This page explains how to set up the Cloud Identity Devices API.
Enabling the API and setting up credentials
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the Cloud Identity API.
Create a service account:
In the Cloud Console, go to the Create service account page.Go to Create service account
- Select a project.
In the Service account name field, enter a name. The Cloud Console fills in the Service account ID field based on this name.
In the Service account description field, enter a description. For example,
Service account for quickstart.
- Click Create.
Click the Select a role field.
Under Quick access, click Basic, then click Owner.
- Click Continue.
Click Done to finish creating the service account.
Do not close your browser window. You will use it in the next step.
Create a service account key:
- In the Cloud Console, click the email address for the service account that you created.
- Click Keys.
- Click Add key, then click Create new key.
- Click Create. A JSON key file is downloaded to your computer.
- Click Close.
Authenticating as a service account with domain-wide delegation
If you're an administrator managing identity groups, or if you want to provide an account with domain-wide privileges so it can manage Google Groups on behalf of admins, you should authenticate as a service account and then grant it the domain-wide privileges.
Follow the steps below to authenticate the service account and set up domain-wide delegation.
Authenticate as a service account; refer to Using OAuth 2.0 for server to server applications. Then follow the steps below to
Go to the Service Accounts page in the Cloud Console.
Click Select a project, choose a project, and click Open.
Select your service account, and then click Edit.
Click Show Domain-wide Delegation.
Select Enable Google Workspace Domain-wide Delegation.
Next, when initializing the credential in your code, specify the email address
on which the service account acts by calling
with_subject() on the credential.
credentials = service_account.Credentials.from_service_account_file( SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(delegated_email)
Instantiating a client
The following example shows how to instantiate a client using service account
credentials. To authenticate as an end-user instead, replace the
object from the service account with the
obtained earlier in
Using OAuth 2.0 for web server applications.
from google.oauth2 import service_account import googleapiclient.discovery SCOPES = ['https://www.googleapis.com/auth/cloud-identity.devices'] SERVICE_ACCOUNT_FILE = '/path/to/service-account-file.json' def create_service(): credentials = service_account.Credentials.from_service_account_file( SERVICE_ACCOUNT_FILE, scopes=SCOPES) delegated_credentials = credentials.with_subject('firstname.lastname@example.org') service_name = 'cloudidentity' api_version = 'v1' service = googleapiclient.discovery.build( service_name, api_version, credentials=credentials) return service
You can now begin making calls to the Devices API.
Installing the Python client library
To install the Python client library, run the following command:
pip install --upgrade google-api-python-client google-auth \ google-auth-oauthlib google-auth-httplib2
For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.