Set up the Policy API
This page describes how to set up the Cloud Identity Policy API before you list and get policies.
Install the Python client library
To install the Python client library, run the following command:
pip install --upgrade google-api-python-client google-auth \
google-auth-oauthlib google-auth-httplib2
For more information about setting up a Python development environment, see the Python development environment setup guide.
Enable the API and set up service account credentials
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Cloud Identity API.
- Create a service account:
  - In the Google Cloud console, go to the Create service account page.
  - Select your project.
  - In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.
    In the Service account description field, enter a description. For example, "Service account for quickstart".
  - Click Create and continue.
  - Grant the Project > Owner role to the service account.
    To grant the role, find the Select a role list, then select Project > Owner.
  - Click Continue.
  - Click Done to finish creating the service account.
    Do not close your browser window. You will use it in the next step.
- Create a service account key:
  - In the Google Cloud console, click the email address for the service account that you created.
  - Click Keys.
  - Click Add key, and then click Create new key.
  - Click Create. A JSON key file is downloaded to your computer.
  - Click Close.
Authenticate as a service account with domain-wide delegation
If you are an administrator who manages identity policies, or you want to give an account domain-wide authority so that it can manage Google policies on an administrator's behalf, authenticate as a service account and then grant that service account domain-wide authority.
For more information about setting up domain-wide delegation, see Control API access with domain-wide delegation.
To authenticate as a service account, see Using OAuth 2.0 for Server to Server Applications. When you initialize the credentials in your code, call with_subject() on the credentials to specify the email address that the service account should act on behalf of. For example:
Python
from google.oauth2 import service_account
# SERVICE_ACCOUNT_FILE: path to the downloaded JSON key; SCOPES: OAuth scopes to request; ADMIN_EMAIL: the administrator to act on behalf of
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(ADMIN_EMAIL)
List and get policies provides detailed sample code for calling the Policy API, including the code used for authentication.
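As an added example (not code from this page or from Google's libraries), the following Python builds the delegated credentials the same way as the snippet above, but first checks the downloaded key file and refuses to impersonate a subject outside the domain you administer before constructing the Cloud Identity client. The `cloud-identity.policies.readonly` scope, the helper names and the list of required key-file fields are assumptions.

```python
"""Build domain-wide-delegated credentials for the Cloud Identity Policy API.

Validates the service-account key file and the subject e-mail before
impersonating an administrator, then constructs the API client.
"""
import json
from pathlib import Path

# Least-privilege scope for listing/getting policies (assumed); request the
# read-write policies scope only if you need to change policies.
SCOPES = ["https://www.googleapis.com/auth/cloud-identity.policies.readonly"]

# Fields a downloaded service-account JSON key file is expected to carry (assumed list).
REQUIRED_KEY_FIELDS = ("type", "project_id", "client_email", "private_key", "token_uri")


def validate_key_info(info: dict) -> list[str]:
    """Return the problems found in a parsed key file; an empty list means it looks usable."""
    problems = []
    for field in REQUIRED_KEY_FIELDS:
        if not info.get(field):
            problems.append(f"missing field: {field}")
    if info.get("type") and info["type"] != "service_account":
        problems.append(f"unexpected key type: {info['type']}")
    private_key = info.get("private_key", "")
    if private_key and "BEGIN PRIVATE KEY" not in private_key:
        problems.append("private_key is not a PEM private key")
    return problems


def check_subject(admin_email: str, allowed_domain: str) -> bool:
    """Only impersonate a subject inside the domain this service account is delegated for."""
    local, sep, domain = admin_email.rpartition("@")
    return bool(sep and local) and domain.lower() == allowed_domain.lower()


def build_policy_client(key_path: str, admin_email: str, allowed_domain: str):
    """Return a cloudidentity v1 client acting as admin_email via domain-wide delegation."""
    from google.oauth2 import service_account      # imported lazily so the
    from googleapiclient.discovery import build    # checks above run stand-alone

    info = json.loads(Path(key_path).read_text())
    problems = validate_key_info(info)
    if problems:
        raise ValueError("bad key file: " + "; ".join(problems))
    if not check_subject(admin_email, allowed_domain):
        raise ValueError(f"refusing to impersonate {admin_email}")
    credentials = service_account.Credentials.from_service_account_info(
        info, scopes=SCOPES).with_subject(admin_email)
    return build("cloudidentity", "v1", credentials=credentials)
```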