I’m working with a Google service account to access Google Drive files and folders, which works perfectly for basic operations. However, I’m having trouble getting label information from files.
When I try to fetch labelInfo through the Drive API by including it in the fields parameter, the response never contains this data. Interestingly, when I use fields="files(*)", I can see canReadLabels and canModifyLabels properties in the response, which suggests the API knows about labels.
I also attempted to use the Drive Labels API directly, but I’m getting a 403 error: The user doesn't have permission to perform the requested operation when making requests to the labels endpoint.
My setup includes:
- Service account with domain-wide delegation enabled
- Required scopes: drive.labels.readonly, drive.readonly, and drive.metadata.readonly
- Access to both Drive Labels API and Google Drive API
- The target file definitely has labels applied to it
The API metrics show 100% failure rate for Drive Labels API calls. What additional permissions or configuration might I be missing to retrieve label data successfully?
This exact problem had me stuck for days until I figured out the impersonation setup was broken. With domain-wide delegation for Drive Labels, you’ve got to impersonate a user who actually has access to those labels. The service account won’t work on its own, even with the right scopes. Set the subject parameter when building credentials to impersonate a real user account that can see the labels. Also check that Drive Labels API is enabled in Google Cloud Console - mine wasn’t turned on even though regular Drive API worked fine. Fixed my 403 errors once I got both the user impersonation right and explicitly enabled the Labels API.
I ran into the same issue with service accounts and Drive Labels. The key thing is making sure your service account has explicit access to the labels - Drive Labels permissions are completely separate from regular Drive API permissions. Check that the labels are either shared with your service account’s email or set to organization-wide access. Also verify that your domain admin has enabled service accounts to use Drive Labels in Admin Console under Apps > Google Workspace > Drive and Docs > Features and Applications. That 403 error usually means your service account doesn’t have the org-level permissions it needs for those labels.
had the same issue - your service account needs label permissions at the org level through workspace admin. even with the right scopes, you’ll get a 403 if the labels aren’t set up for programmatic access or your service account isn’t whitelisted. check the label settings in admin console under drive labels management.