Authentication

This page includes authentication information for Security Command Center, Event Threat Detection, and Web Security Scanner.

Security Command Center authentication

This section describes how to authenticate to Security Command Center.

Supported authentication methods

Security Command Center supports the following authentication methods.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application. For an example of how to set up authentication with a service account, see Accessing Security Command Center programmatically.

For more information about setting up authentication with a production application, see Setting up authentication for server to server production applications.

User accounts

You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user. For most use cases, we recommend using a service account instead.

User accounts are necessary for access to Security Command Center if your application uses end-user authentication. In that scenario, you need to specify OAuth scopes when making a method call. For per-method OAuth scopes, see Security Command Center reference.

For more information about setting up authentication with user accounts, see Authenticating as an end user.

Bearer tokens

If you call the Security Command Center API directly, such as by making an HTTP request with cURL, you pass your authentication as a bearer token in an Authorization header. To get a bearer token using your service account, do the following:

1. Install the Google Cloud CLI.

2. Authenticate to your service account.

   gcloud auth activate-service-account --key-file KEY_FILE
   

   Replace KEY_FILE with the path to your service account key file.

3. Get an authorization token using your service account:

   gcloud auth print-access-token
   

   The command returns an access token value.

4. When you call the API, pass the token value as a bearer token in an Authorization header:

   curl -s -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer ACCESS_TOKEN' \
     -H 'X-Goog-User-Project: X_GOOG_USER_PROJECT' \
     'https://securitycenter.googleapis.com/PATH'
   

   Replace the following:

   • ACCESS_TOKEN: your access token.
   • X_GOOG_USER_PROJECT: the ID of the project to bill for charges related to the API call. This project can be different from the resource that you want to access.
   • PATH: the portion of the HTTP request URL that points to the API version that you want to use, the REST resource that you want to access, and the method that you want to use—for example,v1/projects/example-project/sources/example-source-id/findings. To view the accepted format, see the path parameters on the API reference page for the method that you want to use.

   The following example lists all findings across all sources in an organization using the organizations.sources.findings.list method:

   curl -s -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer ACCESS_TOKEN' \
     -H 'X-Goog-User-Project: PROJECT_ID' \
     'https://securitycenter.googleapis.com/v1/organizations/ORGANIZATION_ID/sources/-/findings'
   

   The following example lists all findings across all sources in a project using the projects.sources.findings.list method:

   curl -s -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer ACCESS_TOKEN' \
     -H 'X-Goog-User-Project: PROJECT_ID' \
     'https://securitycenter.googleapis.com/v1/projects/PROJECT_ID/sources/-/findings'
   

   Event Threat Detection authentication

This section describes how to authenticate to Event Threat Detection.

Supported authentication methods

Event Threat Detection supports the following authentication methods.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.

For more information about setting up authentication with a production application, see setting up authentication for server to server production applications.

User accounts

You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user. For most use cases, we recommend using a service account instead.

Examples of why to use user accounts with Event Threat Detection include:

If your application uses end-user authentication, you need to specify OAuth scopes when making a method call. See Security Command Center reference for per-method OAuth scopes.

For more information about setting up authentication with user accounts, see authenticating as an end user.

Web Security Scanner authentication

This section describes authentication information to call Web Security Scanner APIs.

Supported authentication methods

The Web Security Scanner API supports the following authentication methods. To make calls against the API, use the techniques described below.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.

To use a service account to authenticate to the Web Security Scanner, follow the instructions to create a service account. Select JSON as your key type.

After you create a service account, your service account key is downloaded to your browser's default downloads location.

Bearer tokens

If you call the Web Security Scanner API directly, such as by making an HTTP request with cURL, you pass your authentication as a bearer token in an Authorization header. To get a bearer token using your service account, do the following:

1. Install the Google Cloud CLI.

2. Authenticate to your service account.

   gcloud auth activate-service-account --key-file KEY-FILE
   

   Replace KEY_FILE with the path to your service account key file.

3. Get an authorization token using your service account:

   gcloud auth print-access-token
   

   The command returns an access token value.

4. When you call the API, pass the token value as a bearer token in an Authorization header:

   curl -s -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer ACCESS_TOKEN' \
     'https://websecurityscanner.googleapis.com/v1/projects/PROJECT_ID/scanConfigs' \
   

   Replace the following:

   • ACCESS_TOKEN with your access token.
   • PROJECT_ID with the API version you're targeting.

Access control

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

When building a production application, only grant an identity the permissions it needs to interact with applicable Google Cloud APIs, features, or resources.

What's next

• To learn more about Google Cloud authentication, see the authentication guide.