You must authenticate to the DLP API in order to use it. The DLP API can handle both API keys and authentication. The main distinction between these two methods is:
- API keys identify the calling project—the app or site—that is making the call to an API.
- Auth tokens identify a user—the person—that is using the project.
Using an API key for unauthenticated access
- Follow the instructions to create an API key for your Google Cloud console project.
- When making any DLP API request, pass your key as the value
keyparameter. For example:
It's important to protect your API keys against unauthorized use. For advice on how to do this, see Best practices for securely using API keys.
Using a service account
To use a service account to authenticate to the DLP API:
- Follow the instructions to create a service account. Select JSON as your key type, and grant the user the DLP User role (roles/dlp.user).
For more information about granting roles to service accounts, see Granting Roles to Service Accounts.
Once complete, your service account key is downloaded to your browser's default location.
Bearer tokens using a service account
If you're calling the DLP API directly, such as by making an HTTP request with cURL, you'll pass your authentication as a bearer token in an HTTP Authorization request header. To obtain a bearer token using your service account:
- Install the Google Cloud CLI.
- Authenticate to your service account, replacing [KEY_FILE] below
with the path to your service account key file:
gcloud auth activate-service-account --key-file [KEY_FILE]
- Obtain an authorization token using your service account:
gcloud auth print-access-tokenThe command returns an access token value.
- When calling the API, pass the token value as a
bearertoken in an
curl -s -H 'Content-Type: application/json' \ -H 'Authorization: Bearer [ACCESS_TOKEN]' \ 'https://dlp.googleapis.com/v2/infoTypes'
Application default credentials
If you're using a client library to call the DLP API, use Application Default Credentials (ADC).
Services using ADC look for credentials within a
GOOGLE_APPLICATION_CREDENTIALS environment variable. Unless you specifically
want to have ADC use other credentials (for example, user credentials), set
this environment variable to point to your service account key file.
Using Sensitive Data Protection from Compute Engine VMs
In order to access the DLP API from VM instances, select Allow full access to all Cloud APIs under the Identity and API Access section when creating the VM.