서비스 계정

서비스 계정은 애플리케이션에서 OAuth 2.0을 통해 프로그래매틱 방식으로 Google API에 액세스하는 데 사용할 수 있는 Google 계정의 한 유형입니다. 이 경우 사람의 승인이 필요하지 않으며 대신 내 애플리케이션만 액세스할 수 있는 키 파일을 사용합니다.

서비스 계정에 대해 자세히 알아보기 전에 OAuth 2.0이 설치된 애플리케이션 흐름을 구현하는 대신 훨씬 더 간단하고 권장되는 방법을 고려해 보세요. 이 방식에서는 사용자가 갱신 토큰을 생성하도록 애플리케이션을 수동으로 승인해야 하지만, 토큰은 만료되지 않으므로 한 번만 승인하면 됩니다.

아직 읽고 계시나요? 다음 방법 중 하나로 서비스 계정을 구현할 수 있습니다.

  • 사용자가 서로 다른 도메인에 있는 경우 서비스 계정을 Campaign Manager 360 사용자로 사용하여 구현하세요. 이렇게 하면 각 계정에서 새 사용자 프로필을 만들고 모두 단일 서비스 계정에 연결하여 여러 대행사에서 소유한 여러 계정에 연결할 수 있습니다. 이는 Campaign Manager 360에서 서비스 계정을 사용할 때 선호되는 방법입니다.
  • 관리자가 소유한 단일 도메인에 사용자가 있는 경우 도메인 전체 위임을 구현합니다. 이 경우 G Suite에 등록된 도메인에 대한 관리자 액세스 권한이 있어야 합니다. G Suite 또는 도메인 구성에 관한 도움말은 G Suite 지원 페이지를 참고하세요.

기본 요건

Campaign Manager 360 사용자로 서비스 계정을 구현하려면 Campaign Manager 360 사용자 탭을 선택합니다. 도메인 전체 위임을 구현하려면 아래의 위임 탭을 선택합니다.

<ph type="x-smartling-placeholder">
</ph> <ph type="x-smartling-placeholder">
</ph>
Campaign Manager 360 사용자

API 액세스가 사용 설정된 Campaign Manager 360 계정에 액세스할 수 있어야 합니다.

를 통해 개인정보처리방침을 정의할 수 있습니다. <ph type="x-smartling-placeholder">
</ph>
위임
  1. API 액세스가 사용 설정된 Campaign Manager 360 계정에 액세스할 수 있어야 합니다.
  2. G Suite에 등록된 도메인에 대한 관리자 액세스 권한이 있어야 합니다.
  3. G Suite에 등록된 도메인의 계정 하나 이상에 Campaign Manager 360 사용자 프로필이 연결되어 있어야 합니다. 다른 도메인(예: gmail.com)의 계정에 연결된 사용자 프로필은 사용할 수 없습니다.

서비스 계정 구성 및 사용

Campaign Manager 360 사용자로 서비스 계정을 사용하여 구현하려면 Campaign Manager 360 사용자 탭을 선택합니다. 도메인 전체 위임을 구현하려면 아래의 위임 탭을 선택합니다.

<ph type="x-smartling-placeholder">
</ph> <ph type="x-smartling-placeholder">
</ph>
Campaign Manager 360 사용자
  1. Google API 콘솔에서 서비스 계정 키를 생성합니다.

    주의: 승인된 Google 서비스에 대한 액세스 권한을 서비스 계정에 부여하는 키 파일을 보호하는 것이 중요합니다.
  2. 사용자 액세스 관리 고객센터 도움말에 설명된 대로 Campaign Manager 360 사용자 프로필을 이전 단계에서 받은 서비스 계정 이메일과 연결합니다.
  3. 새로 만든 서비스 계정을 사용하여 애플리케이션에 서버 간 OAuth 2.0 흐름을 구현합니다. 자세한 내용은 섹션을 참고하세요.
를 통해 개인정보처리방침을 정의할 수 있습니다.
를 통해 개인정보처리방침을 정의할 수 있습니다. <ph type="x-smartling-placeholder">
</ph>
위임
  1. Google API 콘솔에서 서비스 계정 키를 생성합니다.

