Setting up the Devices API

This page explains how to set up the Cloud Identity Devices API.

Enabling the API and setting up credentials

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Cloud Identity API.

    Enable the API

  5. Create a service account:

    1. In the Cloud Console, go to the Create service account page.

      Go to Create service account
    2. Select a project.
    3. In the Service account name field, enter a name. The Cloud Console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    4. Click Create.
    5. Click the Select a role field.

      Under Quick access, click Basic, then click Owner.

    6. Click Continue.
    7. Click Done to finish creating the service account.

      Do not close your browser window. You will use it in the next step.

  6. Create a service account key:

    1. In the Cloud Console, click the email address for the service account that you created.
    2. Click Keys.
    3. Click Add key, then click Create new key.
    4. Click Create. A JSON key file is downloaded to your computer.
    5. Click Close.

Authenticating as a service account with domain-wide delegation

If you're an administrator managing identity groups, or if you want to provide an account with domain-wide privileges so it can manage Google Groups on behalf of admins, you should authenticate as a service account and then grant it the domain-wide privileges.

Follow the steps below to authenticate the service account and set up domain-wide delegation.

  1. Authenticate as a service account; refer to Using OAuth 2.0 for server to server applications. Then follow the steps below to

  2. Go to the Service Accounts page in the Cloud Console.

    Go to the Service Accounts page

  3. Click Select a project, choose a project, and click Open.

  4. Select your service account, and then click Edit.

  5. Click Show Domain-wide Delegation.

  6. Select Enable Google Workspace Domain-wide Delegation.

  7. Click Save.

Next, when initializing the credential in your code, specify the email address on which the service account acts by calling with_subject() on the credential. For example:


credentials = service_account.Credentials.from_service_account_file(
  SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(delegated_email)

Instantiating a client

The following example shows how to instantiate a client using service account credentials. To authenticate as an end-user instead, replace the credential object from the service account with the credential you obtained earlier in Using OAuth 2.0 for web server applications.


from google.oauth2 import service_account
import googleapiclient.discovery

SCOPES = ['']
SERVICE_ACCOUNT_FILE = '/path/to/service-account-file.json'

def create_service():
  credentials = service_account.Credentials.from_service_account_file(
  delegated_credentials = credentials.with_subject('')

  service_name = 'cloudidentity'
  api_version = 'v1'
  service =

  return service

You can now begin making calls to the Devices API.

Installing the Python client library

To install the Python client library, run the following command:

  pip install --upgrade google-api-python-client google-auth \
    google-auth-oauthlib google-auth-httplib2

For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.