Stay organized with collections
Save and categorize content based on your preferences.
This page describes the basic steps necessary to set up the Service Control API
on your local machine and test it using the curl command.
Initial setup
The Service Control API works with
managed services. To use the
Service Control API, you need to first create a managed service using
the Service Management API. For more information, see
Service Management Getting Started.
After you have created a managed service, you need to complete the following
steps before using the Service Control API from your managed service.
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
The following shell command sequence demonstrates the incremental steps to call
the Service Control API.
# Call with invalid service name "invalid.com". For security and privacy
# reasons, the permission check typically happens before other checks.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/invalid.com:check
{
"error": {
"code": 403,
"message": "Permission 'servicemanagement.services.check' denied on service 'invalid.com'.",
"status": "PERMISSION_DENIED"
}
}
# Call without proper permission on a service.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/servicecontrol.googleapis.com:check
{
"error": {
"code": 403,
"message": "Permission 'servicemanagement.services.check' denied on service 'servicecontrol.googleapis.com'.",
"status": "PERMISSION_DENIED"
}
}
# Call with invalid request.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
# This and following call assume that the service, operation name and
# project being checked are "endpointsapis.appspot.com",
# "google.example.hello.v1.HelloService.GetHello" and
# "endpointsapis-consumer" correspondingly.
# Change to the name of your managed service, operation, and project.
# Call with invalid request.
$ gcurl -d '{
"operation": {
"operationId": "123e4567-e89b-12d3-a456-426655440000",
"consumerId": "project:endpointsapis-consumer",
"startTime": "2016-06-12T22:00:15Z",
"operationName": "google.example.hello.v1.HelloService.GetHello"
}
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
"checkErrors": [
{
"code": "SERVICE_NOT_ACTIVATED",
"detail": "Service 'endpointsapis.appspot.com' is not enabled for consumer 'project:endpointsapis-consumer'."
}
]
}
# Successful call to "services.check" method after the API is enabled for
# the project.
$ gcurl -d '{
"operation": {
"operationId": "123e4567-e89b-12d3-a456-426655440000",
"consumerId": "project:endpointsapis-consumer",
"startTime":"2016-07-31T05:20:00Z",
"operationName":"google.example.hello.v1.HelloService.GetHello"
}
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
"operationId": "123e4567-e89b-12d3-a456-426655440000"
}
After you have completed the preceding steps:
You have a functional local test setup that you can use to call any Google
Cloud Platform APIs.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Getting Started with the Service Control API\n\nThis page describes the basic steps necessary to set up the Service Control API\non your local machine and test it using the `curl` command.\n\nInitial setup\n-------------\n\nThe Service Control API works with\n[managed services](/service-infrastructure/docs/glossary#managed). To use the\nService Control API, you need to first create a managed service using\nthe Service Management API. For more information, see\n[Service Management Getting Started](/service-infrastructure/docs/service-management/getting-started).\n\nAfter you have created a managed service, you need to complete the following\nsteps before using the Service Control API from your managed service.\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Service Control API:\n\n\n ```bash\n gcloud services enable servicecontrol.googleapis.com\n ```\n-\n Grant roles to your user account. Run the following command once for each of the following\n IAM roles:\n `roles/servicemanagement.serviceController`\n\n ```bash\n gcloud projects add-iam-policy-binding PROJECT_ID --member=\"user:\u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e\" --role=ROLE\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n - \u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e: the identifier for your user account---for example, `myemail@example.com`.\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the IAM role that you grant to your user account.\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Service Control API:\n\n\n ```bash\n gcloud services enable servicecontrol.googleapis.com\n ```\n-\n Grant roles to your user account. Run the following command once for each of the following\n IAM roles:\n `roles/servicemanagement.serviceController`\n\n ```bash\n gcloud projects add-iam-policy-binding PROJECT_ID --member=\"user:\u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e\" --role=ROLE\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n - \u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e: the identifier for your user account---for example, `myemail@example.com`.\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the IAM role that you grant to your user account.\n\n\u003cbr /\u003e\n\nTest with curl\n--------------\n\nFirst, define a convenient shell alias for calling Google REST APIs: \n\n```\nalias gcurl='curl -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"Content-Type: application/json\" '\n```\n\nThe following shell command sequence demonstrates the incremental steps to call\nthe Service Control API. \n\n```\n# Call with invalid service name \"invalid.com\". For security and privacy\n# reasons, the permission check typically happens before other checks.\n$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/invalid.com:check\n{\n \"error\": {\n \"code\": 403,\n \"message\": \"Permission 'servicemanagement.services.check' denied on service 'invalid.com'.\",\n \"status\": \"PERMISSION_DENIED\"\n }\n}\n\n# Call without proper permission on a service.\n$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/servicecontrol.googleapis.com:check\n{\n \"error\": {\n \"code\": 403,\n \"message\": \"Permission 'servicemanagement.services.check' denied on service 'servicecontrol.googleapis.com'.\",\n \"status\": \"PERMISSION_DENIED\"\n }\n}\n\n# Call with invalid request.\n$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check\n{\n \"error\": {\n \"code\": 400,\n \"message\": \"Request contains an invalid argument.\",\n \"status\": \"INVALID_ARGUMENT\"\n }\n}\n\n# This and following call assume that the service, operation name and\n# project being checked are \"endpointsapis.appspot.com\",\n# \"google.example.hello.v1.HelloService.GetHello\" and\n# \"endpointsapis-consumer\" correspondingly.\n# Change to the name of your managed service, operation, and project.\n# Call with invalid request.\n$ gcurl -d '{\n \"operation\": {\n \"operationId\": \"123e4567-e89b-12d3-a456-426655440000\",\n \"consumerId\": \"project:endpointsapis-consumer\",\n \"startTime\": \"2016-06-12T22:00:15Z\",\n \"operationName\": \"google.example.hello.v1.HelloService.GetHello\"\n }\n}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check\n{\n \"checkErrors\": [\n {\n \"code\": \"SERVICE_NOT_ACTIVATED\",\n \"detail\": \"Service 'endpointsapis.appspot.com' is not enabled for consumer 'project:endpointsapis-consumer'.\"\n }\n ]\n}\n\n# Successful call to \"services.check\" method after the API is enabled for\n# the project.\n$ gcurl -d '{\n \"operation\": {\n \"operationId\": \"123e4567-e89b-12d3-a456-426655440000\",\n \"consumerId\": \"project:endpointsapis-consumer\",\n \"startTime\":\"2016-07-31T05:20:00Z\",\n \"operationName\":\"google.example.hello.v1.HelloService.GetHello\"\n }\n}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check\n{\n \"operationId\": \"123e4567-e89b-12d3-a456-426655440000\"\n}\n```\n\nAfter you have completed the preceding steps:\n\n- You have a functional local test setup that you can use to call any Google Cloud Platform APIs.\n- You have a functional service that you can use with the [Service Management API](/service-infrastructure/docs/service-management/reference/rest) and the [Service Control API](/service-infrastructure/docs/service-control/reference/rest).\n- You have a service account with correct permissions that you can use to run your service."]]