Accessing Security Command Center using an SDK

Stay organized with collections Save and categorize content based on your preferences.

Create a service account and set it up for use with Security Command Center client libraries.

Before you begin

To complete this guide, you need the following:

  • The Service Account Admin IAM role. For more information about Security Command Center IAM roles, see Access control.
  • An existing directory path in which a service account private key can be stored. This path is in the context of your Cloud Shell environment, like /home/myuser/mykeys/.

Accessing Security Command Center

To access Security Command Center programmatically, use Cloud Shell to get the client library and authenticate a service account.

Setting up environment variables

  1. Go to the Google Cloud console.
    Go to the Google Cloud console
  2. Click Activate Cloud Shell.
  3. Set environment variables by running:

    1. Set your organization name:

    2. Set the project ID:

    3. Set the custom ID you want to use for a new service account, like scc-sa. The service account name must be between 6 and 30 characters, must begin with a letter, and must be all lowercase alphanumeric characters and hyphens:

    4. Set the path in which the service account key should be stored, like export KEY_LOCATION=/home/$USER/mykeys/$SERVICE_ACCOUNT.json:

      # This is used by client libraries to find the key

Setting up a service account

To access Security Command Center programmatically, you need a private key from a service account to be used by the client. The service account must have the organization level role securitycenter.admin.

  1. Create a service account that's associated with your project ID:

    gcloud iam service-accounts create $SERVICE_ACCOUNT  --display-name \
     "Service Account for [USER]"  --project $PROJECT_ID
  2. Create a key to associate with the service account. The key is used for the life of the service and persistently stored at the [KEY_LOCATION] you specify.

    gcloud iam service-accounts keys create $KEY_LOCATION  --iam-account \
  3. Grant the service account the securitycenter.admin role for the organization.

    gcloud organizations add-iam-policy-binding $ORG_ID \
      --member="serviceAccount:$SERVICE_ACCOUNT@$" \

Installing client libraries for Security Command Center


To include the Security Command Center Python library as a dependency in your project, follow the process below:

  1. Optional: Before you install the Python library, we recommend using Virtualenv to create an isolated Python environment.

    virtualenv onboarding_example
    source onboarding_example/bin/activate
  2. Install pip to manage the Python library installation.

  3. Run the following commands to install the Python library:

    pip install google-cloud-securitycenter


To include the Security Command Center Java library as a dependency in your project, select an artifact from the Maven repository.


To download the Go library, run:

go get


To install the Node.js library, run:

npm install --save @google-cloud/security-center

What's next

Using the SDK

Review the guides for all the features that Security Command Center supports:

SDK References

See the complete SDK references: