Getting Started with the Service Control API

Stay organized with collections Save and categorize content based on your preferences.

This page describes the basic steps necessary to set up the Service Control API on your local machine and test it using the curl command.

Initial setup

The Service Control API works with managed services. To use the Service Control API, you need to first create a managed service using the Service Management API. For more information, see Service Management Getting Started.

After you have created a managed service, you need to complete the following steps before using the Service Control API from your managed service.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install and initialize the Google Cloud CLI.
  3. Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  4. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  5. Enable the Service Control API:

    gcloud services enable servicecontrol.googleapis.com
  6. Grant roles to your Google Account. Run the following command once for each of the following IAM roles: roles/servicemanagement.serviceController

    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:EMAIL_ADDRESS" --role=ROLE
    • Replace PROJECT_ID with your project ID.
    • Replace EMAIL_ADDRESS with your email address.
    • Replace ROLE with each individual role.
  7. Install and initialize the Google Cloud CLI.
  8. Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  9. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  10. Enable the Service Control API:

    gcloud services enable servicecontrol.googleapis.com
  11. Grant roles to your Google Account. Run the following command once for each of the following IAM roles: roles/servicemanagement.serviceController

    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:EMAIL_ADDRESS" --role=ROLE
    • Replace PROJECT_ID with your project ID.
    • Replace EMAIL_ADDRESS with your email address.
    • Replace ROLE with each individual role.

Test with curl

First, define a convenient shell alias for calling Google REST APIs:

alias gcurl='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" '

The following shell command sequence demonstrates the incremental steps to call the Service Control API.

# Call with invalid service name "invalid.com". For security and privacy
# reasons, the permission check typically happens before other checks.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/invalid.com:check
{
  "error": {
    "code": 403,
    "message": "Permission 'servicemanagement.services.check' denied on service 'invalid.com'.",
    "status": "PERMISSION_DENIED"
  }
}

# Call without proper permission on a service.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/servicecontrol.googleapis.com:check
{
  "error": {
    "code": 403,
    "message": "Permission 'servicemanagement.services.check' denied on service 'servicecontrol.googleapis.com'.",
    "status": "PERMISSION_DENIED"
  }
}

# Call with invalid request.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}

# This and following call assume that the service, operation name and
# project being checked are "endpointsapis.appspot.com",
# "google.example.hello.v1.HelloService.GetHello" and
# "endpointsapis-consumer" correspondingly.
# Change to the name of your managed service, operation, and project.
# Call with invalid request.
$ gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime": "2016-06-12T22:00:15Z",
    "operationName": "google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "checkErrors": [
  {
    "code": "SERVICE_NOT_ACTIVATED",
    "detail": "Service 'endpointsapis.appspot.com' is not enabled for consumer 'project:endpointsapis-consumer'."
  }
  ]
}

# Successful call to "services.check" method after the API is enabled for
# the project.
$ gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime":"2016-07-31T05:20:00Z",
    "operationName":"google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "operationId": "123e4567-e89b-12d3-a456-426655440000"
}

After you have completed the preceding steps:

  • You have a functional local test setup that you can use to call any Google Cloud Platform APIs.
  • You have a functional service that you can use with the Service Management API and the Service Control API.
  • You have a service account with correct permissions that you can use to run your service.