    주의: 승인된 Google 서비스에 대한 액세스 권한을 서비스 계정에 부여하는 키 파일을 보호하는 것이 중요합니다. G Suite의 도메인 수준 제어를 통해 서비스 계정이 도메인에 있는 모든 사용자를 가장할 수 있기 때문에 도메인 전체 위임 흐름의 경우에 특히 그렇습니다. 또한 서비스 계정에서 하나의 Google API에만 액세스하도록 허용하는 것도 좋습니다 (다음 단계에서 설명하는 '범위' 필드 사용). 이는 서비스 계정의 키 파일이 도용된 경우 공격자가 액세스할 수 있는 데이터의 양을 완화하기 위한 예방 조치입니다.
  2. 이 서비스 계정에 도메인 전체 권한을 위임하여 도메인 내의 사용자를 가장할 수 있도록 허용합니다. 메시지가 표시되면 다음 API 범위를 입력합니다.
    범위 의미
    https://www.googleapis.com/auth/dfatrafficking Campaign Manager 360 트래피킹에 대한 읽기/쓰기 액세스 권한입니다.
    https://www.googleapis.com/auth/dfareporting Campaign Manager 360 보고에 대한 읽기/쓰기 액세스 권한입니다.
    https://www.googleapis.com/auth/ddmconversions Campaign Manager 360 오프라인 전환에 대한 읽기 및 쓰기 액세스 권한입니다.
  3. 새로 만든 서비스 계정을 사용하여 애플리케이션에 서버 간 OAuth 2.0 흐름을 구현합니다. 자세한 내용은 섹션을 참고하세요. 가장할 계정을 제공해야 하며 이 계정은 이전 단계에서 도메인 전체 권한을 위임받은 도메인에 속해야 합니다.

G Suite 또는 도메인 구성에 관한 도움말은 G Suite 지원 페이지를 참고하세요.

C#

/*
 * Copyright 2015 Google Inc
 *
 * Licensed under the Apache License, Version 2.0(the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

using Google.Apis.Auth.OAuth2;
using Google.Apis.Dfareporting.v4;
using Google.Apis.Dfareporting.v4.Data;
using Google.Apis.Json;
using Google.Apis.Services;
using System;
using System.Collections.Generic;
using System.IO;

namespace DfaReporting.Samples {
  /// <summary>
  /// This example demonstrates how to authenticate and make a basic request using a service
  /// account.
  /// </summary>
  class AuthenticateUsingServiceAccount : SampleBase {
    /// <summary>
    /// The OAuth 2.0 scopes to request.
    /// </summary>
    private static readonly IEnumerable<string> OAuthScopes = new[] {
      DfareportingService.Scope.Dfareporting
    };

    /// <summary>
    /// Returns a description about the code example.
    /// </summary>
    public override string Description {
      get {
        return "This example demonstrates how to authenticate and make a basic request" +
               " using a service account.\n";
      }
    }

    /// <summary>
    /// Main method, to run this code example as a standalone application.
    /// </summary>
    /// <param name="args">The command line arguments.</param>
    public static void Main(string[] args) {
      SampleBase codeExample = new AuthenticateUsingServiceAccount();
      Console.WriteLine(codeExample.Description);
      codeExample.Run(null);
    }

    /// <summary>
    /// Run the code example.
    /// </summary>
    /// <param name="service">Unused</param>
    public override void Run(DfareportingService service) {
      string pathToJsonFile = _T("ENTER_PATH_TO_JSON_FILE_HERE");

      // An optional Google account email to impersonate. Only applicable to service accounts which
      // have enabled domain-wide delegation and wish to make API requests on behalf of an account
      // within their domain. Setting this field will not allow you to impersonate a user from a
      // domain you don't own (e.g., gmail.com).
      string emailToImpersonate = _T("");

      // Build service account credential.
      ServiceAccountCredential credential =
          getServiceAccountCredential(pathToJsonFile, emailToImpersonate);

      // Create a Dfareporting service object.
      //
      // Note: application name should be replaced with a value that identifies your application.
      service = new DfareportingService(
          new BaseClientService.Initializer {
            HttpClientInitializer = credential,
            ApplicationName = "C# service account sample"
          }
      );

