# 1. Set restrictive permissions on the key file
chmod 600 service-account-key.json

# 2. Use Workload Identity Federation when possible (instead of keys)
# https://cloud.google.com/iam/docs/workload-identity-federation

# 3. Rotate keys regularly
gcloud iam service-accounts keys list --iam-account=$SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account=$SA_EMAIL

# 4. Audit key usage (the filter must be single-quoted so the inner double quotes reach gcloud intact)
gcloud logging read 'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"'

# 5. Use temporary credentials
gcloud auth print-access-token --impersonate-service-account=$SA_EMAIL

## 9. Troubleshooting

### Common Issues & Solutions

| Issue | Solution |
|-------|----------|
| Permission denied | Check IAM roles: `gcloud projects get-iam-policy PROJECT_ID` |
| Invalid JSON | Validate key: `jq . key.json` |
| Token expired | Re-authenticate: `gcloud auth revoke && gcloud auth activate...` |
| Project not set | Set project: `gcloud config set project PROJECT_ID` |
| Quota exceeded | Check quota: `gcloud services quota list` |

### Debug Commands

```bash
# Enable debug logging (note: --log-http prints request/response headers, including bearer tokens, so do not keep this output)
gcloud auth activate-service-account --key-file=key.json --log-http

# Check environment
gcloud info --run-diagnostics

# List all active accounts
gcloud auth list --filter="status=ACTIVE"
```

## 10. Cleanup & Logout

```bash
# Revoke service account access
gcloud auth revoke $SA_EMAIL

# Remove all credentials
gcloud auth revoke --all

# Clear application default credentials
rm -f ~/.config/gcloud/application_default_credentials.json
```

This feature provides a complete, production-ready implementation for authenticating with service accounts in Google Cloud, suitable for automation, CI/CD, and secure deployments.
    # Display current configuration
    if $VERBOSE; then
        echo ""
        log_info "Current configuration:"
        gcloud config list
        echo ""
        log_info "Auth info:"
        gcloud auth list
    fi
else
    log_error "Authentication failed"
    exit 1
fi

if $VERBOSE; then
    log_info "Testing access..."
    if gcloud projects describe "$(gcloud config get-value project 2>/dev/null)" &>/dev/null; then
        log_info "✓ Access test passed"
    else
        log_warn "Access test failed - check IAM permissions"
    fi
fi

## 4. Usage Examples

```bash
# Basic authentication
./gcloud-sa-login.sh --key-file ./my-key.json

# With project and verbose output
./gcloud-sa-login.sh -k ./my-key.json -p my-project -v

# Using jq to extract the email
# One-liner (the command substitution is quoted so an empty or unexpected result cannot be word-split)
gcloud auth activate-service-account \
  "$(jq -r .client_email key.json)" \
  --key-file=key.json
```

## 5. Verification Commands

```bash
# Check active account
gcloud auth list

# Get current account email
gcloud config get-value account

# Test authentication with an API call
gcloud projects list

# Get access token (useful for debugging)
gcloud auth print-access-token

# Get identity token
gcloud auth print-identity-token

# Check service account permissions
gcloud iam service-accounts get-iam-policy $SA_EMAIL
```

## 6. Docker Integration

```dockerfile
FROM google/cloud-sdk:latest

# Copy service account key
COPY service-account-key.json /tmp/gcloud-key.json

# Authenticate
RUN gcloud auth activate-service-account "$(jq -r .client_email /tmp/gcloud-key.json)" --key-file=/tmp/gcloud-key.json --project=my-project

# Clean up key for security
RUN rm /tmp/gcloud-key.json

# Set default project
ENV CLOUDSDK_CORE_PROJECT=my-project
```

Note: removing the key in a later `RUN` step does not remove it from the image — the `COPY` layer still contains it and it can be recovered from the image history. To keep the key out of the final image, authenticate inside a build stage that is not shipped (multi-stage build) or pass the key with a BuildKit secret mount (`RUN --mount=type=secret,...`) instead of `COPY`.

gcloud login with service account
if [[ ! -f "$KEY_FILE" ]]; then log_error "Key file not found: $KEY_FILE" exit 1 fi if ! jq empty "$KEY_FILE" 2>/dev/null; then log_error "Invalid JSON in key file: $KEY_FILE" exit 1 fi Extract service account email SA_EMAIL=$(jq -r .client_email "$KEY_FILE") if [[ -z "$SA_EMAIL" || "$SA_EMAIL" == "null" ]]; then log_error "Invalid service account key: missing client_email" exit 1 fi Rotate keys regularly gcloud iam service-accounts keys list