Project Setup and Management

The introductory steps in quickstart and how-to guides provide the basics for project setup, authentication, and access control. This page provides details on these important setup steps that are useful when debugging issues or managing your projects long-term.

Projects

To use services provided by the Google Cloud Platform (GCP), you must create a GCP project. A project organizes all your GCP resources. It consists of a set of collaborators, enabled APIs and other resources, billing information, authentication and access controls, and monitoring tools. You can create one project, or you can create multiple projects and use them to organize your GCP resources in a resource hierarchy.

When creating a project, take note of the project ID. You will use this ID often to make API calls.

You can manage projects using the GCP Console, the gcloud tool, or the Resource Manager API.

To create a new project using the GCP Console:

  1. Go to the Manage resources page in the GCP Console.
  2. On the Select organization drop-down list at the top of the page, select the organization in which you want to create a project.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable.
  5. If you want to add the project to a folder, enter the folder name in the Location box.
  6. When you're finished entering new project details, click Create.

Billing

A billing account is used to define who pays for a given set of resources, and it can be linked to one or more projects.

Project usage is charged to the linked billing account. Projects that are not linked to a billing account cannot use GCP services that aren't free.

In most cases, you configure billing when you create a project. You can update billing settings using the GCP Console or the Billing API.

To access your billing accounts using the GCP Console, go to the GCP Console billing page.

Enable the API

Before an API or service can be accessed by your project, you must enable it for the project. You can enable and disable APIs and services using the GCP Console, the gcloud tool, or the Service Management API.

To enable the Dialogflow API by using the GCP Console:

  1. Go to the GCP Console APIs and Services page
  2. Scroll down to check whether it is already enabled
  3. Click Enable APIs and Services at the top
  4. Browse APIs or enter Dialogflow API in the search box
  5. Click the API
  6. Click Enable

Authentication and access control

When calling an API, your applications must be authenticated, and they must be granted access to the requested resources. An application in this context is your code or commands that execute locally, are hosted by GCP, or are hosted elsewhere. It is recommended that you use service accounts for authentication and access control. A service account provides credentials for applications, as opposed to end users. If your application has end users, you do not use their credentials to access GCP resources. Instead, you use service accounts for this access. For additional authentication options, see the links at the end of this section.

Service accounts are owned by projects, and you can create many service accounts for a project. Many of your applications may use the same or different service accounts as desired. Service accounts can be managed using the GCP Console, the gcloud tool, or the Cloud Identity and Access Management (IAM) API.

Service accounts use roles for access control. You can apply primitive roles and project roles to grant project-wide access to resources, and you can apply predefined roles to grant access to specific resources. See Dialogflow API role descriptions for the list of roles that can be applied to service accounts for this API.

Service accounts are associated with one or more public/private key pairs. When you create a new key pair, you download the private key (which is not retained by Google). You are responsible for security of the downloaded private key and other management operations, such as key rotation. You can create up to 10 service account keys per service account to facilitate key rotation.

In order to authenticate with a service account, you must provide a service account key to your application or command. This is normally accomplished by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the key file. Applications using Google Cloud Client Libraries and commands using gcloud auth application-default use this environment variable to find the key file.

It is important that this environment variable is set when executing your applications and commands. If you only have one service account, you can set this variable in an initialization script or IDE configuration. If you have multiple service accounts, you will need to dynamically set this variable based on the service account you want your application or command to use.

When working within large teams and organizations, it's best to create multiple service accounts, where each service account has access to specific resources. A project owner should only share service account keys with team members that need the access provided by the service accounts.

To create a service account and download a key file:

GCP Console

  1. In the GCP Console, go to the Create service account key page.
  2. From the Service account drop-down list, select New service account.
  3. In the Service account name field, enter a name.
  4. From the Role drop-down list, select Project > Owner.

    Note: The Role field authorizes your service account to access resources. You can view and change this field later by using GCP Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
  5. Click Create. A JSON file that contains your key downloads to your computer.

Command line

You can run the following commands using the Cloud SDK on your local machine, or within Cloud Shell.

  1. Create the service account. Replace [NAME] with your desired service account name.

    gcloud iam service-accounts create [NAME]
  2. Grant permissions to the service account. Replace [PROJECT_ID] with your project ID.

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/owner"

    Note: The Role field authorizes your service account to access resources. You can view and change this field later by using GCP Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
  3. Generate the key file. Replace [FILE_NAME] with a name for the key file.

    gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com
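
The notes above recommend roles narrower than Project > Owner for production. As an added example (not part of the original documentation), this Python script scans a project IAM policy, in the JSON shape printed by gcloud projects get-iam-policy [PROJECT_ID] --format=json, for service accounts that hold a primitive role. The sample policy, its account names, and the function name are constructed for illustration.

```python
import json

# Primitive roles grant project-wide access; roles/owner is the one used in the steps above.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (account names and project are made up for this example).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:dialogflow-app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/dialogflow.client",
     "members": ["serviceAccount:chat-frontend@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def find_broad_service_accounts(policy):
    """Return sorted (service account email, role) pairs for primitive-role bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in PRIMITIVE_ROLES:
            continue
        for member in binding.get("members", []):
            # Members look like "user:..." or "serviceAccount:..."; only the latter is reported.
            kind, _, identity = member.partition(":")
            if kind == "serviceAccount":
                findings.append((identity, role))
    return sorted(findings)


if __name__ == "__main__":
    for email, role in find_broad_service_accounts(SAMPLE_POLICY):
        print(f"{email} holds {role}: replace with a predefined role scoped to what it needs")
```
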

Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS. Replace [PATH] with the file path of the JSON file that contains your service account key, and [FILE_NAME] with the filename. This variable only applies to your current shell session, so if you open a new session, set the variable again.

Linux or macOS

export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

For example:

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/[FILE_NAME].json"

Windows

With PowerShell:

$env:GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

For example:

$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\[FILE_NAME].json"

With command prompt:

set GOOGLE_APPLICATION_CREDENTIALS=[PATH]
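
Because the downloaded private key is yours to protect, it helps to check the file that GOOGLE_APPLICATION_CREDENTIALS points to before an application starts. The following Python check is an added example, not part of the original documentation; the function names are hypothetical, and the field list reflects the layout of a downloaded service account key JSON file.

```python
import json
import os
import stat

# Fields present in a downloaded service account key file.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_key_file(path):
    """Return a list of problems with the key file at path (empty list if none)."""
    problems = []
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return [f"cannot access {path}: {exc.strerror}"]
    # Permission bits are only meaningful on POSIX systems (Linux, macOS).
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} exposes the private key to group/other; use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not a readable JSON file: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    missing = [name for name in REQUIRED_FIELDS if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    return problems


def check_env(environ=None):
    """Check the key file that GOOGLE_APPLICATION_CREDENTIALS points to."""
    environ = os.environ if environ is None else environ
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    return check_key_file(path)


if __name__ == "__main__":
    for problem in check_env() or ["key file looks sane"]:
        print(problem)
```
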

Install and initialize the Cloud SDK

Cloud SDK is a set of tools that you can use to manage resources and applications hosted on GCP. This includes the gcloud command line tool.

To install Cloud SDK, follow the instructions at Google Cloud SDK Documentation.
