Setting up the Policy API
This page explains how to set up the Cloud Identity Policy API before listing and getting policies.
Install the Python client library
To install the Python client library, run the following command:
    pip install --upgrade google-api-python-client google-auth google-auth-oauthlib google-auth-httplib2
For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.
Enable the API and set up service account credentials
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Cloud Identity API.
  Roles required to enable APIs
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- Create a service account:
  - Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
  - In the Google Cloud console, go to the Create service account page.
  - Select your project.
  - In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.
    In the Service account description field, enter a description. For example, Service account for quickstart.
  - Click Create and continue.
  - Grant the Project > Owner role to the service account.
    To grant the role, find the Select a role list, then select Project > Owner.
  - Click Continue.
  - Click Done to finish creating the service account.
    Do not close your browser window. You will use it in the next step.
- Create a service account key:
  - In the Google Cloud console, click the email address for the service account that you created.
  - Click Keys.
  - Click Add key, and then click Create new key.
  - Click Create. A JSON key file is downloaded to your computer.
  - Click Close.
Authenticate as a service account with domain-wide delegation
If you're an administrator managing identity policies, or if you want to provide an account with domain-wide privileges so that it can manage Google policies on behalf of administrators, you should authenticate as a service account and then grant domain-wide privileges to the service account.
For details about setting up domain-wide delegation, see Control API access with domain-wide delegation.
To authenticate as a service account, refer to Using OAuth 2.0 for server to server applications.
When initializing the credential in your code, specify the email address on which the service account acts by calling with_subject() on the credential.
For example:
Python
    from google.oauth2 import service_account

    # SERVICE_ACCOUNT_FILE, SCOPES and ADMIN_EMAIL are placeholders: the path to
    # the downloaded JSON key, the OAuth scopes to request, and the administrator
    # on whose behalf the service account acts.
    credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES
    ).with_subject(ADMIN_EMAIL)
Detailed sample code to call the Policy API, including the code for authentication, is provided in Listing and getting policies.
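The following is an added example, not code from the Google Cloud documentation, showing how a client would handle the JSON key downloaded in the setup steps before calling with_subject(). It validates the key file's contents and filesystem permissions with the standard library only, and builds the delegated credential with google-auth (installed in the first step) only when build_delegated_credentials() is called. The scope name in SCOPES, the REQUIRED_FIELDS list, and the function names are assumptions; the scope you request must be one your Workspace administrator authorised for this service account's client ID under domain-wide delegation.

```python
"""Validate a downloaded service-account key and build delegated credentials.

Added example; not code from the Google Cloud documentation. Only
build_delegated_credentials() needs google-auth; the checks use the standard
library so they run anywhere.
"""
import json
import os
import stat

# Assumption: the scope requested here must match one the Workspace admin
# authorised for this service account's client ID under domain-wide delegation.
# The read-only Cloud Identity policy scope is used as an illustration.
SCOPES = ["https://www.googleapis.com/auth/cloud-identity.policies.readonly"]

# Fields google-auth reads from a service_account key file (assumed list).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def validate_service_account_info(info):
    """Return a list of problems with a parsed key file; empty means OK."""
    problems = []
    if info.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % info.get("type"))
    missing = [f for f in REQUIRED_FIELDS if not info.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if info.get("private_key") and not str(info["private_key"]).startswith("-----BEGIN"):
        problems.append("private_key is not PEM-encoded")
    return problems


def check_key_file_permissions(path):
    """Return problems with the key file's mode (POSIX only).

    A downloaded JSON key is a long-lived secret and should be readable only by
    the user running the client.
    """
    problems = []
    if os.name == "posix":
        mode = os.stat(path).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("key file is readable by group or others; run chmod 600")
    return problems


def load_service_account_key(path):
    """Parse the key file and raise ValueError if it fails any check."""
    with open(path, "r", encoding="utf-8") as fh:
        info = json.load(fh)
    problems = validate_service_account_info(info) + check_key_file_permissions(path)
    if problems:
        raise ValueError("%s: %s" % (path, "; ".join(problems)))
    return info


def build_delegated_credentials(path, admin_email, scopes=SCOPES):
    """Credentials that act as admin_email through domain-wide delegation.

    with_subject() is what makes the issued token act as the named administrator;
    the service account's own IAM roles (Project > Owner in the setup steps) do
    not by themselves grant any Cloud Identity privilege on the Workspace side.
    """
    from google.oauth2 import service_account  # lazy import: only needed here

    info = load_service_account_key(path)
    return (
        service_account.Credentials.from_service_account_info(info, scopes=scopes)
        .with_subject(admin_email)
    )


if __name__ == "__main__":
    import sys
    # usage: python delegated_creds.py service-account-key.json admin@example.com
    creds = build_delegated_credentials(sys.argv[1], sys.argv[2])
    print("acting as", sys.argv[2], "via", creds.service_account_email)
```

The validation runs before any token is requested, so a key file that is world-readable or is actually an end-user authorized_user credential is rejected up front rather than failing later inside the API call with a less specific error.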

