This guide provides all required setup steps to start using Enterprise Knowledge Graph.
About the Google Cloud console
The Google Cloud console is a web UI used to provision, configure, manage, and monitor systems that use Google Cloud products. You use the Google Cloud console to set up and manage Enterprise Knowledge Graph resources.
Create a project
To use services provided by Google Cloud, you must create a project.
A project organizes all your Google Cloud resources. A project consists of the following components:
- A set of collaborators
- Enabled APIs (and other resources)
- Monitoring tools
- Billing information
- Authentication and access controls
You can create one project, or you can create multiple projects. You can use your projects to organize your Google Cloud resources in a resource hierarchy. For more information about projects, see the Resource Manager documentation.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- 
      Create a project: To create a project, you need the Project Creator
      (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
Enable the API
You must enable the Enterprise Knowledge Graph API for your project. For more information about enabling APIs, see the Service Usage documentation.
Enable the Enterprise Knowledge Graph API.
Roles required to enable APIs
          To enable APIs, you need the Service Usage Admin IAM
          role (roles/serviceusage.serviceUsageAdmin), which
          contains the serviceusage.services.enable permission. Learn how to grant
          roles.
        
Set up authentication
Any client application that uses the API must be authenticated and granted access to the requested resources. This section describes important authentication concepts and provides steps for setting it up. For more information, see the Authentication overview.
About service accounts
There are multiple options for authentication, but we recommend that you use service accounts for authentication and access control. A service account provides credentials for applications, as opposed to end users. Projects own their service accounts. You can create many service accounts for a project. For more information, see Service accounts.
About roles
When calling an API, Google Cloud requires the calling identity (any applicable person, entity, or process and their defined attributes) to have the appropriate permissions. You can grant permissions by granting roles to a service account. For more information, see the Identity and Access Management (IAM) documentation.
For the purpose of trying the Enterprise Knowledge Graph API, you can use the Project > Owner role in the following steps. The Project > Owner role grants the service account full permission to resources in your project. If your service account does not require full permissions, you specify a more restrictive role using the Google Cloud console. For a list of permissions and roles for Enterprise Knowledge Graph, see Enterprise Knowledge Graph permissions and Enterprise Knowledge Graph roles. For information about managing permissions using IAM roles, see granting roles to service accounts.
About service account keys
Service accounts are associated with one or more public or private key pairs. When you create a new key pair, you download the private key. The Google Cloud CLI uses your private key to generate credentials when calling the API.
Create a service account and download the private key file
Create a service account:
- 
      Ensure that you have the Create Service Accounts IAM role
      (roles/iam.serviceAccountCreator). Learn how to grant roles.
- 
      In the Google Cloud console, go to the Create service account page. Go to Create service account
- Select your project.
- 
      In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name. In the Service account description field, enter a description. For example, Service account for quickstart.
- Click Create and continue.
- 
        
          Grant the Project > Owner role to the service account. To grant the role, find the Select a role list, then select Project > Owner. 
- Click Continue.
- 
      Click Done to finish creating the service account. Do not close your browser window. You will use it in the next step. 
Create a service account key:
- In the Google Cloud console, click the email address for the service account that you created.
- Click Keys.
- Click Add key, and then click Create new key.
- Click Create. A JSON key file is downloaded to your computer.
- Click Close.
Use the service account key file in your environment
  Provide authentication credentials to your application code by setting the
  environment variable GOOGLE_APPLICATION_CREDENTIALS. This
  variable applies only to your current shell session. If you want the variable
  to apply to future shell sessions, set the variable in your shell startup file,
  for example in the ~/.bashrc or ~/.profile file.
Linux or macOS
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"Replace KEY_PATH with the path of the JSON file that contains your credentials.
For example:
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
Windows
For PowerShell:
$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"Replace KEY_PATH with the path of the JSON file that contains your credentials.
For example:
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
For command prompt:
set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATHReplace KEY_PATH with the path of the JSON file that contains your credentials.