This guide is the single source of truth for creating, storing, rotating, and revoking the credentials that the dedicated sail-automation identity uses to read from Google Ads. It backs QA decisions #2 (cloud secret store + vault mirror) and #6 (dedicated sail-automation creds with quarterly rotation) from the 2026-04-23 gads-campaign-health run.
All scheduled Google Ads automation (campaign-health, search-term-review, wasted-spend, neg-cleanup) reads these credentials via environment variables. Nothing in automation should read from an interactive user's refresh token.
3813916687 (SAIL).8676599345.23723841732 (SAIL - Car Accidents 2026), 23729092958, 23729092712.sail-automation user should be granted Read Only in the MCC, not Standard or Admin. This is the firm's guardrail against an automation change accidentally mutating live ads.https://www.googleapis.com/auth/adwords.sail-automation@.... Do not reuse Sam's personal Google identity. A dedicated identity is what makes rotation and revocation safe.8676599345, invite sail-automation@... as Read Only. Accept the invite from the new account.sail-tools project) with the Google Ads API enabled.client_id and client_secret will be the values stored as GOOGLE_ADS_CLIENT_ID and GOOGLE_ADS_CLIENT_SECRET.generate_user_credentials.py or equivalent, logged in as sail-automation@.... Capture the refresh token. This is GOOGLE_ADS_REFRESH_TOKEN.GOOGLE_ADS_DEVELOPER_TOKEN.All task code must read exactly these names. No aliases. No reading from google-ads.yaml.
GOOGLE_ADS_DEVELOPER_TOKEN