Before you begin developing, you need to review the Chrome Policy API Terms of Service, create a Google Cloud project, enable the Chrome Policy API, and set up access credentials.
The Chrome Policy API respects admin role permissions and is governed by defined authorization scopes.
Step 1: Create a Google Cloud project
A Google Cloud project is required to use the Chrome Policy API. This project forms the basis for creating, enabling, and using all Google Cloud services, including managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
If you don't already have a Google Cloud project you want to use, follow the steps below to create a Google Cloud project:
- Open the Google Cloud Console.
- At the top-left, click Menu > IAM & Admin > Create a Project.
- In the Project Name field, enter a descriptive name for your project.
- In the Location field, click Browse to display the organizations available for assignment. Choose the organization for which you want to manage Chrome policies, then click Select.
- Click Create. The console navigates to the Dashboard page and your project is created within a few minutes.
Step 2: Enable the Chrome Policy API
To enable the Chrome Policy API in your Google Cloud project:
- Open the Google Cloud Console.
- At the top, choose your Google Cloud project.
- At the top-left, click Menu > APIs & Services > Library.
- In the search field, enter "Chrome" and press Enter.
- In the list of search results, click Chrome Policy API.
- Click Enable.
- To enable more APIs, repeat steps 2–5.
Step 3: Create credentials
Requests to the Chrome Policy API can be authenticated as an end user or a robot service account.
Configure the OAuth consent screen
- Open the Google Cloud Console.
- At the top, choose your Google Cloud project.
- At the top-left, click Menu > APIs & Services > OAuth consent screen.
- Select the user type for your app, then click Create.
- Complete the app registration form, then click Save and Continue.
- Click Add or remove scopes. A panel appears with a list of scopes for each API you've enabled in your Google Cloud project. Add one of the following authorization scopes:
  - https://www.googleapis.com/auth/chrome.management.policy
  - https://www.googleapis.com/auth/chrome.management.policy.readonly
The readonly scope doesn't allow any mutation operations.
Set up end user or service account authentication
Follow one of the two options below:
Option 1: Authenticate as an end user with OAuth 2.0
- Open the Google Cloud Console.
- At the top, choose your Google Cloud project.
- At the top-left, click Menu > APIs & Services > Credentials.
- Click Create Credentials > OAuth client ID.
- Follow the steps to create the OAuth 2.0 credentials.
No special setup is required in the Admin console by the organization's Chrome admin for OAuth 2.0 authentication. Users of your app will need to have the required admin role permissions associated with their account and need to agree to the app's OAuth consent screen.
Tip: You can test your app in the OAuth Playground.
Option 2: Authenticate as a service account
A service account is a special kind of account used by an application, rather than a person. You can use a service account to access data or perform actions by the robot account itself, or to access data on behalf of users. For more details, refer to Understanding service accounts.
Create a service account & credentials
- Open the Google Cloud Console.
- At the top, choose your Google Cloud project.
- At the top-left, click Menu > APIs & Services > Credentials.
- Click Create Credentials > Service account.
- Enter service account name, then click Create and continue.
- Optional: Assign roles to your service account to grant access to your Google Cloud project's resources. For more details, refer to Granting, changing, and revoking access to resources.
- Click Continue.
- Optional: Enter users or groups that can manage and perform actions with this service account. For more details, refer to Managing service account impersonation.
- Click Done. After a few minutes, your new service account appears in the "Service Accounts" list. (You might need to refresh the page.)
- In the "Service Accounts" list, click the service account you created.
- Click Keys > Add keys > Create new key.
- Select JSON, then click Create.
Your new public/private key pair is generated and downloaded to your machine as a new file. This file is the only copy of this key. For information about how to store your key securely, see Managing service account keys.
Authorize the service account in the Admin console
If you choose to authenticate requests as a service account, the organization's Chrome administrator needs to perform additional steps in the Admin console to complete the process.
The Chrome admin can either assign a role to the service account directly with the required admin role permissions, or the Chrome admin can set up domain-wide delegation so the service account can impersonate users with proper permissions and act on their behalf.
To set up domain-wide delegation for your service account, the Chrome admin needs to follow these steps in the Admin console:
- Open the Admin console.
- At the top-left, click Menu > Security > Access and data control > API controls.
- Click Manage Domain Wide Delegation.
- Click Add new.
- In the "Client ID" field, paste the client ID associated with your service account. Learn how to find your service account's client ID.
- In the "OAuth Scopes" field, enter a comma-delimited list of the scopes required by the service account application. This is the same set of scopes defined when configuring the OAuth consent screen.
- Click Authorize.
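As an added example (not Google's code and not part of this page), the following Python shows where the pieces of the service-account setup above end up: it reads the downloaded key file, extracts the client ID the Chrome admin pastes into Manage Domain Wide Delegation, pre-checks a request's HTTP method against the scope in use (readonly permits no mutations), and builds the JWT-bearer assertion a service account exchanges for an access token when impersonating an admin. The key file contents, the impersonated user and the signer are constructed placeholders.

```python
import base64
import json
import time

POLICY_SCOPE = "https://www.googleapis.com/auth/chrome.management.policy"
POLICY_READONLY_SCOPE = POLICY_SCOPE + ".readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"

# Constructed stand-in for the JSON key file downloaded in "Create a service
# account & credentials"; a real file holds a PEM private key and real IDs.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "client_email": "chrome-policy-bot@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": TOKEN_URI,
})

def delegation_client_id(key_file_text):
    """Numeric client_id the Chrome admin pastes into Manage Domain Wide Delegation."""
    return json.loads(key_file_text)["client_id"]

def scope_permits(scopes, http_method):
    """Pre-flight: readonly covers GET only; mutations need the full policy scope."""
    if POLICY_SCOPE in scopes:
        return True
    return POLICY_READONLY_SCOPE in scopes and http_method.upper() == "GET"

def delegation_claims(key_file_text, impersonated_user, scopes, now=None):
    """JWT-bearer claim set for domain-wide delegation (iss = service account, sub = impersonated admin)."""
    key = json.loads(key_file_text)
    now = int(time.time() if now is None else now)
    return {
        "iss": key["client_email"],
        "sub": impersonated_user,
        "scope": " ".join(scopes),   # must match the scopes authorized in the Admin console
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,           # Google accepts at most one hour of validity
    }

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_assertion(claims, signer):
    """header.payload.signature; `signer` must do RS256 over private_key (e.g. google-auth); tests pass a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(signer(signing_input.encode()))}"
```

The signed assertion is POSTed to token_uri with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer; the access token returned is then used as the Bearer token for Chrome Policy API requests.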
Step 4: Test your app in the OAuth Playground
- Open the Google Cloud Console.
- At the top, choose your Google Cloud project.
- At the top-left, click Menu > APIs & Services > Credentials.
- Click Create Credentials > OAuth client ID.
- Click Application type > Web application.
- In the "Name" field, type a name for the credential. This name is only shown in the Cloud Console.
- For the time of testing, add https://developers.google.com/oauthplayground to "Authorized redirect URIs." You can remove this redirect URI from your app when done testing, if needed.
- Click Create and copy the "client ID" and "client secret" to your clipboard.
- In a new tab, open the OAuth 2.0 Playground.
- At the top-right, click OAuth 2.0 configuration.
- Select Use your own OAuth credentials. Then, paste the "client ID" and "client secret" you copied in step 8 and click Close.
- At the left, follow the OAuth 2.0 Playground steps:
  - For "Step 1: Select & authorize APIs," add https://www.googleapis.com/auth/chrome.management.policy and any other needed API scopes, then click Authorize APIs.
  - For "Step 2: Exchange authorization code for tokens," you can optionally select Auto-refresh the token before it expires.
  - For "Step 3: Configure request to API," enter your Chrome Policy API request URI, modifying the "HTTP Method" and other settings, as needed. Example URL request: https://chromepolicy.googleapis.com/v1/customers/my_customer/policySchemas?filter=chrome.printers
Step 5: Verify your app is trusted
An organization's admin can mark apps as trusted or blocked in the Admin console. For more details, see Control which third-party & internal apps access Google Workspace data.