To access Google Cloud products and services programmatically, you use Cloud APIs. These APIs expose a simple JSON REST interface. The recommended way to access the Cloud APIs is to use the Cloud Client Libraries.
Cloud Code makes it easy to add the Cloud Client Libraries for the Cloud APIs and language you're using to your project. In the same view, you can search for samples for each API and easily incorporate samples into your application.
To explore all available Google Cloud APIs:
Click 
Cloud Code and then expand the Cloud APIs
section.
The Cloud APIs view groups Cloud APIs by category.
To view details of an API, click the API name. Details such as the service name, status, installation instructions for client libraries, documentation, and code samples are displayed.
In addition to exploring and enabling Cloud APIs using Cloud Code, you can add a language-specific client library to your project.
To install a client library, follow the instructions on the API details page for your language.
You can search for and use code samples for each API in the API browser.
Click Cloud Code and then expand the Cloud APIs
section.
To open the detail view, click the name of an API.
To view code samples for the API, click Code Samples.
To filter the list of samples, type text to search for or choose a programming language from the Language list.
To view a sample, click the name of the sample. There are also options to copy the sample to your clipboard or view the sample in GitHub.
After you've enabled the required APIs and added the necessary client libraries, you need to configure your application for it to be successfully authenticated. Your configuration depends on your type of development and the platform you're running on.
After you complete the authentication steps, your application can authenticate and is ready to be deployed.
The Cloud Shell VM instance uses the Compute Engine default service account (the service account Google Kubernetes Engine uses by default) as its default service account. This means that when developing with Cloud Code on Cloud Shell, you don't need to set up any additional configuration when working with client libraries. Your application is authenticated and ready to run locally.
Some APIs, such as the Cloud Translation API, require a service account with appropriate permissions to authenticate your requests. For more information, see Creating and managing service accounts.
To open a terminal, click Terminal > New Terminal.
Create a service account to authenticate your API requests:
gcloud iam service-accounts create \ SERVICE_ACCOUNT_ID \ --project PROJECT_ID
Replace the following values:
SERVICE_ACCOUNT_ID: the service account IDPROJECT_ID: the project IDTo find these IDs, in Google Cloud, click the Navigation menu at the top-left of the screen, hold your pointer over IAM & Admin and click Service Accounts.
The Email column shows the unique
SERVICE_ACCOUNT_ID and
PROJECT_ID for each of your service accounts in the
following format:
SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com
For example: A service account email address of
my-service-account@my-project.iam.gserviceaccount.com has the following
values:
SERVICE_ACCOUNT_ID: my-service-accountPROJECT_ID: my-projectGrant your service account the appropriate role. The following sample command grants the Cloud Translation API User role. To determine the role to grant, see the documentation for the Cloud API you're using.
gcloud projects \ add-iam-policy-binding \ PROJECT_ID \ --member='serviceAccount:SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com' \ --role='roles/cloudtranslate.user'
Create a service account key:
gcloud iam service-accounts keys \ create key.json --iam-account \ SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com
Set the key as your default credentials:
export \
GOOGLE_APPLICATION_CREDENTIALS=key.json
Optional: To permit users to
impersonate the service account,
run the gcloud iam service-accounts add-iam-policy-binding
command to grant a user the Service Account User role
(roles/iam.serviceAccountUser) on the service account:
gcloud iam service-accounts add-iam-policy-binding \ SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \ --member="user:USER_EMAIL" \ --role="roles/iam.serviceAccountUser"
Replace the following values:
USER_EMAIL: the email address for the user.spec.serviceAccountName field in your
Kubernetes Deployment YAML file. If you're working on an app created from a
Cloud Code sample application, this file is located under the
kubernetes-manifests folder.
Depending on the scope of your project, you can choose how you authenticate Google Cloud services on GKE:
If you're developing remotely, using a service account for authentication, and your application uses secrets, you need to complete a few more steps in addition to the remote development instructions. These steps assign your Google service account the role required to access a particular Secret Manager secret:
Click Cloud Code and then expand the
Secret Manager section.
Right-click the secret and select Edit Permissions in Cloud console. This launches the Secret Manager configuration page for that secret in your web browser.
In Google Cloud console, click Permissions and then click Add.
In the New principals field, enter the name of your service account.
In the Select a role field, choose the Secret Manager Secret Accessor role.
Click Save.
Your service account now has permission to access this particular secret.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-06-11 UTC.