does not have permission",
              "reason": "forbidden"
            }
          ],
          "message": "The caller does not have permission",
          "status": "PERMISSION_DENIED"
        }

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 2s
1 actionable task: 1 executed

GCP and Developer Console configuration

I think API access is configured properly. As mentioned above, one of the three apps can use gradle-play-publisher with this config:

The service accounts above are in the GCP project linked to the Developer Console:

Note that androidpublisher.googleapis.com is already enabled in the GCP project linked to the Developer Console:

My service account is allowed to manage this app using the same set of permissions as the app that still works:

Google refuse to help

I've been trying to get through to someone at Google for the past week regarding the app that suddenly broke, but they refuse to help because I'm not using the web interface to manage the listing. They say that this is a bug in the tool I'm using, which I find it hard to believe given it's a 403 response.

However, I'm raising this issue here because now it's happening with a brand new app in a brand new GCP project, so maybe this is a bug in gradle-play-publisher?

[gnarea]

In case it's relevant, here's how I'm configuring the plugin:

play {
    enabled.set(project.findProperty("enableGpp") == "true")
    track.set("beta")
    defaultToAppBundles.set(true)
    resolutionStrategy.set(GPPResolutionStrategy.AUTO)
}

I'm setting the service account credentials in the environment variable ANDROID_PUBLISHER_CREDENTIALS.

If I pass --debug to ./gradlew bootstrap, I can see the Bearer token in the Authorization header of the requests made to https://androidpublisher.googleapis.com, so I'm guessing the credentials are picked up properly.

[gnarea]

Haha, this is kind of embarrassing but I was trying to bootstrap the project using the wrong service account 🤦🏾‍♂️ It works now that I'm using the right service account.

However, this still doesn't explain the issue I'm having with the other app. I'm still nagging Google to look into this so if they don't help me I'll probably create an issue here to see if you could help me -- maybe I'm missing something and the config in this app isn't identical to the one that actually works.