Cloud Security Scanner API Authentication

This page describes authentication information for calling Cloud Security Scanner APIs.

Supported authentication methods

The Cloud Security Scanner API supports the following authentication methods. To make calls against the API, use the techniques described below.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.

To use a service account to authenticate to the Cloud Security Scanner, follow the instructions to create a service account. Select JSON as your key type.

After you create a service account, your service account key is downloaded to your browser's default downloads location.

Bearer tokens

If you call the Cloud Security Scanner API directly, such as by making an HTTP request with cURL, you'll pass your authentication as a bearer token in an Authorization header. To get a bearer token using your service account, follow the steps below:

  1. Install the gcloud command line tool.
  2. Authenticate to your service account, replacing KEY_FILE below with the path to your service account key file:

    gcloud auth activate-service-account --key-file KEY_FILE
  3. Get an authorization token using your service account:

    gcloud auth print-access-token

    The command returns an access token value.

  4. When you call the API, pass the token value as a bearer token in an Authorization header:

    curl -s -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer ACCESS_TOKEN' \
      '' \
      -d @request.json

Access control

Roles limit an authenticated identity's ability to access resources. When you build a production application, only grant an identity the permissions it needs to interact with applicable Google Cloud Platform (GCP) APIs, features or resources.

For more information about these roles, see Cloud Security Scanner access control.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Security Scanner Documentation