      // Retrieve and print all user profiles for the current authorized user.
      UserProfileList profiles = service.UserProfiles.List().Execute();

      foreach (UserProfile profile in profiles.Items) {
        Console.WriteLine("Found user profile with ID {0} and name \"{1}\".",
            profile.ProfileId, profile.UserName);
      }
    }

    private ServiceAccountCredential getServiceAccountCredential(String pathToJsonFile,
        String emailToImpersonate) {
      // Load and deserialize credential parameters from the specified JSON file.
      JsonCredentialParameters parameters;
      using (Stream json = new FileStream(pathToJsonFile, FileMode.Open, FileAccess.Read)) {
        parameters = NewtonsoftJsonSerializer.Instance.Deserialize<JsonCredentialParameters>(json);
      }

      // Create a credential initializer with the correct scopes.
      ServiceAccountCredential.Initializer initializer =
          new ServiceAccountCredential.Initializer(parameters.ClientEmail) {
            Scopes = OAuthScopes
          };

      // Configure impersonation (if applicable).
      if (!String.IsNullOrEmpty(emailToImpersonate)) {
        initializer.User = emailToImpersonate;
      }

      // Create a service account credential object using the deserialized private key.
      ServiceAccountCredential credential =
          new ServiceAccountCredential(initializer.FromPrivateKey(parameters.PrivateKey));

      return credential;
    }
  }
}

자바

// Copyright 2014 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.google.api.services.samples.dfareporting.auth;

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.dfareporting.Dfareporting;
import com.google.api.services.dfareporting.DfareportingScopes;
import com.google.api.services.dfareporting.model.UserProfileList;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import java.io.FileInputStream;

/**
 * This example demonstrates how to authenticate and make a basic request using a service account.
 */
public class AuthenticateUsingServiceAccount {
  private static final String PATH_TO_JSON_FILE = "ENTER_PATH_TO_JSON_FILE_HERE";

  /**
   * An optional Google account email to impersonate. Only applicable to service accounts which have
   * enabled domain-wide delegation and wish to make API requests on behalf of an account within
   * their domain. Setting this field will not allow you to impersonate a user from a domain you
   * don't own (e.g., gmail.com).
   */
  private static final String EMAIL_TO_IMPERSONATE = "";

  // The OAuth 2.0 scopes to request.
  private static final ImmutableSet<String> OAUTH_SCOPES =
      ImmutableSet.of(DfareportingScopes.DFAREPORTING);

  private static Credential getServiceAccountCredential(
      String pathToJsonFile, String emailToImpersonate) throws Exception {
    // Generate a credential object from the specified JSON file.
    GoogleCredential credential = GoogleCredential.fromStream(new FileInputStream(pathToJsonFile));

    // Update the credential object with appropriate scopes and impersonation info (if applicable).
    if (Strings.isNullOrEmpty(emailToImpersonate)) {
      credential = credential.createScoped(OAUTH_SCOPES);
    } else {
      credential =
          new GoogleCredential.Builder()
              .setTransport(credential.getTransport())
              .setJsonFactory(credential.getJsonFactory())
              .setServiceAccountId(credential.getServiceAccountId())
              .setServiceAccountPrivateKey(credential.getServiceAccountPrivateKey())
              .setServiceAccountScopes(OAUTH_SCOPES)
              // Set the email of the user you are impersonating (this can be yourself).
              .setServiceAccountUser(emailToImpersonate)
              .build();
    }

    return credential;
  }

  public static void runExample(Dfareporting reporting) throws Exception {
    // Retrieve and print all user profiles for the current authorized user.
    UserProfileList profiles = reporting.userProfiles().list().execute();
    for (int i = 0; i < profiles.getItems().size(); i++) {
      System.out.printf("%d) %s%n", i + 1, profiles.getItems().get(i).getUserName());
    }
  }

  public static void main(String[] args) throws Exception {
    // Build service account credential.
    Credential credential = getServiceAccountCredential(PATH_TO_JSON_FILE, EMAIL_TO_IMPERSONATE);

