Setting up the Policy API
This page explains how to set up the Cloud Identity Policy API.
Before you begin
Install the Python client library
To install the Python client library, run the following command:
pip install --upgrade google-api-python-client google-auth \
google-auth-oauthlib google-auth-httplib2
For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.
Enable the API and set up service account credentials
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud Identity API.
-
Create a service account:
-
In the Google Cloud console, go to the Create service account page.
Go to Create service account - Select your project.
-
In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.
In the Service account description field, enter a description. For example,
Service account for quickstart. - Click Create and continue.
-
Grant the Project > Owner role to the service account.
To grant the role, find the Select a role list, then select Project > Owner.
- Click Continue.
-
Click Done to finish creating the service account.
Do not close your browser window. You will use it in the next step.
-
-
Create a service account key:
- In the Google Cloud console, click the email address for the service account that you created.
- Click Keys.
- Click Add key, and then click Create new key.
- Click Create. A JSON key file is downloaded to your computer.
- Click Close.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud Identity API.
-
Create a service account:
-
In the Google Cloud console, go to the Create service account page.
Go to Create service account - Select your project.
-
In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.
In the Service account description field, enter a description. For example,
Service account for quickstart. - Click Create and continue.
-
Grant the Project > Owner role to the service account.
To grant the role, find the Select a role list, then select Project > Owner.
- Click Continue.
-
Click Done to finish creating the service account.
Do not close your browser window. You will use it in the next step.
-
-
Create a service account key:
- In the Google Cloud console, click the email address for the service account that you created.
- Click Keys.
- Click Add key, and then click Create new key.
- Click Create. A JSON key file is downloaded to your computer.
- Click Close.
Authenticate as a service account with domain-wide delegation
If you're an administrator managing identity policies, or if you want to provide an account with domain-wide privileges so that it can manage Google Policies on behalf of administrators, you should authenticate as a service account and then grant domain-wide privileges to the service account.
For details about setting up domain-wide delegation, see Control API access with domain-wide delegation.
To authenticate as a service account, refer to
Using OAuth 2.0 for server to server applications.
When initializing the credential in your code, specify the email address on
which the service account acts by calling with_subject() on the credential.
For example:
Python
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(ADMIN_EMAIL)
Detailed sample code to call Policy API, including the code for authentication, are provided in Listing and retrieving policies.