<pectus.ai/>
./pectus.ai — builder framework · self-hosted · MIT

For end users

GA4 says "this user doesn't exist" when I try to add my service account. Why?


You’re at GA4 → Admin → Property access management, you’ve pasted the service account email, and Google insists the user doesn’t exist. Same for Search Console. Three causes, in order of likelihood.

1. The Google Analytics Admin API isn’t enabled

This is the most common cause and the easiest to miss because the runbook used to leave it out. Without the Admin API enabled in your Google Cloud project, GA4’s user management surface doesn’t recognize service accounts from that project as valid principals.

Fix:

  1. Open Google Cloud Console.
  2. APIs & Services → Library.
  3. Search for Google Analytics Admin API. Click it. Click Enable. Wait 30 seconds until the page shows “API enabled”.
  4. Retry the GA4 add.

While you’re there, confirm these are also enabled (Pectus needs all three for full Google data access):

  • Google Analytics Admin API
  • Google Analytics Data API
  • Google Search Console API

2. The email is mangled (missing project ID suffix)

Google Cloud project IDs almost always have a suffix Google generates (numeric or random characters). A project named acme-corp typically gets the ID acme-corp-NNNNNN. The service account email looks like:

your-account@acme-corp-NNNNNN.iam.gserviceaccount.com

If you remembered or typed the email instead of copying it, you probably have the wrong middle segment. Re-copy:

  1. Google Cloud Console → IAM & Admin → Service Accounts.
  2. Click your service account.
  3. On the Details tab, click the copy icon next to the Email field.
  4. Paste into GA4. Don’t type any of it.

3. Cross-account mismatch

Your GA4 property and your Google Cloud project are owned by different Google accounts. This produces “doesn’t exist” because the service account principal is real, but it’s invisible to GA4 from where you’re standing.

Diagnostic: check the Google account avatar in the top-right corner of GA4 vs. the top-right corner of Google Cloud Console. If they’re different emails, that’s the issue.

Fix: either move the GCP project into the right account, or recreate the service account in a project owned by the same account that owns GA4.

Quick sanity check after each fix

After enabling APIs or re-copying the email, refresh the GA4 admin page in a new tab (cache can lag). Untick “Notify by email” before clicking Add (service accounts have no inbox; the notify step can throw).

Same dance for Search Console

The exact same three causes apply to Search Console’s “Add user” flow. Same diagnostic, same fixes.

If none of those three apply: bypass the UI via the Admin API

There’s a long-running Google bug where the GA4 add-user dialog refuses to validate *.iam.gserviceaccount.com emails for some users even when the API is enabled, the email is correct, and the accounts match. The error reads “Failed to add user: email not found” or “This email doesn’t match a Google Account”. Incognito doesn’t fix it. Waiting days doesn’t fix it. The dialog is just broken for that user/property combination.

Workaround: add the service account through the Google Analytics Admin API via the OAuth Playground. Five minutes, no terminal required. The API has none of the UI-side validation, so it accepts the same email the dialog rejects.

  1. Find your GA4 Property ID. GA4 → Admin → Property details. A number like 123456789 (not the G-XXXXXXX measurement ID).
  2. Open the OAuth 2.0 Playground. https://developers.google.com/oauthplayground/
  3. Authorize the right scope. Step 1, scroll to “Input your own scopes” and paste:
    https://www.googleapis.com/auth/analytics.manage.users
    Click Authorize APIs. Sign in with the same Google account that owns GA4 and the Cloud project.
  4. Exchange code for token. Step 2, click Exchange authorization code for tokens.
  5. Build the request. Step 3:
    • HTTP Method: POST.
    • Request URI: https://analyticsadmin.googleapis.com/v1alpha/properties/<PROPERTY_ID>/accessBindings (the endpoint is v1alpha; v1beta returns 404).
    • Request body, one line, straight quotes:
      {"user":"<service-account-email>","roles":["predefinedRoles/viewer"]}
      Roles can be viewer, analyst, editor, or admin.
  6. Send. A 200 OK means the service account is now bound to the property. Refresh GA4’s Property access management page to confirm.

If you get 400, the JSON body is malformed (re-paste cleanly). If 403, your signed-in human account isn’t an Administrator on that property. If 404, you used v1beta.
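A pre-flight check for steps 1 and 5, as an added example that is not part of Pectus or of Google's tooling: it rejects a measurement ID or a mangled email before you paste anything, then prints the exact URI and one-line body for the Playground. The function names and the email pattern are assumptions made for this example; the pattern is an approximate shape check, not Google's own validation.

```python
import json
import re

ENDPOINT = "https://analyticsadmin.googleapis.com/v1alpha/properties/{pid}/accessBindings"
ROLES = {"viewer", "analyst", "editor", "admin"}  # role names listed on this page
# Approximate shape of a service account email (assumption, not Google's validator).
SA_EMAIL = re.compile(r"^[a-z][a-z0-9-]*[a-z0-9]@[a-z][a-z0-9.-]*[a-z0-9]\.iam\.gserviceaccount\.com$")
# What each status means, per the troubleshooting notes on this page.
STATUS_HINTS = {
    200: "service account is bound to the property",
    400: "JSON body is malformed; re-paste cleanly",
    403: "signed-in account is not an Administrator on the property",
    404: "wrong API version in the URI; use v1alpha",
}


def build_access_binding(property_id, email, role="viewer"):
    """Return (uri, body) for the Playground, or raise ValueError naming the problem."""
    property_id, email = property_id.strip(), email.strip()
    if property_id.upper().startswith("G-"):
        raise ValueError("that is a measurement ID; use the numeric Property ID")
    if not (property_id.isascii() and property_id.isdigit()):
        raise ValueError("Property ID must be digits only")
    if not SA_EMAIL.match(email):
        raise ValueError("not a service account email; re-copy it from the Details tab")
    if role not in ROLES:
        raise ValueError(f"role must be one of {sorted(ROLES)}")
    # json.dumps emits straight quotes; compact separators keep the body on one line.
    body = json.dumps({"user": email, "roles": [f"predefinedRoles/{role}"]},
                      separators=(",", ":"))
    return ENDPOINT.format(pid=property_id), body


def explain_status(code):
    """Map the Playground's HTTP status to the cause this page gives for it."""
    return STATUS_HINTS.get(code, "not covered by this page; check the response body")


if __name__ == "__main__":
    # Constructed sample values, not a real property or service account.
    uri, body = build_access_binding(
        "123456789", "your-account@acme-corp-000000.iam.gserviceaccount.com")
    print("POST", uri)
    print(body)
```

The default role is viewer, the lowest of the four; pass a higher role only if the service account needs it.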

For Search Console there’s no equivalent API method; use a Domain property with DNS TXT verification instead.

If it’s still broken

Paste the exact error string and the service account email (with the middle segment visible) to your install agent. Most “this still doesn’t work” cases turn out to be one of the four above with a small twist.