Setting up the Policy API

This page explains how to set up the Cloud Identity Policy API before listing and getting policies.

Install the Python client library

To install the Python client library, run the following command:

    pip install --upgrade google-api-python-client google-auth \
        google-auth-oauthlib google-auth-httplib2 absl-py

For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Identity API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  5. Create a service account:

    1. Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
    2. In the Google Cloud console, go to the Create service account page.
    3. Select your project.
    4. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    5. Click Create and continue.
    6. Grant the Service Account Token Creator role to the service account.

      To grant the role, find the Select a role list, then select Service Account Token Creator.

    7. Click Continue.
    8. In the Service account users role field, enter the identifier for the principal that will attach the service account to other resources, such as Compute Engine instances.

      This is typically the email address for a Google Account.

    9. Click Done to finish creating the service account.

If you're an administrator managing identity policies, or if you want to provide an account with domain-wide privileges so that it can manage Google policies on behalf of administrators, you should authenticate as a service account and then grant domain-wide privileges to the service account.

For details about setting up domain-wide delegation, see Control API access with domain-wide delegation. Review the best practices to mitigate the security risks associated with using domain-wide delegation.

After setting up domain-wide delegation, Application Default Credentials (ADC) can be used for authentication. When you use ADC, your code can run in either a development or production environment without changing how your application authenticates to Google Cloud services and APIs. When initializing the credentials in your code, specify the email address that the service account acts on behalf of by using the subject parameter of the credential. Make sure that this email address is granted the Service Account User role on the service account (as described above). For example:

Important: The OAuth scopes specified in the application code that creates the delegated credentials must be present in the authorized scopes list for domain-wide delegation in the Google Admin Console. A broader or more permissive scope won't work; the match is exact. If a scope requested by the application to create delegated credentials is not authorized in domain-wide delegation, the application receives an unauthorized_client error.

Python

    from absl import flags
    import google.auth
    from google.auth import iam
    from google.auth.transport import requests
    from google.oauth2 import service_account

    # Scope used by the ADC credentials that sign the delegation assertion.
    AUTH_SCOPES = ['https://www.googleapis.com/auth/iam']
    # The read and write scope of the API. Note that you must authorize the
    # exact same scope for domain-wide delegation in the Google Admin Console.
    POLICY_SCOPES = ['https://www.googleapis.com/auth/cloud-identity.policies']
    TOKEN_URI = "https://accounts.google.com/o/oauth2/token"
    # Flags must be parsed (for example via absl.app.run) before .value is read.
    _ADMIN_EMAIL = flags.DEFINE_string(
        name='admin_email',
        default=None,
        help='Administrator email to call as',
        required=True,
    )

    # Fetch application default credentials (ADC)
    credentials, _ = google.auth.default(scopes=AUTH_SCOPES)

    # Populate account information
    request = requests.Request()
    credentials.refresh(request)

    # Create an IAM signer
    signer = iam.Signer(request, credentials, credentials.service_account_email)

    # Create domain-wide delegated (DWD) credentials
    delegated_credentials = service_account.Credentials(
        signer=signer,
        service_account_email=credentials.service_account_email,
        token_uri=TOKEN_URI,
        scopes=POLICY_SCOPES,
        subject=_ADMIN_EMAIL.value,
    )

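As an added example (not the page's own code), the following wraps the setup above in a pre-flight check that enforces the exact-scope rule from the Important note before any token request is made. AUTHORIZED_DWD_SCOPES is a constructed stand-in for the list authorized in the Admin Console, and missing_dwd_scopes, explain_token_error and build_delegated_credentials are hypothetical helper names.

```python
from typing import Dict, Iterable, List

# Scopes requested by the sample code on this page.
AUTH_SCOPES = ["https://www.googleapis.com/auth/iam"]
POLICY_SCOPES = ["https://www.googleapis.com/auth/cloud-identity.policies"]
TOKEN_URI = "https://accounts.google.com/o/oauth2/token"
# Constructed for this example: the scope list an administrator authorized for the
# service account's client ID in the Admin Console. Replace it with your real list.
AUTHORIZED_DWD_SCOPES = ["https://www.googleapis.com/auth/cloud-identity.policies"]


def missing_dwd_scopes(requested: Iterable[str], authorized: Iterable[str]) -> List[str]:
    """Return requested scopes absent from the authorized list (exact match: a
    broader authorized scope does not cover a narrower requested one)."""
    authorized_set = {s.strip() for s in authorized}
    return [s for s in requested if s.strip() not in authorized_set]


def explain_token_error(body: Dict[str, str]) -> str:
    """Translate a token-endpoint error body into an operator-facing diagnosis."""
    if body.get("error") == "unauthorized_client":
        return ("unauthorized_client: a requested scope (or the client ID) is not "
                "authorized for domain-wide delegation in the Admin Console")
    return f"token request failed: {body.get('error', 'unknown')}"


def build_delegated_credentials(admin_email: str, scopes: List[str]):
    """Build DWD credentials from ADC, failing fast on an unauthorized scope."""
    missing = missing_dwd_scopes(scopes, AUTHORIZED_DWD_SCOPES)
    if missing:
        raise ValueError(f"scopes not authorized for domain-wide delegation: {missing}")
    # Imported here so the pre-flight helpers above run without google-auth installed.
    import google.auth
    from google.auth import iam
    from google.auth.transport import requests
    from google.oauth2 import service_account

    credentials, _ = google.auth.default(scopes=AUTH_SCOPES)
    request = requests.Request()
    credentials.refresh(request)
    signer = iam.Signer(request, credentials, credentials.service_account_email)
    return service_account.Credentials(
        signer=signer,
        service_account_email=credentials.service_account_email,
        token_uri=TOKEN_URI,
        scopes=scopes,
        subject=admin_email,  # the administrator the service account acts as
    )
```

Requesting only POLICY_SCOPES keeps the delegated token to the least privilege the Policy API needs, and the pre-flight check turns a late unauthorized_client failure into an immediate, explicit error.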
To impersonate a service account when using Application Default Credentials, use the --impersonate-service-account flag:

Shell

    gcloud auth application-default login \
        --impersonate-service-account=<service_account_email> \
        --scopes=https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/cloud-identity.policies

Detailed sample code for calling the Policy API, including the authentication code, is provided in Listing and getting policies.
