Use OAuth (Automotive)

Authorizing your requests to annotatePaths requires a service account on the allowlist for the associated Google Cloud project. You can then impersonate the service account and generate an OAuth token, which is passed as a header in the requests.

Set up a service account

Because only service accounts in the allowlist are permitted to call annotatePaths, you must act as a service account through service account impersonation.

  1. Follow the instructions in Creating a service account. The service account email has the following general format:

    SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
    
  2. Send the service account email to your Google business representative. Your representative adds this service account to an allowlist authorized to call annotatePaths.

Add users who can impersonate the service account

Add a user who is authorized to impersonate the service account:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT \
    --member=user:USER_EMAIL \
    --role=roles/iam.serviceAccountTokenCreator \
    --project=PROJECT_ID

You can also add users authorized to impersonate the service account through the Cloud Console. See Create a service account.

Troubleshooting if the command fails

If this command fails, ask a project owner either to run the command for you or to grant you the roles/iam.serviceAccountAdmin role on the service account by running:

gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT \
    --member=user:USER_EMAIL \
    --role=roles/iam.serviceAccountAdmin \
    --project=PROJECT_ID

Generate a short-lived OAuth token

If you want to set up annotatePaths using an OAuth token but don't have an environment set up to generate tokens, use the procedure in this section to get a short-lived OAuth token using the gcloud CLI. (The token expires in an hour.) For more details, see Create short-lived credentials for a service account. The steps that follow are a shortened view of these instructions.

  1. Sign in to gcloud:

    gcloud auth login
    

    gcloud opens a browser window and prompts you for permission.

  2. Set your project:

    gcloud config set project PROJECT_ID
    
  3. Get a short-lived access token using print-access-token:

    gcloud auth print-access-token
    

    This command returns a token. Copy the token and substitute it for YOUR_ACCESS_TOKEN in the following command:

    curl -X POST \
    https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT:generateAccessToken \
    -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"],"lifetime": "3600s"}'
    

    The command returns the short-lived OAuth access token, which you can now use in requests to annotatePaths.

(Optional) Check the OAuth token permissions

If you experience authorization issues, you can check your OAuth token permissions by replacing OAUTH_TOKEN in the following URL with your token and pasting the URL into your browser's address bar:

https://oauth2.googleapis.com/tokeninfo?access_token=OAUTH_TOKEN

The response should include a scope of https://www.googleapis.com/auth/cloud-platform. If it doesn't, make sure you set the scope properly as shown in the preceding section.
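The same check can be run from a script, which keeps the token out of browser history. The following is an added example, not code from the original page: it reads the accessToken field of a generateAccessToken response and checks the scope and expires_in fields of a tokeninfo response. The function names, the 60-second threshold and the sample responses are constructed for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"  # URL from the page
REQUIRED_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def extract_access_token(response_text):
    """Return the token from a generateAccessToken JSON response, or raise."""
    body = json.loads(response_text)
    if "error" in body:  # standard Google API error envelope
        err = body["error"]
        raise ValueError(f"{err.get('status')}: {err.get('message')}")
    return body["accessToken"]


def fetch_tokeninfo(token):
    """GET the tokeninfo document for a token (network call, not run on import)."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": token})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # a rejected token comes back as an HTTP error with a JSON body


def check_tokeninfo(info, min_seconds_left=60):
    """Return a list of problems in a tokeninfo response; empty means usable."""
    if "error" in info or "error_description" in info:
        return ["token rejected: " + str(info.get("error_description") or info.get("error"))]
    problems = []
    if REQUIRED_SCOPE not in info.get("scope", "").split():  # scopes are space-separated
        problems.append("missing scope " + REQUIRED_SCOPE)
    if int(info.get("expires_in", 0)) < min_seconds_left:
        problems.append("token expires in under %d seconds" % min_seconds_left)
    return problems


# Constructed sample responses (not real tokens), shaped like the two endpoints' output.
SAMPLE_GENERATE = '{"accessToken": "ya29.EXAMPLE", "expireTime": "2030-01-01T00:00:00Z"}'
SAMPLE_DENIED = '{"error": {"code": 403, "message": "Permission denied", "status": "PERMISSION_DENIED"}}'
SAMPLE_INFO_OK = {"scope": REQUIRED_SCOPE, "expires_in": "3540"}
SAMPLE_INFO_NARROW = {"scope": "https://www.googleapis.com/auth/userinfo.email", "expires_in": "30"}

if __name__ == "__main__":
    print(extract_access_token(SAMPLE_GENERATE))
    print(check_tokeninfo(SAMPLE_INFO_OK), check_tokeninfo(SAMPLE_INFO_NARROW))
```

To check a live token, pass the output of the curl command to extract_access_token and the result of fetch_tokeninfo to check_tokeninfo.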

Use OAuth in production environments

For instructions on using OAuth in a production environment, see Authentication at Google.

Troubleshooting

If your request returns an error message about end-user credentials not being supported by this API, see User credentials not working.