# Setting up the Policy API
=========================

This page explains how to set up the Cloud Identity Policy API before [listing and getting policies](/identity/docs/how-to/list-get-policies).

Install the Python client library
---------------------------------

To install the Python client library, run the following command:

    pip install --upgrade google-api-python-client google-auth \
        google-auth-oauthlib google-auth-httplib2

For more on setting up your Python development environment, refer to the
[Python Development Environment Setup Guide](/python/docs/setup).

Enable the API and set up service account credentials
-----------------------------------------------------

- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- Enable the Cloud Identity API.

  [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudidentity.googleapis.com)
- Create a service account:

  1. In the Google Cloud console, go to the **Create service account** page.

     [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)
  2. Select your project.
  3. In the **Service account name** field, enter a name. The Google Cloud console fills in the **Service account ID** field based on this name.

     In the **Service account description** field, enter a description. For example, `Service account for quickstart`.
  4. Click **Create and continue**.
  5. Grant the **Project > Owner** role to the service account.

     To grant the role, find the **Select a role** list, then select **Project > Owner**.

     | **Note**: The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles. Instead, grant a [predefined role](/iam/docs/understanding-roles#predefined_roles) or [custom role](/iam/docs/understanding-custom-roles) that meets your needs.
  6. Click **Continue**.
  7. Click **Done** to finish creating the service account.

     Do not close your browser window. You will use it in the next step.
- Create a service account key:

  1. In the Google Cloud console, click the email address for the service account that you created.
  2. Click **Keys**.
  3. Click **Add key**, and then click **Create new key**.
  4. Click **Create**. A JSON key file is downloaded to your computer.
  5. Click **Close**.

Authenticate as a service account with domain-wide delegation
-------------------------------------------------------------

If you're an administrator managing identity policies, or if you want to provide an account with domain-wide privileges so that it can manage Google policies on behalf of administrators, you should authenticate as a [service account](/iam/docs/service-accounts) and then grant domain-wide privileges to the service account.

| **Note:** Because domain-wide delegation lets the service account impersonate an administrator user, service account actions are logged as having been done by the user.

For details about setting up domain-wide delegation, see [Control API access with domain-wide delegation](https://support.google.com/a/answer/162106).

To authenticate as a service account, refer to [Using OAuth 2.0 for server to server applications](https://developers.google.com/identity/protocols/oauth2/service-account). When initializing the credential in your code, specify the email address on which the service account acts by calling `with_subject()` on the credential. For example:

### Python

    from google.oauth2 import service_account

    # SERVICE_ACCOUNT_FILE: path to the downloaded JSON key; SCOPES: list of
    # OAuth scopes the calls need; ADMIN_EMAIL: the administrator to act as.
    credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(ADMIN_EMAIL)

Detailed sample code to call the Policy API, including the code for authentication, is provided in [Listing and getting policies](/identity/docs/how-to/list-get-policies).

Last updated 2025-09-04 (UTC).
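The snippet above shows only the `with_subject()` call. The following is an added example, not code from this page or from Google's client libraries, that wraps the same `google-auth` calls in the checks a practitioner would want before handing a long-lived JSON key a domain-wide identity: it refuses a key file that is readable by other users, verifies the file is actually a service-account key, and confirms the delegated subject belongs to the expected Workspace domain. The scope string, the `example.com` domain, the `sa-key.json` path and the `policies().list()` call are assumptions; confirm the scope and the method against the Policy API reference and the "Listing and getting policies" page.

```python
import json
import os
import stat

# ASSUMPTION: read-only scope for the Policy API, taken from memory of the
# API reference; confirm it, and never request a broader scope than the
# calls you make actually need.
POLICY_READONLY_SCOPE = "https://www.googleapis.com/auth/cloud-identity.policies.readonly"

REQUIRED_KEY_FIELDS = ("client_email", "private_key", "token_uri")


def permission_findings(mode):
    """Findings about a key file's permission bits (empty list = acceptable).

    A downloaded JSON key is a long-lived credential; only the account that
    runs this code should be able to read or change it.
    """
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("key file is readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("key file is writable by group or others")
    return findings


def key_findings(key):
    """Findings about a parsed key file (empty list = looks like an SA key)."""
    findings = []
    if key.get("type") != "service_account":
        findings.append("type is %r, expected 'service_account'" % key.get("type"))
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    pem = key.get("private_key") or ""
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM private key")
    return findings


def subject_findings(subject, allowed_domain):
    """The delegated subject must be an address in the Workspace domain.

    With domain-wide delegation the API logs each call as done by this user,
    so it should be a dedicated admin identity, not a personal account.
    """
    local, sep, domain = subject.rpartition("@")
    if not sep or not local or domain.lower() != allowed_domain.lower():
        return ["subject %r is not an address in %s" % (subject, allowed_domain)]
    return []


def load_delegated_credentials(key_path, admin_email, allowed_domain,
                               scopes=(POLICY_READONLY_SCOPE,)):
    """Check the key file and subject, then return credentials acting as admin_email."""
    from google.oauth2 import service_account  # provided by google-auth

    problems = permission_findings(os.stat(key_path).st_mode)
    with open(key_path) as fh:
        key = json.load(fh)
    problems += key_findings(key) + subject_findings(admin_email, allowed_domain)
    if problems:
        raise ValueError("refusing to use key: " + "; ".join(problems))
    creds = service_account.Credentials.from_service_account_info(
        key, scopes=list(scopes))
    return creds.with_subject(admin_email)


def build_policy_client(creds):
    """Cloud Identity API client bound to the delegated credentials."""
    from googleapiclient.discovery import build  # provided by google-api-python-client
    return build("cloudidentity", "v1", credentials=creds)


if __name__ == "__main__":
    # Constructed sample, not a real key: exercises the offline checks.
    sample_key = {"type": "service_account", "token_uri": "https://oauth2.googleapis.com/token",
                  "client_email": "policy-reader@my-project.iam.gserviceaccount.com",
                  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n"}
    print("key findings:", key_findings(sample_key))
    print("mode findings:", permission_findings(0o644))
    # Real flow; ASSUMPTION: path, admin address and domain are placeholders.
    creds = load_delegated_credentials("sa-key.json", "policy-admin@example.com", "example.com")
    client = build_policy_client(creds)
    # ASSUMPTION: policies().list() as used on the "Listing and getting policies" page.
    print(client.policies().list().execute())
```

The library imports sit inside the two functions that need them so the checks can be unit-tested without `google-auth` installed; in production the `ValueError` raised for a world-readable or malformed key is the point: the process should fail closed rather than silently use an exposed credential.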