# Setting up the Policy API

Last updated 2025-09-02 UTC.

This page explains how to set up the Cloud Identity Policy API before [listing and getting policies](/identity/docs/how-to/list-get-policies).

Install the Python client library
---------------------------------

To install the Python client library, run the following command:

    pip install --upgrade google-api-python-client google-auth \
        google-auth-oauthlib google-auth-httplib2

For more on setting up your Python development environment, refer to the [Python Development Environment Setup Guide](/python/docs/setup).

Enable the API and set up service account credentials
-----------------------------------------------------

- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  > **Note:** If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- Enable the Cloud Identity API.

  [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudidentity.googleapis.com)
- Create a service account:
  1. In the Google Cloud console, go to the **Create service account** page.

     [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)
  2. Select your project.
  3. In the **Service account name** field, enter a name. The Google Cloud console fills in the **Service account ID** field based on this name.

     In the **Service account description** field, enter a description. For example, `Service account for quickstart`.
  4. Click **Create and continue**.
  5. Grant the **Project > Owner** role to the service account. To grant the role, find the **Select a role** list, then select **Project > Owner**.

     > **Note:** The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles. Instead, grant a [predefined role](/iam/docs/understanding-roles#predefined_roles) or [custom role](/iam/docs/understanding-custom-roles) that meets your needs.
  6. Click **Continue**.
  7. Click **Done** to finish creating the service account.

     Do not close your browser window. You will use it in the next step.
- Create a service account key:
  1. In the Google Cloud console, click the email address for the service account that you created.
  2. Click **Keys**.
  3. Click **Add key**, and then click **Create new key**.
  4. Click **Create**. A JSON key file is downloaded to your computer.
  5. Click **Close**.

  The JSON key file is a long-lived credential: anyone who obtains it can authenticate as the service account. Keep it out of source control, restrict its file permissions to the account that runs your code, and delete the key from the service account when it is no longer needed.

Authenticate as a service account with domain-wide delegation
-------------------------------------------------------------

If you're an administrator managing identity policies, or if you want to provide an account with domain-wide privileges so that it can manage Google policies on behalf of administrators, you should authenticate as a [service account](/iam/docs/service-accounts) and then grant domain-wide privileges to the service account.

> **Note:** Because domain-wide delegation lets the service account impersonate an administrator user, service account actions are logged as having been done by that user.

For details about setting up domain-wide delegation, see [Control API access with domain-wide delegation](https://support.google.com/a/answer/162106).

To authenticate as a service account, refer to [Using OAuth 2.0 for server to server applications](https://developers.google.com/identity/protocols/oauth2/service-account). When initializing the credential in your code, specify the email address of the user on whose behalf the service account acts by calling `with_subject()` on the credential. For example:

### Python

    from google.oauth2 import service_account

    # Load the key file downloaded above, request the scopes the call needs,
    # and act on behalf of the administrator identified by ADMIN_EMAIL.
    credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(ADMIN_EMAIL)

Detailed sample code to call the Policy API, including the code for authentication, is provided in [Listing and getting policies](/identity/docs/how-to/list-get-policies).
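The two places above where something can go quietly wrong are the downloaded key file and the delegated credential. The following added example, which is not code from the Google documentation or from the google-auth library, shows the checks a practitioner would want for both: it validates and locks down the JSON key file from the key-creation step, then builds the claim set and signing input of the JWT assertion that the OAuth 2.0 server-to-server flow signs, with the administrator's address in the `sub` claim (which is exactly what `with_subject()` sets), refusing to proceed when a requested scope was not delegated to the service account's client ID. The key material, project name and addresses are constructed; the Cloud Identity Policy scope string is an assumption to be confirmed against the API reference.

```python
"""Added example, not code from the Google documentation or client libraries:
check and lock down the downloaded JSON key, then build the JWT assertion
that the OAuth 2.0 server-to-server flow signs, with the administrator's
address in the `sub` claim (what `with_subject()` sets). The key material
and addresses are constructed; the Policy API scope string is an assumption."""
import base64
import json
import os
import stat
import tempfile
import time

# Assumed scope for read-only access to Cloud Identity policies; confirm it in
# the Policy API reference before use.
POLICY_READONLY_SCOPE = "https://www.googleapis.com/auth/cloud-identity.policies.readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")

# Constructed stand-in for a downloaded key; the private_key is not a real key.
CONSTRUCTED_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd4567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQ...constructed...\n-----END PRIVATE KEY-----\n",
    "client_email": "policy-reader@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": TOKEN_URI,
}


def write_key_file(key, mode=0o600):
    """Write a key dict to a fresh temp file with the given POSIX mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as f:
        json.dump(key, f)
    os.chmod(path, mode)
    return path


def check_key_file(path):
    """Return the parsed key if it is a service account key that only its owner
    can read; raise with a precise reason otherwise."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; restrict it to 600")
    with open(path) as f:
        key = json.load(f)
    missing = [k for k in REQUIRED_KEY_FIELDS if k not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key (type={key['type']!r})")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    return key


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(key, scopes, subject=None, authorized_scopes=None,
                    now=None, lifetime=3600):
    """Return (claims, signing_input) for the RS256 JWT that is signed with the
    key's private key and exchanged at token_uri. `subject` is the user the
    service account acts for; with delegation every requested scope must be one
    the Workspace admin authorized for this client ID, or the token endpoint
    rejects the assertion, so such requests are refused before signing."""
    if subject and authorized_scopes is not None:
        undelegated = sorted(set(scopes) - set(authorized_scopes))
        if undelegated:
            raise ValueError(f"scopes not delegated to {key['client_id']}: {undelegated}")
    now = int(time.time()) if now is None else now
    claims = {
        "iss": key["client_email"],
        "scope": " ".join(scopes),
        "aud": key.get("token_uri", TOKEN_URI),
        "iat": now,
        "exp": now + min(lifetime, 3600),  # exp may be at most one hour after iat
    }
    if subject:
        claims["sub"] = subject  # the effect of with_subject(ADMIN_EMAIL)
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}

    def compact(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    return claims, compact(header) + "." + compact(claims)


def decode_signing_input(signing_input):
    """Inverse of build_assertion's encoding: return (header, claims)."""
    header_b64, claims_b64 = signing_input.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def demo(admin_email="admin@example.com"):
    """Check a constructed key file, then build a delegated assertion for admin_email."""
    path = write_key_file(CONSTRUCTED_KEY)
    try:
        key = check_key_file(path)
    finally:
        os.remove(path)
    return build_assertion(key, [POLICY_READONLY_SCOPE], subject=admin_email,
                           authorized_scopes={POLICY_READONLY_SCOPE}, now=1_700_000_000)
```

`demo()` runs entirely offline. The signing input it returns is the `header.claims` string that google-auth signs with the key's RSA private key and posts to `token_uri`; the example stops deliberately before that step, which needs the real key and is what `from_service_account_file()` handles for you. The file-mode check is POSIX-only, and the scope check reflects the delegation rule the linked admin-console article describes: a delegated token is only issued for scopes the Workspace administrator has authorized for that client ID.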