Service Control API 使用入门

本页描述了在本地计算机上设置 Service Control API 并使用 curl 命令对其进行测试所必需的基本步骤。

初始设置

Service Control API 与托管式服务搭配使用。如要使用 Service Control API,您首先需要使用 Service Management API 创建托管服务。如需了解详情,请参阅 Service Management 使用入门

创建托管式服务后,您需要先完成以下步骤,然后才能通过托管式服务使用 Service Control API。

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

  3. 如果您使用的是外部身份提供方 (IdP),则必须先 使用联合身份登录 gcloud CLI

  4. 如需初始化 gcloud CLI,请运行以下命令: 

    gcloud init

  5. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Service Control API: 

    gcloud services enable servicecontrol.googleapis.com

  8. Grant roles to your user account. Run the following command once for each of the following IAM roles: roles/servicemanagement.serviceController 

    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE

    Replace the following:

    • PROJECT_ID: your project ID.
    • USER_IDENTIFIER: the identifier for your user account—for example, myemail@example.com.
    • ROLE: the IAM role that you grant to your user account.

  9. Install the Google Cloud CLI.

  10. 如果您使用的是外部身份提供方 (IdP),则必须先 使用联合身份登录 gcloud CLI

  11. 如需初始化 gcloud CLI,请运行以下命令: 

    gcloud init

  12. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  13. Verify that billing is enabled for your Google Cloud project.

  14. Enable the Service Control API: 

    gcloud services enable servicecontrol.googleapis.com

  15. Grant roles to your user account. Run the following command once for each of the following IAM roles: roles/servicemanagement.serviceController 

    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE

    Replace the following:

    • PROJECT_ID: your project ID.
    • USER_IDENTIFIER: the identifier for your user account—for example, myemail@example.com.
    • ROLE: the IAM role that you grant to your user account.
    16.

    用 curl 进行测试

    首先,为调用 Google REST API 定义一个方便的 shell 别名:

    alias gcurl='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" '

    以下 shell 命令序列演示了调用 Service Control API 的渐进式步骤。

    # Call with invalid service name "invalid.com". For security and privacy
# reasons, the permission check typically happens before other checks.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/invalid.com:check
{
  "error": {
    "code": 403,
    "message": "Permission 'servicemanagement.services.check' denied on service 'invalid.com'.",
    "status": "PERMISSION_DENIED"
  }
}

# Call without proper permission on a service.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/servicecontrol.googleapis.com:check
{
  "error": {
    "code": 403,
    "message": "Permission 'servicemanagement.services.check' denied on service 'servicecontrol.googleapis.com'.",
    "status": "PERMISSION_DENIED"
  }
}

# Call with invalid request.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}

# This and following call assume that the service, operation name and
# project being checked are "endpointsapis.appspot.com",
# "google.example.hello.v1.HelloService.GetHello" and
# "endpointsapis-consumer" correspondingly.
# Change to the name of your managed service, operation, and project.
# Call with invalid request.
$ gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime": "2016-06-12T22:00:15Z",
    "operationName": "google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "checkErrors": [
  {
    "code": "SERVICE_NOT_ACTIVATED",
    "detail": "Service 'endpointsapis.appspot.com' is not enabled for consumer 'project:endpointsapis-consumer'."
  }
  ]
}

# Successful call to "services.check" method after the API is enabled for
# the project.
$ gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime":"2016-07-31T05:20:00Z",
    "operationName":"google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "operationId": "123e4567-e89b-12d3-a456-426655440000"
}

    完成上述步骤后:

    • 您会具有功能性的本地测试设置,您可用于调用任何 Google Cloud Platform API。
    • 您会获得一项功能性服务,该服务可与 Service Management APIService Control API 搭配使用。
    • 您会获得一个具有正确权限的服务账号,该账号可用于运行您的服务。