Set up the Policy API

This page explains how to set up the Cloud Identity Policy API so that you can list and get policies.

Install the Python client library

To install the Python client library, run the following command:

  pip install --upgrade google-api-python-client google-auth \
    google-auth-oauthlib google-auth-httplib2 absl-py

For more information about setting up your Python development environment, see the Python development environment setup guide.

Enable the API and set up service account credentials

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how the products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Identity API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. Create a service account:

    1. Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
    2. In the Google Cloud console, go to the Create service account page.

      Go to Create service account
    3. Select your project.
    4. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    5. Click Create and continue.
    6. Grant the Service Account Token Creator role to the service account.

      To grant the role, find the Select a role list, then select Service Account Token Creator.

    7. Click Continue.
    8. In the Service account users role field, enter the identifier for the principal that will attach the service account to other resources, such as Compute Engine instances.

      This is typically the email address for a Google Account.

    9. Click Done to finish creating the service account.

Authenticate as a service account with domain-wide delegation

If you are an administrator who manages identity policies, or you want to give an account domain-wide authority so that it can manage Google policies on behalf of an administrator, authenticate as a service account and then grant that service account domain-wide authority.

To learn how to set up domain-wide delegation, see Control API access with domain-wide delegation. Domain-wide delegation lets the service account act as any user in the domain for the scopes you grant, so review the best practices to reduce the security risks that come with it: grant only the scopes the Policy API needs, and restrict who can mint tokens for the service account.

After you set up domain-wide delegation, you can authenticate with Application Default Credentials (ADC). With ADC, your code can run in a development or production environment without changing how the application authenticates to Google Cloud services and APIs. When you initialize the credentials in your code, use the credentials' `subject` parameter to specify the email address of the administrator that the service account acts as. Make sure that this email address has been granted the Service Account User role on the service account (as described above). For example:

Python

import google.auth
from absl import app, flags
from google.auth import iam
from google.auth.transport import requests
from google.oauth2 import service_account

# Scope that lets the ADC principal sign blobs through the IAM credentials API.
AUTH_SCOPES = ['https://www.googleapis.com/auth/iam']
# The read and write scope of the API. Note that you must provide the
# required scope to the service account while setting up domain-wide
# delegation.
POLICY_SCOPES = ['https://www.googleapis.com/auth/cloud-identity.policies']
TOKEN_URI = "https://accounts.google.com/o/oauth2/token"

_ADMIN_EMAIL = flags.DEFINE_string(
    name='admin_email',
    default=None,
    help='Administrator email to call as',
    required=True,
)


def get_delegated_credentials():
    """Build domain-wide delegated credentials on top of ADC."""
    # Fetch application default credentials (ADC)
    credentials, _ = google.auth.default(scopes=AUTH_SCOPES)

    # Populate account information (service_account_email is filled on refresh)
    request = requests.Request()
    credentials.refresh(request)

    # Create an IAM signer: signing is done by the IAM API, so no private
    # key for the service account is ever downloaded.
    signer = iam.Signer(request, credentials,
                        credentials.service_account_email)

    # Create domain-wide delegated (DWD) credentials. `subject` is the
    # administrator the service account acts as.
    return service_account.Credentials(
        signer=signer,
        service_account_email=credentials.service_account_email,
        token_uri=TOKEN_URI,
        scopes=POLICY_SCOPES,
        subject=_ADMIN_EMAIL.value,
    )


def main(argv):
    del argv  # Unused; flags are parsed by app.run before main is called.
    delegated_credentials = get_delegated_credentials()
    # Pass delegated_credentials to the API client; see "List and get policies".


if __name__ == '__main__':
    app.run(main)

To impersonate a service account while using Application Default Credentials, use the `--impersonate-service-account` flag. The scopes passed here must include the IAM scope (for signing) and the Policy API scope:

Shell

gcloud auth application-default login --impersonate-service-account=<service_account_email> \
  --scopes=https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/cloud-identity.policies

For a detailed code sample that calls the Policy API, including the authentication code, see List and get policies.