Authenticating to the DLP API

You must authenticate to the DLP API in order to use it. The DLP API can handle both API keys and authentication. The main distinction between these two methods is:

  • API keys identify the calling project—the app or site—that is making the call to an API.
  • Auth tokens identify a user—the person—that is using the project.

Using an API key for unauthenticated access

You can use a Google Cloud console API key to authenticate to the DLP API for some methods, including all projects.content.* and projects.image.* methods.

  1. Follow the instructions to create an API key for your Google Cloud console project.
  2. When making any DLP API request, pass your key as the value of a key parameter. For example:

It's important to protect your API keys against unauthorized use. For advice on how to do this, see Best practices for securely using API keys.

Using a service account

To use a service account to authenticate to the DLP API:

  • Follow the instructions to create a service account. Select JSON as your key type, and grant the user the DLP User role (roles/dlp.user).

For more information about granting roles to service accounts, see Granting Roles to Service Accounts.

Once complete, your service account key is downloaded to your browser's default location.

Next, decide whether you'll provide your service account authentication as a bearer token or using application default credentials.

Bearer tokens using a service account

If you're calling the DLP API directly, such as by making an HTTP request with cURL, you'll pass your authentication as a bearer token in an HTTP Authorization request header. To obtain a bearer token using your service account:

  1. Install the Google Cloud CLI.
  2. Authenticate to your service account, replacing [KEY_FILE] below with the path to your service account key file:
    gcloud auth activate-service-account --key-file [KEY_FILE]
  3. Obtain an authorization token using your service account:
    gcloud auth print-access-token
    The command returns an access token value.
  4. When calling the API, pass the token value as a bearer token in an Authorization header:
    curl -s -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer [ACCESS_TOKEN]' \

Application default credentials

If you're using a client library to call the DLP API, use Application Default Credentials (ADC).

Services using ADC look for credentials within a GOOGLE_APPLICATION_CREDENTIALS environment variable. Unless you specifically want to have ADC use other credentials (for example, user credentials), set this environment variable to point to your service account key file.


Using Sensitive Data Protection from Compute Engine VMs

In order to access the DLP API from VM instances, select Allow full access to all Cloud APIs under the Identity and API Access section when creating the VM.