Invalid_grant error GoogleAnalytics to AppFlow

Question

I am trying to get my google analytics data to S3. I am using AppFlow for this. At First it worked fine but after few days it started showing below error to me:
> Error authenticating to connector: Login failed with status code 400: { "error": "invalid_grant", "error_description": "Token has been expired or revoked." } {requestUri=https://www.googleapis.com/analytics/v3/metadata/ga/columns, instanceUrl=https://analyticsreporting.googleapis.com}

What could be issue for this and what is possible solution.

In one of the comments someone said we need SSL for AppFlow. Can you you tell me where to get one for google analytics.

Answer

Firstly, Please make sure you are following all the requirements listed in the document: https://docs.aws.amazon.com/appflow/latest/userguide/google-analytics.html#googleanalytics-requirements

1. Create a new OAuth 2.0 client. Set the application type as Web application.

2. Set the authorized JavaScript origins URL to https://console.aws.amazon.com/.

3. Set the authorized redirect URL as follows:

>https://console.aws.amazon.com/appflow/oauth for the us-east-1 Region

>https://region.console.aws.amazon.com/appflow/oauth for all other Regions

4. Provide Amazon AppFlow with your client ID and client secret. After you provide them, you are redirected to the Google login page. When prompted, grant Amazon AppFlow permissions to access your Google Analytics account.

Looking at the error code:

>Error authenticating to connector: Login failed with status code 400: { "error": "invalid_grant", "error_description": "Token has been expired or revoked." } {requestUri=https://www.googleapis.com/analytics/v3/metadata/ga/columns, instanceUrl=https://analyticsreporting.googleapis.com}

This looks like an issue from Google Analytics API end. From the Google documentation: "Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire." Kindly check if you token was working previously and expired after approx 7 days?

Setting up theOAuth consent screen doc: https://support.google.com/cloud/answer/10311615#zippy=%2Cinternal%2Cexternal%2Cin-production%2Ctesting

Possible solutions:

1. Visit the OAuth consent screen and click on the publish button to change from the testing status to the published status.
2. Generate a new refresh token (existing one is most likely revoked).

Answer

This occurs when you are authenticating via a Google Cloud OAuth consent screen which is in 'Testing' mode. To prevent the token from expiring after 7 days you need to add your Google Cloud project to the Google Cloud organization linked to your company's domain name and then publish the OAuth consent screen as 'Internal'. This enables any user with an e-mail address in your company's domain to authenticate via your OAuth app, provided that user has first been added to the Google Workspace or Google Cloud Identity organization, and they are also a user in Analytics 360. We managed to get it working using these instructions:

Migrating a project into an organization

Publishing an internal app

[Migrating a project into an organization](https://cloud.google.com/resource-manager/docs/project-migration#migrating_projects_no_org)

[Publishing an internal app](https://support.google.com/cloud/answer/10311615?hl=en#zippy=%2Cinternal)

Invalid_grant error GoogleAnalytics to AppFlow

관련 콘텐츠