Configurazione dell'API Policy

Questa pagina spiega come configurare l'API Cloud Identity Policy prima di elencare e ottenere le policy.

Installare la libreria client Python

Per installare la libreria client Python, esegui questo comando:

  pip install --upgrade google-api-python-client google-auth \
    google-auth-oauthlib google-auth-httplib2

Per ulteriori informazioni sulla configurazione dell'ambiente di sviluppo Python, consulta la Guida alla configurazione dell'ambiente di sviluppo Python.

Abilitare l'API e configurare le credenziali dell'account di servizio

Accedi al tuo Google Cloud account. Se non conosci Google Cloud, crea un account per valutare le prestazioni dei nostri prodotti in scenari reali. I nuovi clienti ricevono anche 300 $di crediti senza costi per l'esecuzione, il test e il deployment dei workload.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
Go to project selector
Verify that billing is enabled for your Google Cloud project.
Enable the Cloud Identity API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Enable the API
Create a service account:
1. Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.

2. In the Google Cloud console, go to the Create service account page.

   Go to Create service account
3. Select your project.

4. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

   In the Service account description field, enter a description. For example, Service account for quickstart.

5. Click Create and continue.

6. Grant the Project > Owner role to the service account.

   To grant the role, find the Select a role list, then select Project > Owner.

7. Click Continue.

8. Click Done to finish creating the service account.

   Do not close your browser window. You will use it in the next step.
Create a service account key:
1. In the Google Cloud console, click the email address for the service account that you created.
2. Click Keys.
3. Click Add key, and then click Create new key.
4. Click Create. A JSON key file is downloaded to your computer.
5. Click Close.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

Enable the Cloud Identity API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

Create a service account:

1. Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.

2. In the Google Cloud console, go to the Create service account page.

   Go to Create service account
3. Select your project.

4. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

   In the Service account description field, enter a description. For example, Service account for quickstart.

5. Click Create and continue.

6. Grant the Project > Owner role to the service account.

   To grant the role, find the Select a role list, then select Project > Owner.

7. Click Continue.

8. Click Done to finish creating the service account.

   Do not close your browser window. You will use it in the next step.

Create a service account key:

1. In the Google Cloud console, click the email address for the service account that you created.
2. Click Keys.
3. Click Add key, and then click Create new key.
4. Click Create. A JSON key file is downloaded to your computer.
5. Click Close.

Eseguire l'autenticazione come account di servizio con delega a livello di dominio

Se sei un amministratore che gestisce le policy di identità o se vuoi fornire a un account privilegi a livello di dominio in modo che possa gestire le policy Google per conto degli amministratori, devi eseguire l'autenticazione come un account di servizio e poi concedere i privilegi a livello di dominio all'account di servizio.

Per informazioni dettagliate sulla configurazione della delega a livello di dominio, consulta Controllare l'accesso all'API con la delega a livello di dominio. Consulta le best practice per ridurre i rischi per la sicurezza associati all'utilizzo della delega a livello di dominio.

Per eseguire l'autenticazione come account di servizio, consulta Utilizzo di OAuth 2.0 per applicazioni da server a server. Quando inizializzi la credenziale nel codice, specifica l'indirizzo email su cui agisce il account di servizio chiamando with_subject() sulla credenziale. Ad esempio:

credentials = service_account.Credentials.from_service_account_file(
  SERVICE_ACCOUNT_FILE, scopes=SCOPES).with_subject(ADMIN_EMAIL)

Nella sezione Elencare e ottenere le policy sono disponibili esempi di codice campione dettagliati per chiamare l'API Policy, incluso il codice per l'autenticazione.