Python quickstart for customers using a service account
Stay organized with collections
Save and categorize content based on your preferences.
Follow the steps in this quickstart guide, and in about 10 minutes you have
a simple Python command-line app that makes requests to the zero-touch
enrollment customer API using a service account.
Prerequisites
To run this quickstart, you need:
A service account, that's linked to you zero-touch enrollment customer
account. See Get
started.
Use this
wizard to create or select a project in the Google Developers Console and
automatically turn on the API. Click Continue, then Go to credentials
.
Set What data will you be accessing? to Application data.
Click Next. You should be prompted to create a service
account.
Give a descriptive name for Service account name.
Note the Service account ID (it looks like an email address) because you'll
use it later.
Set Role to Service Accounts > Service Account User.
Click Done to finish creating the service account.
Click the email address for the service account that you created.
Click **Keys**.
Click **Add key**, then click **Create new key**.
For **Key type**, select **JSON**.
Click Create and the private key downloads to your computer.
Click **Close**.
Move the file to your working directory and rename it service_account_key.json.
Step 2: Install the Google client library
Run the following command to install the library using pip:
See the library's installation
page for different installation
options.
Step 3: Set up the sample
Create a file named quickstart.py in your working directory. Copy in the
following code and save the file.
#!/usr/bin/env python# -*- coding: utf-8 -*-"""Zero-touch enrollment quickstart sample.This script forms the quickstart introduction to the zero-touch enrollemntcustomer API. To learn more, visit https://developer.google.com/zero-touch"""importsysfromapiclientimportdiscoveryimporthttplib2fromoauth2client.service_accountimportServiceAccountCredentials# A single auth scope is used for the zero-touch enrollment customer API.SCOPES=['https://www.googleapis.com/auth/androidworkzerotouchemm']SERVICE_ACCOUNT_KEY_FILE='service_account_key.json'defget_credential():"""Creates a Credential object with the correct OAuth2 authorization. Uses the service account key stored in SERVICE_ACCOUNT_KEY_FILE. Returns: Credentials, the user's credential. """credential=ServiceAccountCredentials.from_json_keyfile_name(SERVICE_ACCOUNT_KEY_FILE,SCOPES)ifnotcredentialorcredential.invalid:print('Unable to authenticate using service account key.')sys.exit()returncredentialdefget_service():"""Creates a service endpoint for the zero-touch enrollment API. Builds and returns an authorized API client service for v1 of the API. Use the service endpoint to call the API methods. Returns: A service Resource object with methods for interacting with the service. """http_auth=get_credential().authorize(httplib2.Http())returndiscovery.build('androiddeviceprovisioning','v1',http=http_auth)defmain():"""Runs the zero-touch enrollment quickstart app. """# Create a zero-touch enrollment API service endpoint.service=get_service()# Get the customer's account. Because a customer might have more# than one, limit the results to the first account found.response=service.customers().list(pageSize=1).execute()if'customers'notinresponse:# No accounts found for the user. Confirm the Google Account# that authorizes the request can access the zero-touch portal.print('No zero-touch enrollment account found.')sys.exit()customer_account=response['customers'][0]['name']# Send an API request to list all the DPCs available using the customer# account.results=service.customers().dpcs().list(parent=customer_account).execute()# Print out the details of each DPC.fordpcinresults['dpcs']:# Some DPCs may not have a name, so replace with a marker.if'dpcName'indpc:dpcName=dpc['dpcName']else:dpcName="-"print('Name:{0} APK:{1}'.format(dpcName,dpc['packageName']))if__name__=='__main__':main()
Step 4: Add your service account key
Copy the service_account_key.json you downloaded when you created your
service account into your working directory.
Step 5: Run the sample
Use your operating system's help to run the script in the file. On UNIX and Mac
computers, run the command below in your terminal:
pythonquickstart.py
Notes
Avoid sharing your service_account_key.json file with anyone. Be careful
not to include it in source code repositories. You can read more advice on
handling service account secrets.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eThis quickstart guide helps you create a simple Python command-line app that interacts with the zero-touch enrollment customer API using a service account in about 10 minutes.\u003c/p\u003e\n"],["\u003cp\u003eYou will need a service account linked to your zero-touch enrollment customer account, Python 3.0 or greater, the pip package management tool, internet access, and a web browser to run this guide.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves enabling the zero-touch enrollment API, installing the Google client library, setting up the sample code, and adding your downloaded service account key file, along with running the sample file.\u003c/p\u003e\n"],["\u003cp\u003eThe sample code demonstrates how to authenticate using a service account key, create a service endpoint for the zero-touch enrollment API, retrieve customer account information, and list available device policy controllers (DPCs).\u003c/p\u003e\n"],["\u003cp\u003eIt is crucial to manage the \u003ccode\u003eservice_account_key.json\u003c/code\u003e file securely, avoiding sharing or including it in source code repositories, as it poses a security risk if mishandled.\u003c/p\u003e\n"]]],["First, enable the zero-touch enrollment API and create a service account, noting its ID. Assign the \"Service Account User\" role, generate a JSON key, download it, and rename it to `service_account_key.json`. Next, install the Google client library using `pip`. Create `quickstart.py`, copy the provided Python code, and save it. Place the renamed key file into your working directory. Finally, run the `quickstart.py` script via the command line.