AI-generated Key Takeaways
-
Service accounts are the recommended authentication method for integrating with the SAS Portal API, requiring the creation of a service account with a JSON key and granting it the "Project Owner" role.
-
Authentication to the SAS Portal API is done using a Bearer token obtained through the
gcloudcommand-line tool by activating the service account and printing an access token. -
When calling the API, include the Bearer token in the
Authorizationheader of your request along with theX-Goog-User-Projectheader specifying your Google Cloud Project ID.
We strongly recommend that you use a service account for authentication when you integrate with the SAS Portal API. If necessary, create a service account. Be sure to select JSON as your key type when you create your service account key. Once complete, your service account key is downloaded to your browser's default location. Furthermore, be sure to grant the "Project Owner" role to the service account.
Next, you need to provide your service account authentication as a Bearer token. If you call the
SAS Portal API directly, such as by making an HTTP request with cURL, you pass your
authentication as a Bearer token in an Authorization header. To obtain a Bearer token
with your service account, follow these steps:
-
Install the
gcloudcommand line tool. -
Authenticate to your service account. In the following command, replace ${KEY_FILE} with the path to your service account key file:
gcloud auth activate-service-account --key-file ${KEY_FILE}
-
Use your service account to obtain an authorization token:
gcloud auth print-access-token
The command returns an access token value.
-
When you use the API, pass the token value as a Bearer token in an
Authorizationheader. See the following example:curl -X GET -H "X-Goog-User-Project: ${CLIENT_PROJECT}" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${TOKEN}" \ "https://sasportal.googleapis.com/v1alpha1/customers"
Set ${CLIENT_PROJECT} to the ID of the Google Cloud Project from which you make the requests, and then set ${TOKEN} to the authorization token.