Purpose

This guide is the single source of truth for creating, storing, rotating, and revoking the credentials that the dedicated sail-automation identity uses to read from Google Ads. It backs QA decisions #2 (cloud secret store + vault mirror) and #6 (dedicated sail-automation creds with quarterly rotation) from the 2026-04-23 gads-campaign-health run.

All scheduled Google Ads automation (campaign-health, search-term-review, wasted-spend, neg-cleanup) reads these credentials via environment variables. Nothing in automation should use an interactive user's refresh token.

Identity and scope

One-time provisioning

  1. Create a dedicated Google account (or Workspace user) named sail-automation@.... Do not reuse Sam's personal Google identity. A dedicated identity is what makes rotation and revocation safe.
  2. Grant MCC access. In MCC 8676599345, invite sail-automation@... as Read Only. Accept the invite from the new account.
  3. Create a Google Cloud project (or reuse an existing sail-tools project) with the Google Ads API enabled.
  4. Create an OAuth 2.0 Client ID of type Desktop app. Download the client secret JSON. The client_id and client_secret will be the values stored as GOOGLE_ADS_CLIENT_ID and GOOGLE_ADS_CLIENT_SECRET.
  5. Generate a refresh token by running the Google-provided generate_user_credentials.py or equivalent, logged in as sail-automation@.... Capture the refresh token. This is GOOGLE_ADS_REFRESH_TOKEN.
  6. Developer token. Use the firm's existing approved developer token. That is GOOGLE_ADS_DEVELOPER_TOKEN.
  7. Record the provisioning date at the bottom of this page under Rotation Log.

Environment variable names

All task code must read exactly these names. No aliases. No reading from google-ads.yaml.
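
One way a task could enforce this rule at startup, as an added example that is not part of the original guide or the firm's code. It covers the four names given in the provisioning steps. The function names, the whitespace check, and the fingerprint helper are assumptions for illustration. GOOGLE_ADS_CONFIGURATION_FILE_PATH is the variable the google-ads Python client uses to locate a google-ads.yaml.

```python
import hashlib
import os

# The four names given in the provisioning steps on this page.
REQUIRED = (
    "GOOGLE_ADS_CLIENT_ID",
    "GOOGLE_ADS_CLIENT_SECRET",
    "GOOGLE_ADS_REFRESH_TOKEN",
    "GOOGLE_ADS_DEVELOPER_TOKEN",
)
# Variable the google-ads Python client consults to locate a google-ads.yaml file.
YAML_PATH_VAR = "GOOGLE_ADS_CONFIGURATION_FILE_PATH"


class CredentialError(RuntimeError):
    """Raised with variable names only; secret values never appear in the message."""


def load_ads_credentials(env=None):
    """Return the four credentials from the environment, or raise. No file or alias fallback."""
    env = os.environ if env is None else env
    if env.get(YAML_PATH_VAR):
        raise CredentialError(f"{YAML_PATH_VAR} is set; automation must not read google-ads.yaml")
    missing = [n for n in REQUIRED if not env.get(n, "").strip()]
    if missing:
        raise CredentialError("missing or empty: " + ", ".join(missing))
    # A stray newline pasted into the secret store would otherwise reach the OAuth request.
    padded = [n for n in REQUIRED if env[n] != env[n].strip()]
    if padded:
        raise CredentialError("leading/trailing whitespace in: " + ", ".join(padded))
    # Keys become client_id, client_secret, refresh_token, developer_token.
    return {n[len("GOOGLE_ADS_"):].lower(): env[n] for n in REQUIRED}


def fingerprint(creds):
    """Short SHA-256 prefix per field: loggable, and it changes when a value is rotated."""
    return {k: hashlib.sha256(v.encode()).hexdigest()[:8] for k, v in creds.items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {name: f"constructed-{i}" for i, name in enumerate(REQUIRED)}
    print(fingerprint(load_ads_credentials(sample)))
```

Logging the fingerprint at task start lets an operator confirm after a rotation that the job picked up the new refresh token without the token itself reaching the logs.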