\n"],null,["# Python quickstart for customers using a service account\n\nFollow the steps in this quickstart guide, and in about 10 minutes you have\na simple Python command-line app that makes requests to the zero-touch\nenrollment customer API using a service account.\n\nPrerequisites\n-------------\n\nTo run this quickstart, you need:\n\n- A service account, that's linked to you zero-touch enrollment customer account. See [Get\n started](/zero-touch/guides/customer/service-accounts).\n- Python 3.0 or greater.\n- The [pip](https://pypi.python.org/pypi/pip) package management tool.\n- Access to the internet and a web browser.\n\nStep 1: Turn on the zero-touch enrollment API\n---------------------------------------------\n\n1. Use [this\n wizard](https://console.developers.google.com/start/api?id=androiddeviceprovisioning.googleapis.com) to create or select a project in the Google Developers Console and automatically turn on the API. Click **Continue** , then **Go to credentials**.\n2. Set **What data will you be accessing?** to *Application data*.\n3. Click **Next**. You should be prompted to create a service account.\n4. Give a descriptive name for **Service account name**.\n5. Note the **Service account ID** (it looks like an email address) because you'll use it later.\n6. Set **Role** to *Service Accounts \\\u003e Service Account User*.\n7. Click **Done** to finish creating the service account.\n8. Click the email address for the service account that you created.\n9. Click \\*\\*Keys\\*\\*.\n10. Click \\*\\*Add key\\*\\*, then click \\*\\*Create new key\\*\\*.\n11. For \\*\\*Key type\\*\\*, select \\*\\*JSON\\*\\*.\n12. Click **Create** and the private key downloads to your computer.\n13. Click \\*\\*Close\\*\\*.\n14. Move the file to your working directory and rename it `service_account_key.json`.\n\n| **Warning:** Service account keys can become a security risk if not managed carefully. For advice see [best practices for managing API keys](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys).\n\nStep 2: Install the Google client library\n-----------------------------------------\n\nRun the following command to install the library using pip: \n\n pip install --upgrade google-api-python-client oauth2client\n\nSee the library's [installation\npage](/api-client-library/python/start/installation) for different installation\noptions.\n\nStep 3: Set up the sample\n-------------------------\n\nCreate a file named `quickstart.py` in your working directory. Copy in the\nfollowing code and save the file. \n\n```python\n#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n\"\"\"Zero-touch enrollment quickstart sample.\n\nThis script forms the quickstart introduction to the zero-touch enrollemnt\ncustomer API. To learn more, visit https://developer.google.com/zero-touch\n\"\"\"\n\nimport sys\nfrom apiclient import discovery\nimport httplib2\nfrom oauth2client.service_account import ServiceAccountCredentials\n\n# A single auth scope is used for the zero-touch enrollment customer API.\nSCOPES = ['https://www.googleapis.com/auth/androidworkzerotouchemm']\nSERVICE_ACCOUNT_KEY_FILE = 'service_account_key.json'\n\n\ndef get_credential():\n \"\"\"Creates a Credential object with the correct OAuth2 authorization.\n\n Uses the service account key stored in SERVICE_ACCOUNT_KEY_FILE.\n\n Returns:\n Credentials, the user's credential.\n \"\"\"\n credential = ServiceAccountCredentials.from_json_keyfile_name(\n SERVICE_ACCOUNT_KEY_FILE, SCOPES)\n\n if not credential or credential.invalid:\n print('Unable to authenticate using service account key.')\n sys.exit()\n return credential\n\n\ndef get_service():\n \"\"\"Creates a service endpoint for the zero-touch enrollment API.\n\n Builds and returns an authorized API client service for v1 of the API. Use\n the service endpoint to call the API methods.\n\n Returns:\n A service Resource object with methods for interacting with the service.\n \"\"\"\n http_auth = get_credential().authorize(httplib2.Http())\n return discovery.build('androiddeviceprovisioning', 'v1', http=http_auth)\n\n\ndef main():\n \"\"\"Runs the zero-touch enrollment quickstart app.\n \"\"\"\n # Create a zero-touch enrollment API service endpoint.\n service = get_service()\n\n # Get the customer's account. Because a customer might have more\n # than one, limit the results to the first account found.\n response = service.customers().list(pageSize=1).execute()\n\n if 'customers' not in response:\n # No accounts found for the user. Confirm the Google Account\n # that authorizes the request can access the zero-touch portal.\n print('No zero-touch enrollment account found.')\n sys.exit()\n customer_account = response['customers'][0]['name']\n\n # Send an API request to list all the DPCs available using the customer\n # account.\n results = service.customers().dpcs().list(parent=customer_account).execute()\n\n # Print out the details of each DPC.\n for dpc in results['dpcs']:\n # Some DPCs may not have a name, so replace with a marker.\n if 'dpcName' in dpc:\n dpcName = dpc['dpcName']\n else:\n dpcName = \"-\"\n print('Name:{0} APK:{1}'.format(dpcName, dpc['packageName']))\n\n\nif __name__ == '__main__':\n main()\n```\n\nStep 4: Add your service account key\n------------------------------------\n\nCopy the `service_account_key.json` you downloaded when you created your\nservice account into your working directory.\n\nStep 5: Run the sample\n----------------------\n\nUse your operating system's help to run the script in the file. On UNIX and Mac\ncomputers, run the command below in your terminal: \n\n python quickstart.py\n\nNotes\n-----\n\n- Avoid sharing your `service_account_key.json` file with anyone. Be careful not to include it in source code repositories. You can read more advice on [handling service account secrets](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys).\n\nLearn more\n----------\n\n- [Google Developers Console help documentation](/console/help/new)\n- [Google APIs Client for Python documentation](/api-client-library/python)\n- [pip User Guide](https://pip.pypa.io/en/stable/user_guide/)"]]