Google uses AI technology to translate content into your preferred language. AI translations can contain errors.

Configurazione dell'API Policy

Questa pagina spiega come configurare l'API Cloud Identity Policy prima di elencare e ottenere le policy.

Installare la libreria client Python

Per installare la libreria client Python, esegui questo comando:

  pip install --upgrade google-api-python-client google-auth \
    google-auth-oauthlib google-auth-httplib2 absly-py

Per ulteriori informazioni sulla configurazione dell'ambiente di sviluppo Python, consulta la Guida alla configurazione dell'ambiente di sviluppo Python.

Attiva l'API e configura le credenziali del account di servizio

Accedi al tuo account Google Cloud . Se non conosci Google Cloud, crea un account per valutare le prestazioni dei nostri prodotti in scenari reali. I nuovi clienti ricevono anche 300 $di crediti senza costi per l'esecuzione, il test e il deployment dei workload.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

Enable the Cloud Identity API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Create a service account:

Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
In the Google Cloud console, go to the Create service account page.
Go to Create service account
Select your project.
In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

In the Service account description field, enter a description. For example, Service account for quickstart.
Click Create and continue.
Grant the Service Account Token Creator role to the service account.

To grant the role, find the Select a role list, then select Service Account Token Creator.

Note: The Role field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.
Click Continue.
In the Service account users role field, enter the identifier for the principal that will attach the service account to other resources, such as Compute Engine instances.

This is typically the email address for a Google Account.
Click Done to finish creating the service account.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

Enable the Cloud Identity API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Create a service account:

Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
In the Google Cloud console, go to the Create service account page.
Go to Create service account
Select your project.
In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

In the Service account description field, enter a description. For example, Service account for quickstart.
Click Create and continue.
Grant the Service Account Token Creator role to the service account.

To grant the role, find the Select a role list, then select Service Account Token Creator.

Note: The Role field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.
Click Continue.
In the Service account users role field, enter the identifier for the principal that will attach the service account to other resources, such as Compute Engine instances.

This is typically the email address for a Google Account.
Click Done to finish creating the service account.

Eseguire l'autenticazione come account di servizio con delega a livello di dominio

Se sei un amministratore che gestisce i criteri di identità o se vuoi fornire a un account privilegi a livello di dominio in modo che possa gestire i criteri Google per conto degli amministratori, devi autenticarti come account di servizio e poi concedere privilegi a livello di dominio all'account di servizio.

Per informazioni dettagliate sulla configurazione della delega a livello di dominio, vedi Controllare l'accesso all'API con la delega a livello di dominio. Consulta le best practice per ridurre i rischi per la sicurezza associati all'utilizzo della delega a livello di dominio.

Dopo aver configurato la delega a livello di dominio, è possibile utilizzare le credenziali predefinite dell'applicazione (ADC) per l'autenticazione. Quando utilizzi ADC, il tuo codice può essere eseguito in un ambiente di sviluppo o di produzione senza modificare il modo in cui l'applicazione si autentica ai servizi e alle API Google Cloud. Quando inizializzi le credenziali nel codice, specifica l'indirizzo email su cui agisce il account di servizio utilizzando il parametro subject() nelle credenziali. Assicurati che all'indirizzo email sia concesso il ruolo Service Account User per il account di servizio (come descritto sopra). Ad esempio:

Python

AUTH_SCOPES = ['https://www.googleapis.com/auth/iam']
# The read and write scope of the API. Note that you must provide the
# required scope to the service account while setting up domain-wide 
# delegation.
POLICY_SCOPES = ['https://www.googleapis.com/auth/cloud-identity.policies']
TOKEN_URI = "https://accounts.google.com/o/oauth2/token"

_ADMIN_EMAIL = flags.DEFINE_string(
    name='admin_email',
    default=None,
    help='Administrator email to call as',
    required=True,
)

# Fetch application default credentials (ADC)
credentials, _ = google.auth.default(scopes=AUTH_SCOPES)

# Populate account information
request = requests.Request()
credentials.refresh(request)

# Create an IAM signer
signer = iam.Signer(request, credentials,
                    credentials.service_account_email)

# Create domain-wide delegated (DWD) credentials
delegated_credentials = service_account.Credentials(
    signer=signer,
    service_account_email=credentials.service_account_email,
    token_uri=TOKEN_URI,
    scopes=POLICY_SCOPES,
    subject=_ADMIN_EMAIL.value
)

Per rappresentare un account di servizio quando utilizzi le credenziali predefinite dell'applicazione, utilizza il flag impersonate-service-account.

Shell

gcloud auth application-default login --impersonate-service-account=<service_account_email>
--scopes=https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/cloud-identity.policies

Il codice campione dettagliato per chiamare l'API Policy, incluso il codice per l'autenticazione, è disponibile in Elenco e recupero delle norme.