This page describes authentication information for calling Cloud Security Scanner APIs.
Supported authentication methods
The Cloud Security Scanner API supports the following authentication methods. To make calls against the API, use the techniques described below.
Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application.
To use a service account to authenticate to the Cloud Security Scanner, follow the instructions to create a service account. Select JSON as your key type.
After you create a service account, your service account key is downloaded to your browser's default downloads location.
If you call the Cloud Security Scanner API directly, such as by making an HTTP
request with cURL, you'll pass your authentication as a bearer token in an
Authorization header. To get a bearer token using your service account, follow
the steps below:
- Install the
gcloudcommand line tool.
Authenticate to your service account, replacing
KEY_FILEbelow with the path to your service account key file:
gcloud auth activate-service-account --key-file KEY_FILE
Get an authorization token using your service account:
gcloud auth print-access-token
The command returns an access token value.
When you call the API, pass the token value as a
bearertoken in an
curl -s -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ACCESS_TOKEN' \ 'https://websecurityscanner.googleapis.com/v1alpha/projects/YOUR_PROJECT/scanConfigs' \ -d @request.json
Roles limit an authenticated identity's ability to access resources. When you build a production application, only grant an identity the permissions it needs to interact with applicable Google Cloud Platform (GCP) APIs, features or resources.
For more information about these roles, see Cloud Security Scanner access control.