Authorizing your requests to annotatePaths requires a service account on
the allowlist for the associated Google Cloud project. You can then impersonate
the service account and generate an OAuth token, which is passed as a header in
the requests.
Set up a service account
Because only service accounts in the allowlist are permitted to call
annotatePaths, you must act as a service account through service account
impersonation.
Follow the instructions in Creating a service account. The service account email has the following general format:
SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
Send the service account email to your Google business representative. Your representative adds this service account to an allowlist authorized to call annotatePaths.
Add users who can impersonate the service account
Add a user who is authorized to impersonate the service account:
gcloud iam service-accounts add-iam-policy-binding \
SERVICE_ACCOUNT \
--member=user:USER_EMAIL \
--role=roles/iam.serviceAccountTokenCreator \
--project=PROJECT_ID
You can also add users authorized to impersonate the service account through the Cloud Console. See Create a service account.
Troubleshooting if the command fails
If this command fails, ask a project owner either to run the command for you
or to grant you the roles/iam.serviceAccountAdmin role on the service account
by running:
gcloud iam service-accounts add-iam-policy-binding \
SERVICE_ACCOUNT \
--member=user:USER_EMAIL \
--role=roles/iam.serviceAccountAdmin \
--project=PROJECT_ID
Generate a short-lived OAuth token
If you want to set up annotatePaths using an OAuth token but don't have an
environment set up to generate tokens, use the procedure in this section to get
a short-lived OAuth token using the gcloud CLI. (The token expires in an hour.)
For more details, see Create short-lived credentials for a service account. The
steps that follow are a shortened view of these instructions.
Sign in to gcloud:
gcloud auth login
gcloud opens a browser window and prompts you for permission.
Set your project:
gcloud config set project PROJECT_ID
Get a short-lived access token using print-access-token:
gcloud auth print-access-token
This command returns a token. Copy the token and insert it into YOUR_ACCESS_TOKEN in the following command:
curl -X POST \
https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT:generateAccessToken \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json; charset=utf-8" \
-d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"],"lifetime": "3600s"}'
The CLI returns the short-lived OAuth access token that you can now use when making requests to annotatePaths.
(Optional) Check the OAuth token permissions
If you experience authorization issues, you can check your OAuth token permissions by inserting the token into the following URL, customizing OAUTH_TOKEN. (Paste this into your address bar.)
https://oauth2.googleapis.com/tokeninfo?access_token=OAUTH_TOKEN
The response should include a scope of
https://www.googleapis.com/auth/cloud-platform. If it doesn't, make sure you
set the scope properly as shown in the preceding section.
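The token exchange done by the curl command and the scope check described above can be scripted together; the following Python is an added example, not part of the original documentation. The function names and sample values are constructed, and the reply fields it reads (`accessToken` from generateAccessToken, `scope` and `expires_in` from tokeninfo) are assumptions about the API responses.

```python
import json
import re
import urllib.parse
import urllib.request

SCOPE = "https://www.googleapis.com/auth/cloud-platform"
IAM = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
TOKENINFO = "https://oauth2.googleapis.com/tokeninfo"
SA_EMAIL = re.compile(r"^[^@\s/]+@[^@\s/]+\.iam\.gserviceaccount\.com$")
# Constructed sample; field names are assumed from a typical tokeninfo reply.
SAMPLE_TOKENINFO = {"scope": "openid " + SCOPE, "expires_in": "3540"}

def build_request(service_account, caller_token, lifetime="3600s"):
    """Build the generateAccessToken POST that the curl command sends."""
    if not SA_EMAIL.match(service_account):
        raise ValueError("not a service account email: %r" % service_account)
    body = json.dumps({"scope": [SCOPE], "lifetime": lifetime}).encode()
    headers = {"Authorization": "Bearer " + caller_token,
               "Content-Type": "application/json; charset=utf-8"}
    return urllib.request.Request(IAM + service_account + ":generateAccessToken",
                                  data=body, headers=headers, method="POST")

def token_problems(info, min_seconds_left=60):
    """List reasons a tokeninfo reply shows the token is unusable ([] = OK)."""
    problems = []
    if SCOPE not in str(info.get("scope", "")).split():  # space-separated scopes
        problems.append("missing scope " + SCOPE)
    try:
        left = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        left = 0
    if left < min_seconds_left:
        problems.append("expires in %ds" % left)
    return problems

def fetch_json(req):
    # urlopen raises urllib.error.HTTPError on 4xx, e.g. 403 when the caller
    # lacks roles/iam.serviceAccountTokenCreator on the service account.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def mint_and_check(service_account, caller_token):
    """Network path: mint the service account token, then inspect it."""
    minted = fetch_json(build_request(service_account, caller_token))
    query = urllib.parse.urlencode({"access_token": minted["accessToken"]})
    return minted["accessToken"], token_problems(fetch_json(TOKENINFO + "?" + query))

if __name__ == "__main__":
    print(token_problems(SAMPLE_TOKENINFO))  # offline check on the sample
```

To run the network path, pass the service account email and the output of gcloud auth print-access-token to mint_and_check; an empty problem list means the token carries the cloud-platform scope and has not nearly expired.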
Use OAuth in production environments
For instructions on using OAuth in a production environment, see Authentication at Google.
Troubleshooting
If your request returns an error message about end-user credentials not being supported by this API, see User credentials not working.