Authenticating to the Cloud DLP

You must authenticate to the Cloud DLP API in order to use it. The Cloud DLP API can handle both API keys and authentication. The main distinction between these two methods is:

  • API keys identify the calling project—the app or site—that is making the call to an API.
  • Auth tokens identify a user—the person—that is using the project.

Using an API key for unauthenticated access

You can use a Google Cloud Platform Console API key to authenticate to the Cloud DLP API for some methods, including all projects.content.* and projects.image.* methods.

  1. Follow the instructions to create an API key for your Google Cloud Platform Console project.
  2. When making any Cloud DLP API request, pass your key as the value of a key parameter. For example:
    curl https://dlp.googleapis.com/v2/infoTypes?key=[YOUR_API_KEY]

It's important to protect your API keys against unauthorized use. For advice on how to do this, see Best practices for securely using API keys.

Using a service account

To use a service account to authenticate to the Cloud DLP API:

  • Follow the instructions to create a service account. Select JSON as your key type, and grant the user the DLP User role (roles/dlp.user).

For more information about granting roles to service accounts, see Granting Roles to Service Accounts.

Once complete, your service account key is downloaded to your browser's default location.

Next, decide whether you'll provide your service account authentication as a bearer token or using application default credentials.

Bearer tokens using a service account

If you're calling the Cloud DLP API directly, such as by making an HTTP request with cURL, you'll pass your authentication as a bearer token in an HTTP Authorization request header. To obtain a bearer token using your service account:

  1. Install the gcloud command line tool.
  2. Authenticate to your service account, replacing [KEY_FILE] below with the path to your service account key file:
    gcloud auth activate-service-account --key-file [KEY_FILE]
  3. Obtain an authorization token using your service account:
    gcloud auth print-access-token
    The command returns an access token value.
  4. When calling the API, pass the token value as a bearer token in an Authorization header:
    curl -s -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer [ACCESS_TOKEN]' \
      'https://dlp.googleapis.com/v2/infoTypes'

Application default credentials

If you're using a client library to call the Cloud DLP API, use Application Default Credentials (ADC).

Services using ADC look for credentials within a GOOGLE_APPLICATION_CREDENTIALS environment variable. Unless you specifically want to have ADC use other credentials (for example, user credentials), set this environment variable to point to your service account key file.

export GOOGLE_APPLICATION_CREDENTIALS=[PATH_TO_KEY_FILE]
Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Data Loss Prevention