Setting Up the API

This page explains how to set up the Cloud Identity Groups API.

Enabling the API

Before you start using the Cloud Identity Groups API, you must enable it through the Google Cloud Console.

  1. Go to the API library in the Cloud Identity Groups API.

    Go to the API Library

  2. Click Enable.

  3. Wait for the API to be enabled.

Authenticating with the Cloud Identity Groups API

You can authenticate with the Cloud Identity Groups API as either an end user or as a service account:

  • If you're using the Cloud Identity Groups API to manage Google Groups you own, and your not an admin, you should authenticate as an end user. To authenticate as an end user, refer to Authenticating as an end user.

  • If you're using the Cloud Identity Groups API to manage identity groups, or if you want to provide an account with domain-wide privileges so it can manage Google Groups, you should authenticate as a service account. To authenticate as a service account, refer to Authenticating as a service account.

Authenticating as an end user

The following three steps show you how to authenticate as an end user.

Creating your client credentials

To create your client credentials, use Google Cloud Console as follows:

  1. Go to the OAuth consent screen page in Cloud Console.

  2. On the Credentials page, click Create credentials and select OAuth client ID.

  3. Select Other and click Create. The success dialog appears.

  4. Click OK.

  5. Click Download JSON to download the credentials for the client ID.

    Download JSON button

  6. Save the credentials file to client_secrets.json.

Obtaining an OAuth token

Obtain an OAuth access token before you can instruct your application to call the Cloud Identity Groups API on your behalf:

TOKEN = "token.dat"
SCOPES = ["https://www.googleapis.com/auth/cloud-identity.groups"]

def obtain_token:
  """Obtains and stores an OAuth access token."""

  store = file.Storage(TOKEN)
  flow = client.flow_from_clientsecrets("client_secrets.json", scope=SCOPES)
  credentials = tools.run_flow(flow, store)

Loading credentials from the OAuth token

After you have stored the OAuth access token, load credentials from the token in your application:

TOKEN = "token.dat"

def get_credentials_from_token:
  """Loads credentials from an OAuth access token."""

  store = file.Storage(TOKEN)
  return store.get()

Now that you have the credentials, you can create an instance of the service for making API calls. For an example of creating the service with your new end user credentials, refer to Creating an instance of the service

Authenticating as a service account

The following steps show you how to authenticate as a service account:

Creating a service account

Cloud Console

  1. In the Cloud Console, go to the Create service account key page.

    Go to the Create Service Account Key page
  2. From the Service account list, select New service account.
  3. In the Service account name field, enter a name.
  4. From the Role list, select Project > Owner.

    Note: The Role field authorizes your service account to access resources. You can view and change this field later by using the Cloud Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
  5. Click Create. A JSON file that contains your key downloads to your computer.

Command line

You can run the following commands using the Cloud SDK on your local machine, or in Cloud Shell.

  1. Create the service account. Replace [NAME] with a name for the service account.

    gcloud iam service-accounts create [NAME]
  2. Grant permissions to the service account. Replace [PROJECT_ID] with your project ID.

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/owner"
    Note: The Role field authorizes your service account to access resources. You can view and change this field later by using Cloud Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
  3. Generate the key file. Replace [FILE_NAME] with a name for the key file.

    gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com

If you wish to use this service account to manage Google Groups, you must grant it G Suite domain-wide delegation privileges:

  1. In the Cloud Platform Console, select IAM & admin > Service accounts in the left panel.
  2. Select the previously created service account.
  3. Click Edit.
  4. Click Show Domain-wide Delegation.
  5. Check Enable G Suite Domain-wide Delegation.
  6. Click Save.

Load credentials from the service account file

After you setup your service account and have granted it the appropriate permissions, you can load credentials from the saved service account file in your application:

SERVICE_ACCOUNT = "service_account.json"
SCOPES = ["https://www.googleapis.com/auth/cloud-identity.groups"]

def get_credentials_from_service_account_file():
  """Loads credentials from a service account file."""

  return service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_CREDENTIALS, scopes=SCOPES)

If you're using this service account to manage Google Groups, you need to specify the email address of the account on which the service account acts:

      def get_delegated_credentials_from_service_account_file(delegated_email):
        """Loads credentials from a service account file for a delegated email."""

      return get_credentials_from_service_account_file().with_subject(delegated_email)

Now that you have the credentials, you can create an instance of the service for making API calls. For an example of creating the service with your new end user credentials, refer to Creating an instance of the service

Instantiate the service

Before you can make calls to the Cloud Identity Groups API, you need to create an instance of the service that you can call. The following Python example shows how to instantiate the service using the end user or service account credentials:

def build_cloud_identity_service():
  # Get the end user or service account credentials.
  credentials = get_credentials()

  service_name = "cloudidentity.googleapis.com"
  api_version = "v1"
  discovery_url = (
    "https://%s/$discovery/rest?version=%s" % (service_name, api_version))
    store = file.Storage("credentials.json")
    service = build(
      service_name,
      api_version,
      discoveryServiceUrl=discovery_url,
      http=credentials.authorize(Http()))
    return service

  # Get the credentials by calling either get_credentials_from_token(), get_credentials_from_service_account_file(), or get_delegated_credentials_from_service_account_file().
  def get_credentials():
    ...
    return credentials

You can now begin making calls to the Cloud Identity Groups API.

Access audit logs

To access audit logs for the Cloud Identity Groups API, refer to Log events.

Next steps

After you have an instance of the service, you can manage groups and then manage memberships.