Set up the Policy API

This page explains how to set up the Cloud Identity Policy API before listing and getting policies.

Install the Python client library

To install the Python client library, run the following command:

  pip install --upgrade google-api-python-client google-auth \
    google-auth-oauthlib google-auth-httplib2 absl-py

For more information about setting up a Python development environment, see the Python Development Environment Setup Guide.

Enable the API and set up service account credentials

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Identity API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. Create a service account:

    1. Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
    2. In the Google Cloud console, go to the Create service account page.

      Go to Create service account
    3. Select your project.
    4. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    5. Click Create and continue.
    6. Grant the Service Account Token Creator role to the service account.

      To grant the role, find the Select a role list, then select Service Account Token Creator.

    7. Click Continue.
    8. In the Service account users role field, enter the identifier for the principal that will attach the service account to other resources, such as Compute Engine instances.

      This is typically the email address for a Google Account.

    9. Click Done to finish creating the service account.

Authenticate as a service account with domain-wide delegation

If you are an administrator who manages identity policies, or if you want to grant domain-wide privileges to an account so that it can manage Google policies on behalf of an administrator, you must authenticate as a service account and then grant that service account domain-wide privileges.

For details on setting up domain-wide delegation, see Control API access with domain-wide delegation. Review the best practices for mitigating the security risks associated with using domain-wide delegation.

After domain-wide delegation is set up, Application Default Credentials (ADC) can be used for authentication. With ADC, your code can run in a development or production environment without changing how your application authenticates to Google Cloud services and APIs. When initializing the credentials in code, specify the email address that the service account acts on behalf of using the subject parameter of the credentials. Make sure that email address has been granted the Service Account User role on the service account (as described above). Example:

Python

from absl import app, flags
import google.auth
from google.auth import iam
from google.auth.transport import requests
from google.oauth2 import service_account

# Scope that ADC needs so that it can sign on behalf of the service
# account through the IAM signBlob API.
AUTH_SCOPES = ['https://www.googleapis.com/auth/iam']
# The read and write scope of the API. Note that you must authorize this
# scope for the service account's client ID while setting up domain-wide
# delegation.
POLICY_SCOPES = ['https://www.googleapis.com/auth/cloud-identity.policies']
TOKEN_URI = "https://accounts.google.com/o/oauth2/token"

_ADMIN_EMAIL = flags.DEFINE_string(
    name='admin_email',
    default=None,
    help='Administrator email to call as',
    required=True,
)


def build_delegated_credentials():
    # Fetch application default credentials (ADC)
    credentials, _ = google.auth.default(scopes=AUTH_SCOPES)

    # Populate account information: service_account_email is only filled in
    # after a refresh for Compute Engine and impersonated credentials
    request = requests.Request()
    credentials.refresh(request)

    # Create an IAM signer. It signs JWTs through the IAM API, so no
    # service account key file has to be present on the machine.
    signer = iam.Signer(request, credentials,
                        credentials.service_account_email)

    # Create domain-wide delegated (DWD) credentials that act as the admin
    # named by --admin_email
    return service_account.Credentials(
        signer=signer,
        service_account_email=credentials.service_account_email,
        token_uri=TOKEN_URI,
        scopes=POLICY_SCOPES,
        subject=_ADMIN_EMAIL.value,
    )


def main(argv):
    del argv  # unused
    delegated_credentials = build_delegated_credentials()
    # Pass delegated_credentials to googleapiclient.discovery.build(...)
    # when creating the Cloud Identity service client.


if __name__ == '__main__':
    app.run(main)
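The credentials above hide what domain-wide delegation actually sends to the token endpoint: a signed JWT bearer assertion (RFC 7523) whose iss is the service account, whose sub is the administrator passed as subject, and whose scope claim must be covered by the scopes authorized for the client ID in the Admin console. The following stand-alone example, added here and not part of the original page or of Google's client library, builds that assertion with the standard library only and checks the requested scopes against an authorized list. FakeSigner, the service account and admin addresses, and the authorized-scope list are placeholders for this offline demonstration; in the real flow google.auth.iam.Signer supplies the RS256 signature via the IAM signBlob API.

```python
"""Offline illustration of the JWT bearer grant behind domain-wide delegation.

Signing is abstracted behind a Signer-like object with the same .sign()
interface as google.auth.iam.Signer. FakeSigner is a stand-in that produces
no valid signature; it exists so the claim construction can be inspected
without contacting Google.
"""
import base64
import json
import time

TOKEN_URI = "https://accounts.google.com/o/oauth2/token"
POLICY_SCOPES = ["https://www.googleapis.com/auth/cloud-identity.policies"]
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Google rejects assertions whose exp is more than one hour after iat.
MAX_LIFETIME_SECONDS = 3600


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class FakeSigner:
    """Placeholder for google.auth.iam.Signer: same interface, no real RS256."""

    def sign(self, message: bytes) -> bytes:
        return b"fake-signature:" + message[:8]


def build_delegation_assertion(signer, service_account_email, subject, scopes,
                               now=None, lifetime=MAX_LIFETIME_SECONDS):
    """Return the signed JWT that the token endpoint exchanges for an access
    token acting as `subject` (the administrator being impersonated)."""
    if lifetime > MAX_LIFETIME_SECONDS:
        raise ValueError("assertion lifetime must not exceed one hour")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account_email,  # the service account that signs
        "sub": subject,                # the user the token will act as
        "scope": " ".join(scopes),     # must be covered by the DWD authorization
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    signature = signer.sign(signing_input.encode("ascii"))
    return signing_input + "." + _b64url(signature)


def token_request_body(assertion):
    """Form body that is POSTed to TOKEN_URI for the jwt-bearer grant."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(assertion):
    """Decode the (unverified) claims segment of a compact JWT."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_scopes(requested, authorized):
    """Return requested scopes that the Admin console DWD entry does not cover.

    A non-empty result means the token exchange will be refused. The fix is to
    add exactly those scopes to the console entry, not to widen it further.
    """
    return sorted(set(requested) - set(authorized))


if __name__ == "__main__":
    # Constructed sample values; not real accounts.
    sa_email = "policy-reader@example-project.iam.gserviceaccount.com"
    admin = "admin@example.com"
    jwt = build_delegation_assertion(FakeSigner(), sa_email, admin, POLICY_SCOPES)
    print(json.dumps(decode_claims(jwt), indent=2))
    print(check_scopes(POLICY_SCOPES, POLICY_SCOPES))
```

check_scopes is the pre-flight a practitioner wants before the first token exchange: an empty result means the console authorization covers what the code requests; anything returned will make the exchange fail with unauthorized_client, and the remedy is to add that scope to the client ID's entry rather than to grant a broader set than the code needs.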

To impersonate a service account when using Application Default Credentials, use the --impersonate-service-account flag. Request only the scopes the code needs: the IAM scope for signing and the Policy API scope for the calls themselves.

Shell

gcloud auth application-default login --impersonate-service-account=<service_account_email> \
  --scopes=https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/cloud-identity.policies

Detailed sample code for calling the Policy API, including the authentication code, is provided in List and get policies.