The following example shows a helper function to update the approval state
using the Python HTTP library:
"""Example script to use the approve method of the Devices API."""importpprintfromsix.movesimporturllibimportgoogle.auth.transport.requestsfromgoogle.oauth2importservice_accountSCOPES=['https://www.googleapis.com/auth/cloud-identity.devices']BASE_URL='https://cloudidentity.googleapis.com/v1/'# Change this to the location of the service account keySA_FILE=''# Enter the administrator to call as here.ADMIN_EMAIL=''# Enter the Device User Resource Name. You can get this from the value# of the name field in the results of a List method callRESOURCE_NAME=''ifnotSA_FILE:print('Please specify the location of the service account key file')ifnotADMIN_EMAIL:print('Please specify the email of the administrator to call as')ifnotRESOURCE_NAME:print('Please specify the Device User Resource Name to be approved')ifnotSA_FILEornotADMIN_EMAILornotRESOURCE_NAME:exit(-1)defcreate_delegated_credentials(user_email):credentials=service_account.Credentials.from_service_account_file(SA_FILE,scopes=['https://www.googleapis.com/auth/cloud-identity.devices'])delegated_credentials=credentials.with_subject(user_email)returndelegated_credentials####################################################################### AUTHENTICATE the service account and retrieve an oauth2 access tokenrequest=google.auth.transport.requests.Request()dc=create_delegated_credentials(ADMIN_EMAIL)dc.refresh(request)print('Access token: '+dc.token+'\n')################################ Approve the DeviceUserheader={'authorization':'Bearer '+dc.token,'Content-Type':'application/json'}action_url=BASE_URL+RESOURCE_NAME+':approve'request=urllib.request.Request(action_url,None,headers=header)request.get_method=lambda:'POST'try:approve_response=urllib.request.urlopen(request)excepturllib.error.HTTPErrorase:ife.code==400:print('The request was invalid. Perhaps the device is already approved?')else:print('Unknown error occurred')exit(-1)pp=pprint.PrettyPrinter(indent=4)pp.pprint(approve_response)
Note that RESOURCE_NAME would be set to the name of the resource retrieved
from a device resource.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis page details the process of updating the approval state for a device user.\u003c/p\u003e\n"],["\u003cp\u003eThe REST API method \u003ccode\u003edevices.deviceUsers.approve()\u003c/code\u003e is used to update the approval state, requiring a device name and customer object.\u003c/p\u003e\n"],["\u003cp\u003eA Python HTTP example is provided, demonstrating a helper function to update the approval state.\u003c/p\u003e\n"],["\u003cp\u003eThe Python example utilizes a service account key and an administrator's email to generate delegated credentials for authentication.\u003c/p\u003e\n"],["\u003cp\u003eBefore running the example code you must specify the service account key location, the email of the admin to call as, and the Device User Resource Name.\u003c/p\u003e\n"]]],[],null,["# Approving a device\n==================\n\nThe following examples shows you how to update the approval state for a user. \n\n### REST\n\nTo update the approval state, call\n[`devices.deviceUsers.approve()`](/identity/docs/reference/rest/v1/devices.deviceUsers/approve)\nwith a device name and customer object.\n\n### Python HTTP\n\nThe following example shows a helper function to update the approval state\nusing the Python HTTP library: \n\n \"\"\"Example script to use the approve method of the Devices API.\"\"\"\n import pprint\n\n from six.moves import urllib\n\n import google.auth.transport.requests\n from google.oauth2 import service_account\n\n SCOPES = ['https://www.googleapis.com/auth/cloud-identity.devices']\n BASE_URL = 'https://cloudidentity.googleapis.com/v1/'\n\n # Change this to the location of the service account key\n SA_FILE = ''\n\n # Enter the administrator to call as here.\n ADMIN_EMAIL = ''\n\n # Enter the Device User Resource Name. You can get this from the value\n # of the name field in the results of a List method call\n RESOURCE_NAME = ''\n\n if not SA_FILE:\n print('Please specify the location of the service account key file')\n if not ADMIN_EMAIL:\n print('Please specify the email of the administrator to call as')\n if not RESOURCE_NAME:\n print('Please specify the Device User Resource Name to be approved')\n\n if not SA_FILE or not ADMIN_EMAIL or not RESOURCE_NAME:\n exit(-1)\n\n def create_delegated_credentials(user_email):\n credentials = service_account.Credentials.from_service_account_file(\n SA_FILE,\n scopes=['https://www.googleapis.com/auth/cloud-identity.devices'])\n\n delegated_credentials = credentials.with_subject(user_email)\n\n return delegated_credentials\n\n ######################################################################\n # AUTHENTICATE the service account and retrieve an oauth2 access token\n\n request = google.auth.transport.requests.Request()\n dc = create_delegated_credentials(ADMIN_EMAIL)\n dc.refresh(request)\n print('Access token: ' + dc.token + '\\n')\n\n ###############################\n # Approve the DeviceUser\n header = {\n 'authorization': 'Bearer ' + dc.token,\n 'Content-Type': 'application/json'\n }\n\n action_url = BASE_URL + RESOURCE_NAME + ':approve'\n request = urllib.request.Request(action_url, None, headers=header)\n request.get_method = lambda: 'POST'\n\n try:\n approve_response = urllib.request.urlopen(request)\n except urllib.error.HTTPError as e:\n if e.code == 400:\n print('The request was invalid. Perhaps the device is already approved?')\n else:\n print('Unknown error occurred')\n exit(-1)\n\n pp = pprint.PrettyPrinter(indent=4)\n pp.pprint(approve_response)\n\nNote that `RESOURCE_NAME` would be set to the name of the resource retrieved\nfrom a device resource."]]