    // Create a Dfareporting client instance.
    //
    // Note: application name below should be replaced with a value that identifies your
    // application. Suggested format is "MyCompany-ProductName/Version.MinorVersion".
    Dfareporting reporting =
        new Dfareporting.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
            .setApplicationName("dfareporting-java-service-acct-sample")
            .build();

    runExample(reporting);
  }
}

PHP

<?php
/*
 * Copyright 2017 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

require_once dirname(__DIR__) . '/vendor/autoload.php';

/**
 * This example demonstrates how to authenticate and make a basic request using
 * a service account.
 *
 * This example is written to be run as a command line application, not as a
 * webpage. An optional Google account email to impersonate may be specified as
 * follows:
 *
 *     AuthenticateUsingServiceAccount.php /path/to/client_secrets.json <email>
 *
 * This optional flag only applies to service accounts which have domain-wide
 * delegation enabled and wish to make API requests on behalf of an account
 * within that domain. Using this flag will not allow you to impersonate a user
 * from a domain that you don't own (e.g., gmail.com).
 */
class AuthenticateUsingServiceAccount
{
    // The OAuth 2.0 scopes to request.
    private static $OAUTH_SCOPES = [
        Google_Service_Dfareporting::DFAREPORTING
    ];

    public function run($pathToJsonFile, $email = null)
    {
        // Create an authenticated client object.
        $client = $this->createAuthenticatedClient($pathToJsonFile, $email);

        // Create a Dfareporting service object.
        $service = new Google_Service_Dfareporting($client);

        $this->getUserProfiles($service);
    }

    private function createAuthenticatedClient($pathToJsonFile, $email)
    {
        // Create a Google_Client instance.
        //
        // Note: application name should be replaced with a value that identifies
        // your application. Suggested format is "MyCompany-ProductName".
        $client = new Google_Client();
        $client->setApplicationName('PHP service account sample');
        $client->setScopes(self::$OAUTH_SCOPES);

        // Load the service account credentials.
        $client->setAuthConfig($pathToJsonFile);

        // Configure impersonation (if applicable).
        if (!is_null($email)) {
            $client->setSubject($email);
        }

        return $client;
    }

    private function getUserProfiles($service)
    {
        // Retrieve and print all user profiles for the current authorized user.
        $result = $service->userProfiles->listUserProfiles();
        foreach ($result['items'] as $userProfile) {
            printf(
                "User profile \"%s\" (ID: %d) found for account %d.\n",
                $userProfile->getUserName(),
                $userProfile->getProfileId(),
                $userProfile->getAccountId()
            );
        }
    }
}

if ($argc < 2 || $argc >= 4) {
    printf(
        "Usage: %s /path/to/client_secrets.json [email_to_impersonate]\n",
        $argv[0]
    );
} else {
    $sample = new AuthenticateUsingServiceAccount();

    if ($argc == 2) {
        $sample->run($argv[1]);
    } else {
        $sample->run($argv[1], $argv[2]);
    }
}

Python

#!/usr/bin/python
#
# Copyright 2015 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""This example demonstrates how to authenticate using a service account.

An optional Google account email to impersonate may be specified as follows:
    authenticate_using_service_account.py <path_to_json_file> -i <email>

This optional flag only applies to service accounts which have domain-wide
delegation enabled and wish to make API requests on behalf of an account
within that domain. Using this flag will not allow you to impersonate a
user from a domain you don't own (e.g., gmail.com).
"""

import argparse
import sys

from googleapiclient import discovery
import httplib2
from oauth2client import client
from oauth2client import tools
from oauth2client.service_account import ServiceAccountCredentials

# Declare command-line flags.
argparser = argparse.ArgumentParser(add_help=False)
argparser.add_argument(
    'path_to_service_account_json_file',
    help='Path to the service account JSON file to use for authenticating.')
argparser.add_argument(
    '-i',
    '--impersonation_email',
    help='Google account email to impersonate.')

# The OAuth 2.0 scopes to request.
OAUTH_SCOPES = ['https://www.googleapis.com/auth/dfareporting']


def main(argv):
  # Retrieve command line arguments.
  parser = argparse.ArgumentParser(
      description=__doc__,
      formatter_class=argparse.RawDescriptionHelpFormatter,
      parents=[tools.argparser, argparser])
  flags = parser.parse_args(argv[1:])

  # Authenticate using the supplied service account credentials
  http = authenticate_using_service_account(
      flags.path_to_service_account_json_file,
      flags.impersonation_email)

  # Construct a service object via the discovery service.
  service = discovery.build('dfareporting', 'v4', http=http)

  try:
    # Construct the request.
    request = service.userProfiles().list()

    # Execute request and print response.
    response = request.execute()

    for profile in response['items']:
      print('Found user profile with ID %s and user name "%s".' %
            (profile['profileId'], profile['userName']))

  except client.AccessTokenRefreshError:
    print('The credentials have been revoked or expired, please re-run the '
          'application to re-authorize')


def authenticate_using_service_account(path_to_service_account_json_file,
                                       impersonation_email):
  """Authorizes an httplib2.Http instance using service account credentials."""
  # Load the service account credentials from the specified JSON keyfile.
  credentials = ServiceAccountCredentials.from_json_keyfile_name(
      path_to_service_account_json_file,
      scopes=OAUTH_SCOPES)

  # Configure impersonation (if applicable).
  if impersonation_email:
    credentials = credentials.create_delegated(impersonation_email)

  # Use the credentials to authorize an httplib2.Http instance.
  http = credentials.authorize(httplib2.Http())

  return http


if __name__ == '__main__':
  main(sys.argv)

Ruby

#!/usr/bin/env ruby

#
# Copyright:: Copyright 2016, Google Inc. All Rights Reserved.
#
# License:: Licensed under the Apache License, Version 2.0 (the "License");
#           you may not use this file except in compliance with the License.
#           You may obtain a copy of the License at
#
#           http://www.apache.org/licenses/LICENSE-2.0
#
#           Unless required by applicable law or agreed to in writing, software
#           distributed under the License is distributed on an "AS IS" BASIS,
#           WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
#           implied.
#           See the License for the specific language governing permissions and
#           limitations under the License.
#
# This example demonstrates how to authenticate using a service account.
#
# An optional Google account email to impersonate may be specified as follows:
#    authenticate_using_service_account.rb <path_to_json_file> --i <email>
#
# This optional flag only applies to service accounts which have domain-wide
# delegation enabled and wish to make API requests on behalf of an account
# within that domain. Using this flag will not allow you to impersonate a
# user from a domain you don't own (e.g., gmail.com).

require 'google/apis/dfareporting_v4'
require 'googleauth'
require 'optparse'

API_NAMESPACE = Google::Apis::DfareportingV4

def authenticate_using_service_account(path_to_json_file, impersonation_email)
  # Create a Dfareporting service object.
  #
  # Note: application name should be replaced with a value that identifies
  # your application. Suggested format is "MyCompany-ProductName".
  service = API_NAMESPACE::DfareportingService.new
  service.client_options.application_name = 'Ruby service account sample'
  service.client_options.application_version = '1.0.0'

  # Generate an authorization object from the specified JSON file.
  File.open(path_to_json_file, 'r+') do |json|
    service.authorization =
      Google::Auth::ServiceAccountCredentials.make_creds(
        json_key_io: json,
        scope: [API_NAMESPACE::AUTH_DFAREPORTING]
      )
  end

  # Configure impersonation (if applicable).
  service.authorization.sub = impersonation_email unless
    impersonation_email.nil?

  service
end

def get_userprofiles(service)
  # Get all user profiles.
  result = service.list_user_profiles

  # Display results.
  result.items.each do |profile|
    puts format(
      'User profile with ID %d and name "%s" was found for account %d.',
      profile.profile_id, profile.user_name, profile.account_id
    )
  end
end

if $PROGRAM_NAME == __FILE__
  # Retrieve command line arguments.
  impersonation_email = nil
  optparse = OptionParser.new do |opts|
    opts.banner = format('Usage: %s path_to_json_file [options]', $PROGRAM_NAME)
    opts.on_tail('-i', '--impersonate EMAIL',
      'Google account email to impersonate') do |email|
      impersonation_email = email
    end
  end
  optparse.parse!

  if ARGV.empty?
    puts optparse
    exit(-1)
  end

  # Authenticate and initialize API service using service account.
  service = authenticate_using_service_account(ARGV.shift, impersonation_email)

  get_userprofiles(service)
end