This document describes how to authenticate to Dataform programmatically. How you authenticate to Dataform depends on the interface you use to access the API and the environment where your code is running.

For more information about Google Cloud authentication, see theAuthentication methods.

API access

Dataform supports programmatic access. You can access the API in the following ways:

• Client libraries
• REST

Client libraries

TheDataform client libraries provide high-level language support for authenticating to Dataform programmatically. To authenticate calls to Google Cloud APIs, client libraries supportApplication Default Credentials (ADC);the libraries look for credentials in a set of defined locations and use those credentialsto authenticate requests to the API. With ADC, you can makecredentials available to your application in a variety of environments, such as localdevelopment or production, without needing to modify your application code.

REST

You can authenticate tothe Dataform API by using your gcloud CLI credentials or by usingApplication Default Credentials. For more information about authentication for REST requests, seeAuthenticate for using REST. For information about the types of credentials, seegcloud CLI credentials and ADC credentials.

Set up authentication for Dataform

How you set up authentication depends on the environment where your code is running.

The following options for setting up authentication are the most commonly used. For more options and information about authentication, seeAuthentication methods.

For a local development environment

You can set up credentials for a local development environment in the following ways:

• User credentials for client libraries or third-party tools
• User credentials for REST requests from the command line
• Service account impersonation

Client libraries or third-party tools

Set upApplication Default Credentials (ADC) in your local environment:

1. Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:

   gcloudinit

   If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

2. If you're using a local shell, then create local authentication credentials for your user account:

   gcloudauthapplication-defaultlogin

   You don't need to do this if you're using Cloud Shell.

   If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

   A sign-in screen appears. After you sign in, your credentials are stored in the local credential file used by ADC.

For more information about working with ADC in a local environment, seeSet up ADC for a local development environment.

REST requests from the command line

When you make a REST request from the command line, you can use your gcloud CLI credentials by includinggcloud auth print-access-token as part of the command that sends the request.

The following example lists service accounts for the specified project. You can use the same pattern for any REST request.

Before using any of the request data, make the following replacements:

• PROJECT_ID: Your Google Cloud project ID.

To send your request, expand one of these options:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts" | Select-Object -Expand Content

For more information about authenticating using REST and gRPC, seeAuthenticate for using REST. For information about the difference between your local ADC credentials and your gcloud CLI credentials, seegcloud CLI authentication configuration and ADC configuration.

Service account impersonation

In most cases, you can use your user credentials to authenticate from a local development environment. If that is not feasible, or if you need to test the permissions assigned to a service account, you can use service account impersonation. You must have theiam.serviceAccounts.getAccessToken permission, which is included in theService Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role.

You can set up the gcloud CLI to use service account impersonation by using thegcloud config set command:

gcloudconfigsetauth/impersonate_service_accountSERVICE_ACCT_EMAIL

For select languages, you can use service account impersonation to create a local ADC file for use by client libraries. This approach is supported only for the Go, Java, Node.js, and Python client libraries—it is not supported for the other languages. To set up a local ADC file with service account impersonation, use the--impersonate-service-account flag with thegcloud auth application-default login command:

gcloudauthapplication-defaultlogin--impersonate-service-account=SERVICE_ACCT_EMAIL

For more information about service account impersonation, seeUse service account impersonation.

Access control for Dataform

After you authenticate to Dataform, you must be authorized to access Google Cloud resources. Dataform uses Identity and Access Management (IAM) for authorization.

For more information about the roles for Dataform, seeAccess control with IAM. For more information about IAM and authorization, seeIAM overview.

What's next

• Learn aboutGoogle Cloud authentication methods.
• See a list ofauthentication use cases.