Authentication

This page includes authentication information for Security Command Center, Event Threat Detection, and Web Security Scanner.

Security Command Center authentication

This section describes authentication information for Security Command Center.

Supported authentication methods

Security Command Center supports the following authentication methods.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application. For an example of how to set up authentication with a service account, see Accessing Security Command Center programmatically.

For more information about setting up authentication with a production application, see Setting up authentication for server to server production applications.

User accounts

You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user. For most use cases, we recommend using a service account instead.

Examples of why to use user accounts with Security Command Center include:

  • If your application uses end user authentication, you need to specify OAuth scopes when making a method call. For per-method OAuth scopes, see Security Command Center reference.

For more information about setting up authentication with user accounts, see Authenticating as an end user.

Event Threat Detection authentication

This section describes authentication information for Event Threat Detection.

Supported authentication methods

Event Threat Detection supports the following authentication methods.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.

For more information about setting up authentication with a production application, see Setting up authentication for server to server production applications.

User accounts

You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user. For most use cases, we recommend using a service account instead.

Examples of why to use user accounts with Event Threat Detection include:

  • If your application uses end user authentication, you need to specify OAuth scopes when making a method call. For per-method OAuth scopes, see Event Threat Detection reference.

For more information about setting up authentication with user accounts, see Authenticating as an end user.

Web Security Scanner authentication

This section describes authentication information for calling Web Security Scanner APIs.

Supported authentication methods

The Web Security Scanner API supports the following authentication methods. To make calls against the API, use the techniques described below.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.

To use a service account to authenticate to the Web Security Scanner, follow the instructions to create a service account. Select JSON as your key type.

After you create a service account, your service account key is downloaded to your browser's default downloads location.

Bearer tokens

If you call the Web Security Scanner API directly, such as by making an HTTP request with cURL, you'll pass your authentication as a bearer token in an Authorization header. To get a bearer token using your service account, follow the steps below:

  1. Install the gcloud command line tool.
  2. Authenticate to your service account, where key-file is the path to your service account key file:

    gcloud auth activate-service-account --key-file key-file
    
  3. Get an authorization token using your service account:

    gcloud auth print-access-token
    

    The command returns an access token value.

  4. When you call the API, pass the token value as a bearer token in an Authorization header:

    curl -s -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer access-token' \
      'https://websecurityscanner.googleapis.com/v1/projects/project-id/scanConfigs'
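
The steps above as one script, written as an added example rather than Google's own code: it checks that the downloaded key file is a service account key that other local users cannot read, and hands the token to cURL on standard input instead of on the command line. The function names, the script name and the permission policy are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: steps 2-4 above, with key-file and token hygiene checks.
# Function names are this example's own, not part of gcloud or the API.

API='https://websecurityscanner.googleapis.com/v1'

# Refuse a key file that is missing, readable by group or others, or not a
# service account key (the JSON key file contains "type": "service_account").
check_key_file() {
  local key="$1" mode
  [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
  mode=$(ls -ld -- "$key" | cut -c5-10)   # group and other permission bits
  [ "$mode" = "------" ] ||
    { echo "key file is accessible to other users; chmod 600 it" >&2; return 1; }
  grep -q '"type": *"service_account"' "$key" ||
    { echo "not a service account key file" >&2; return 1; }
}

# Print a curl config line carrying the bearer token. Feeding it to
# `curl -K -` keeps the token off the command line, so it does not show up
# in the process list. Anything outside the bearer-token alphabet is rejected.
curl_auth_config() {
  case "$1" in
    ''|*[!A-Za-z0-9._~+/=-]*) echo "malformed access token" >&2; return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Steps 2-4: activate the service account, get a token, list scan configs.
list_scan_configs() {
  local project="$1" key="$2" token cfg
  check_key_file "$key" || return 1
  gcloud auth activate-service-account --key-file "$key" || return 1
  token=$(gcloud auth print-access-token) || return 1
  cfg=$(curl_auth_config "$token") || return 1
  printf '%s\n' "$cfg" |
    curl -s -K - -H 'Content-Type: application/json' \
      "$API/projects/$project/scanConfigs"
}

# Usage: ./list_scan_configs.sh project-id /path/to/key.json
if [ $# -eq 2 ]; then
  list_scan_configs "$1" "$2"
fi
```

Moving the key out of the browser's downloads location and running `chmod 600` on it satisfies the first check.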
    

Access control

Roles limit an authenticated identity's ability to access resources. When building a production application, only grant an identity the permissions it needs in order to interact with applicable Google Cloud APIs, features, or resources.

For more information about these roles, see Access control.

What's next