Authenticating to the API

This page explains how to authorize requests to the Cloud Healthcare API.

Obtaining a service account key file

To create a service account and download a key file:

GCP Console

  1. In the GCP Console, go to the Create service account key page.

  2. From the Service account list, select New service account.
  3. In the Service account name field, enter a name.
  4. From the Role list, select Project > Owner.

    Note: The Role field authorizes your service account to access resources. You can view and change this field later by using the GCP Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
  5. Click Create. A JSON file that contains your key downloads to your computer.

Command line

You can run the following commands using the Cloud SDK on your local machine, or in Cloud Shell.

  1. Create the service account. Replace [NAME] with a name for the service account.

    gcloud iam service-accounts create [NAME]
  2. Grant permissions to the service account. Replace [PROJECT_ID] with your project ID.

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/owner"

    Note: The Role field authorizes your service account to access resources. You can view and change this field later by using the GCP Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
  3. Generate the key file. Replace [FILE_NAME] with a name for the key file.

    gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com

Providing credentials to your application

The Cloud Healthcare API can use language-specific Google client libraries to authenticate applications and make calls to GCP. For example, using the Google API Client Library for Python, you can build a service object using your credentials and then make calls to it.

You can provide credentials automatically or manually. Automatically providing credentials is useful when testing and experimenting, but can make it hard to tell which credentials your application is using. As an alternative, provide the credentials manually.

Setting the environment variables

You can provide authentication credentials to your application code or commands by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to the file path of the JSON file that contains your service account key.

Note that, if you are running your application on Compute Engine, Google Kubernetes Engine (GKE), or App Engine, you only need to set the GOOGLE_APPLICATION_CREDENTIALS environment variable if you are using a service account other than the default service account that those services provide.

The following samples show how to set the GOOGLE_APPLICATION_CREDENTIALS environment variable:

curl command

If you're using curl, run the following command. Replace PATH with the file path of the JSON file that contains your service account key, and FILE_NAME with the filename. This variable only applies to your current shell session, so if you open a new session, set the variable again.

export GOOGLE_APPLICATION_CREDENTIALS=PATH/FILE_NAME

For example:

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account.json"

PowerShell

If you're using Windows PowerShell, run the following command. Replace PATH with the file path of the JSON file that contains your service account key, and FILE_NAME with the filename. This variable only applies to your current shell session, so if you open a new session, set the variable again.

$env:GOOGLE_APPLICATION_CREDENTIALS="PATH/FILE_NAME"

For example:

$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service_account.json"

After you've set the GOOGLE_APPLICATION_CREDENTIALS environment variable, Application Default Credentials (ADC) can implicitly determine your credentials.

Finding credentials automatically

Google API client libraries use Application Default Credentials (ADC) to automatically find your application's credentials.

When your code uses a client library, the client library checks for your credentials in the following order:

  1. ADC checks if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set. If the variable is set, ADC uses the service account file that the variable points to. The section "Setting the environment variables" on this page describes how to set it.
  2. If the environment variable isn't set, ADC uses the default service account that Compute Engine, Google Kubernetes Engine (GKE), or App Engine provide, if your application is running on any of those services.

If ADC can't use either of the above credentials, an error occurs.

The following code sample shows the use of ADC. The sample doesn't explicitly specify the application credentials. However, ADC can implicitly find the credentials and store them in the auth variable as long as the GOOGLE_APPLICATION_CREDENTIALS environment variable is set, or as long as the application is running on Compute Engine, GKE, or App Engine.

Node.js

Uses the Node.js client library.

const {google} = require('googleapis');
const healthcare = google.healthcare('v1beta1');

const createDataset = async () => {
  const auth = await google.auth.getClient({
    scopes: ['https://www.googleapis.com/auth/cloud-platform'],
  });
  google.options({auth});

  // TODO(developer): uncomment these lines before running the sample
  // const cloudRegion = 'us-central1';
  // const projectId = 'adjective-noun-123';
  // const datasetId = 'my-dataset';
  const parent = `projects/${projectId}/locations/${cloudRegion}`;
  const request = {parent, datasetId};

  await healthcare.projects.locations.datasets.create(request);
  console.log(`Created dataset: ${datasetId}`);
};

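// Report authentication or API errors instead of leaving the rejection unhandled.
createDataset().catch(console.error);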
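
Because ADC picks credentials implicitly, it helps to confirm which identity a process will use before it calls the API. The following Python sketch is an added example, not code from the original page or from Google's client libraries: it applies only the two-step order listed above, reports the service account a key file belongs to without returning the private key, and warns when the file is accessible to other local users. The names resolve_adc_source, on_google_runtime, and demo are hypothetical, and the key file it reads is constructed with fake values.

```python
import json
import os
import stat
import tempfile

def resolve_adc_source(environ, on_google_runtime=False):
    """Apply the page's two-step ADC order; never returns the private key.

    on_google_runtime is supplied by the caller (an assumption of this sketch):
    True when running on Compute Engine, GKE, or App Engine."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        # Step 1: the variable is set, so ADC uses the file it points to.
        try:
            with open(path, encoding="utf-8") as fh:
                key = json.load(fh)
        except (OSError, ValueError) as exc:
            raise RuntimeError(f"cannot read key file {path}: {exc}") from exc
        if not isinstance(key, dict) or key.get("type") != "service_account":
            raise RuntimeError(f"{path} is not a service account key file")
        warnings = []
        if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            warnings.append("key file is accessible to group or other users")
        return {"source": "key_file", "path": path,
                "client_email": key.get("client_email"),
                "private_key_id": key.get("private_key_id"),
                "warnings": warnings}
    if on_google_runtime:
        # Step 2: fall back to the platform's default service account.
        return {"source": "default_service_account", "warnings": []}
    # Neither source is available, which is where ADC reports an error.
    raise RuntimeError("no credentials: set GOOGLE_APPLICATION_CREDENTIALS "
                       "or run on Compute Engine, GKE, or App Engine")

def demo(mode=0o644):
    """Run the check on a constructed key file; every value below is fake."""
    fake = {"type": "service_account", "private_key_id": "0000example",
            "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
            "private_key": "CONSTRUCTED-NOT-A-KEY"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "service-account.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(fake, fh)
        os.chmod(path, mode)
        return resolve_adc_source({"GOOGLE_APPLICATION_CREDENTIALS": path})

if __name__ == "__main__":
    print(demo())
```

To check a real process, call resolve_adc_source(os.environ) at startup and log the returned client_email and private_key_id.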

Obtaining and providing service account credentials manually

You can create and obtain service account credentials manually, and then pass the credentials to your application in its code.

After creating a service account, you can explicitly point to your service account file in code, as shown in the following code samples:

Python

Uses the Python client library.

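# Imports required by this sample: google-auth and google-api-python-client.
from google.oauth2 import service_account
from googleapiclient import discovery

def get_client(service_account_json):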
    """Returns an authorized API client by discovering the Healthcare API and
    creating a service object using the service account credentials JSON."""
    api_scopes = ['https://www.googleapis.com/auth/cloud-platform']
    api_version = 'v1beta1'
    discovery_api = 'https://healthcare.googleapis.com/$discovery/rest'
    service_name = 'healthcare'

    credentials = service_account.Credentials.from_service_account_file(
        service_account_json)
    scoped_credentials = credentials.with_scopes(api_scopes)

    discovery_url = '{}?labels=CHC_BETA&version={}'.format(
        discovery_api, api_version)

    return discovery.build(
        service_name,
        api_version,
        discoveryServiceUrl=discovery_url,
        credentials=scoped_credentials)
