Authenticate to Security Command Center

This document describes how to authenticate to Security Command Center programmatically.

For information about authenticating to the Web Security Scanner, see Authenticate to Web Security Scanner.

For more information about Google Cloud authentication, see the authentication overview.

API access

Security Command Center supports programmatic access. How you authenticate to Security Command Center depends on how you access the API. You can access the API in the following ways:

Google Cloud CLI

When you use the gcloud CLI to access Security Command Center, you log in to the gcloud CLI with a Google Account, which provides the credentials used by the gcloud CLI commands.

If your organization's security policies prevent user accounts from having the required permissions, you can use service account impersonation.

For more information, see Authenticate for using the gcloud CLI. For more information about using the gcloud CLI with Security Command Center, see the gcloud CLI reference pages.

REST

You can authenticate to the Security Command Center API by using your gcloud CLI credentials or by using Application Default Credentials. For more information about authentication for REST requests, see Authenticate for using REST. For information about the types of credentials, see gcloud CLI credentials and ADC credentials.

User credentials and ADC for Security Command Center

One way to provide credentials to ADC is to use the gcloud CLI to insert your user credentials into a credential file. This file is placed on your local file system where ADC can find it; ADC then uses the provided user credentials to authenticate requests. This method is often used for local development.

If you use this method, you might encounter an authentication error when you try to authenticate to Security Command Center. For more information about this error and how to address it, see User credentials not working.

Set up authentication for Security Command Center

How you set up authentication depends on the environment where your code is running.

The following options for setting up authentication are the most commonly used. For more options and information about authentication, see Authentication at Google.

For a local development environment

You can set up credentials for a local development environment in the following ways:

Client libraries or third-party tools

Set up Application Default Credentials (ADC) in your local environment:

  1. Install the Google Cloud CLI, then initialize it by running the following command:

    gcloud init
  2. Create local authentication credentials for your Google Account:

    gcloud auth application-default login

    A login screen is displayed. After you log in, your credentials are stored in the local credential file used by ADC.

For more information about working with ADC in a local environment, see Local development environment.

REST requests from the command line

When you make a REST request from the command line, you can use your gcloud CLI credentials by including gcloud auth print-access-token as part of the command that sends the request.

The following example lists service accounts for the specified project. You can use the same pattern for any REST request.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID.

To send your request, expand one of these options: