Python quickstart for customers using a service account
Follow the steps in this quickstart guide, and in about 10 minutes you'll have a simple Python command-line app that makes requests to the zero-touch enrollment customer API using a service account.
Prerequisites
To run this quickstart, you need:
- A service account that's linked to your zero-touch enrollment customer account. See Get started.
- Python 3.0 or greater.
- The pip package management tool.
- Access to the internet and a web browser.
Step 1: Turn on the zero-touch enrollment API
- Use this wizard to create or select a project in the Google Developers Console and automatically turn on the API. Click Continue, then Go to credentials.
- Set What data will you be accessing? to Application data.
- Click Next. You should be prompted to create a service account.
- Give a descriptive name for Service account name.
- Note the Service account ID (it looks like an email address) because you'll use it later.
- Set Role to Service Accounts > Service Account User.
- Click Done to finish creating the service account.
- Click the email address for the service account that you created.
- Click Keys.
- Click Add key, then click Create new key.
- For Key type, select JSON.
- Click Create and the private key downloads to your computer.
- Click Close.
- Move the file to your working directory and rename it service_account_key.json.

Warning: Service account keys can become a security risk if not managed carefully. For advice see best practices for managing API keys (https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys).
Step 2: Install the Google client library
Run the following command to install the library using pip:
pip install --upgrade google-api-python-client oauth2client
See the library's installation page for different installation options.
Step 3: Set up the sample
Create a file named quickstart.py in your working directory. Copy in the following code and save the file.
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Zero-touch enrollment quickstart sample.

This script forms the quickstart introduction to the zero-touch enrollment
customer API. To learn more, visit https://developer.google.com/zero-touch
"""

import sys

from apiclient import discovery
import httplib2
from oauth2client.service_account import ServiceAccountCredentials

# A single auth scope is used for the zero-touch enrollment customer API.
SCOPES = ['https://www.googleapis.com/auth/androidworkzerotouchemm']
SERVICE_ACCOUNT_KEY_FILE = 'service_account_key.json'


def get_credential():
  """Creates a Credential object with the correct OAuth2 authorization.

  Uses the service account key stored in SERVICE_ACCOUNT_KEY_FILE.

  Returns:
    Credentials, the user's credential.
  """
  credential = ServiceAccountCredentials.from_json_keyfile_name(
      SERVICE_ACCOUNT_KEY_FILE, SCOPES)

  if not credential or credential.invalid:
    print('Unable to authenticate using service account key.')
    # Exit with a non-zero status so callers can detect the failure.
    sys.exit(1)
  return credential


def get_service():
  """Creates a service endpoint for the zero-touch enrollment API.

  Builds and returns an authorized API client service for v1 of the API. Use
  the service endpoint to call the API methods.

  Returns:
    A service Resource object with methods for interacting with the service.
  """
  http_auth = get_credential().authorize(httplib2.Http())
  return discovery.build('androiddeviceprovisioning', 'v1', http=http_auth)


def main():
  """Runs the zero-touch enrollment quickstart app."""
  # Create a zero-touch enrollment API service endpoint.
  service = get_service()

  # Get the customer's account. Because a customer might have more
  # than one, limit the results to the first account found.
  response = service.customers().list(pageSize=1).execute()

  if 'customers' not in response:
    # No accounts found for the user. Confirm the Google Account
    # that authorizes the request can access the zero-touch portal.
    print('No zero-touch enrollment account found.')
    sys.exit(1)
  customer_account = response['customers'][0]['name']

  # Send an API request to list all the DPCs available using the customer
  # account.
  results = service.customers().dpcs().list(parent=customer_account).execute()

  # Print out the details of each DPC. The 'dpcs' key is read with a default
  # so that a response without any DPCs does not raise KeyError.
  for dpc in results.get('dpcs', []):
    # Some DPCs may not have a name, so replace with a marker.
    dpc_name = dpc.get('dpcName', '-')
    print('Name:{0} APK:{1}'.format(dpc_name, dpc['packageName']))


if __name__ == '__main__':
  main()
```
Step 4: Add your service account key
Copy the service_account_key.json you downloaded when you created your service account into your working directory.
Step 5: Run the sample
Use your operating system's help to run the script in the file. On UNIX and Mac
computers, run the command below in your terminal:
python quickstart.py
Notes
- Avoid sharing your service_account_key.json file with anyone. Be careful not to include it in source code repositories. You can read more advice on handling service account secrets.
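A preflight check for the note above, as an added example that is not part of the original quickstart or of Google's client library: it flags a key file that other local users can access, that is not a service account key, or that sits unignored in a git working tree. The function names, the findings text and the sample key are assumptions made for this illustration, and the .gitignore test is a deliberate simplification.

```python
import json
import stat
import tempfile
from pathlib import Path

KEY_FILE = "service_account_key.json"  # file name used by the quickstart


def repo_root(path):
    """Return the nearest parent directory containing .git, or None."""
    for directory in Path(path).resolve().parents:
        if (directory / ".git").exists():
            return directory
    return None


def audit_key_file(path):
    """Return findings for a key file; an empty list means every check passed."""
    path, findings = Path(path), []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX permission bits
        findings.append("mode %o lets group/other access the key; use 600" % mode)
    key = json.loads(path.read_text(encoding="utf-8"))
    if key.get("type") != "service_account" or "private_key" not in key:
        findings.append("file is not a service account key")
    root = repo_root(path)
    if root is not None:
        # Simplification: only an exact file-name line in the top-level
        # .gitignore counts; `git check-ignore` is the authoritative test.
        ignore = root / ".gitignore"
        rules = ignore.read_text().splitlines() if ignore.exists() else []
        if path.name not in rules:
            findings.append("key is in a git working tree and not ignored")
    return findings


def demo():
    """Audit a constructed key in a throwaway repo, before and after hardening."""
    with tempfile.TemporaryDirectory() as work:
        (Path(work) / ".git").mkdir()
        key = Path(work) / KEY_FILE
        key.write_text(json.dumps({"type": "service_account",  # constructed sample
                                   "private_key": "CONSTRUCTED-PLACEHOLDER"}))
        key.chmod(0o644)
        before = audit_key_file(key)
        key.chmod(0o600)
        (Path(work) / ".gitignore").write_text(KEY_FILE + "\n")
        return before, audit_key_file(key)
```

Calling `audit_key_file(KEY_FILE)` from the working directory before running quickstart.py gives the same list of findings for the real key.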
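Learn more
- Google Developers Console help documentation
- Google APIs Client for Python documentation
- pip User Guide (https://pip.pypa.io/en/stable/user_guide/)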
Last updated 2025-08-28 UTC.