We set up real time developer notifications with Google Play. When someone subscribes to our Android app we get notifications.
We are trying to have the RTDNs go to a Google App Engine instance. It works when we supply the key for the App Engine service account, like this:
    // fromStream() takes an InputStream, so the key file is opened first.
    GoogleCredentials credentials = GoogleCredentials.fromStream(
            new FileInputStream( "our-appengine-service-account-key.json" ) )
        .createScoped( AndroidPublisherScopes.ANDROIDPUBLISHER );
    AndroidPublisher pub = new AndroidPublisher.Builder(
            GoogleNetHttpTransport.newTrustedTransport(),
            JacksonFactory.getDefaultInstance(),
            new HttpCredentialsAdapter( credentials )
        ).setApplicationName( appName ).build();
However, I don’t want to use the key. I want to use the default application credentials, which should be the same thing (shouldn’t it?). Why doesn’t this work? Shouldn’t getApplicationDefault() return the same service account (the App Engine service account)?
    AndroidPublisher pub = new AndroidPublisher.Builder(
            GoogleNetHttpTransport.newTrustedTransport(),
            JacksonFactory.getDefaultInstance(),
            new HttpCredentialsAdapter( GoogleCredentials.getApplicationDefault() )
        ).setApplicationName( appName ).build();
This is what appears in the logs:
    403 Forbidden
    GET https://androidpublisher.googleapis.com/androidpublisher/v3/applications/com.xxx.yyyy/purchases/subscriptions/monthlyplan1/tokens/okggphoaoolipixxxcpgedcd.AO-J1OzM0Sn_1u-QK3SGIetZymbKf4ZOeAP1rqhor-Ok59H02SmFCnath37PRd1XzFPdtWa3YTIIP9SvBymmJiQRkDufERQklw
    {
      "code" : 403,
      "details" : [ {
        "@type" : "type.googleapis.com/google.rpc.ErrorInfo",
        "reason" : "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
      } ],
      "errors" : [ {
        "domain" : "global",
        "message" : "Insufficient Permission",
        "reason" : "insufficientPermissions"
      } ],
      "message" : "Request had insufficient authentication scopes.",
      "status" : "PERMISSION_DENIED"
    }
Note that I have given the app engine service account PUB/SUB Admin access.
Also, the service account appears in the Google Play Console (Users and Permissions) with what I think are correct permissions (they work when the service account key is used).
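
Added example, not part of the original post: the key-file snippet above applies the androidpublisher scope with createScoped() and the default-credentials snippet does not, which lines up with the ACCESS_TOKEN_SCOPE_INSUFFICIENT reason in the log. The sketch below builds a keyless client with that scope applied and flags the same 403 distinctly. The class and method names are hypothetical, and it assumes the runtime's default credentials honour createScoped() (where the environment fixes the token's scopes, the call alone will not change them).

```java
// Added example; class and method names are hypothetical, not from the post.
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.googleapis.json.GoogleJsonError;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.client.googleapis.services.AbstractGoogleClientRequest;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.androidpublisher.AndroidPublisher;
import com.google.api.services.androidpublisher.AndroidPublisherScopes;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class ScopedPublisher {

    /** Keyless client: default credentials narrowed to the one scope this API needs. */
    public static AndroidPublisher build(String appName)
            throws IOException, GeneralSecurityException {
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault()
                .createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER);
        return new AndroidPublisher.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credentials))
            .setApplicationName(appName)
            .build();
    }

    /** True for the failure shown in the log: HTTP 403 plus the scope message. */
    public static boolean isScopeError(GoogleJsonResponseException e) {
        GoogleJsonError details = e.getDetails(); // null when the body was not JSON
        return e.getStatusCode() == 403
                && details != null
                && details.getMessage() != null
                && details.getMessage().contains("insufficient authentication scopes");
    }

    /** Runs one API request and reports a scope problem separately from other errors. */
    public static <T> T execute(AbstractGoogleClientRequest<T> request) throws IOException {
        try {
            return request.execute();
        } catch (GoogleJsonResponseException e) {
            if (isScopeError(e)) {
                throw new IllegalStateException("Access token lacks scope "
                        + AndroidPublisherScopes.ANDROIDPUBLISHER, e);
            }
            throw e; // any other failure is passed through unchanged
        }
    }
}
```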