This topic shows how to quickly authenticate to a Google Cloud API for testing purposes. It does not show how to authenticate to non-Google Cloud APIs, such as the Google Maps Platform APIs. For information about API keys for Google Maps Platform APIs and SDKs, see the Google Maps documentation.
Before proceeding, we recommend that all Google Cloud developers first read the Authentication overview topic to understand how authentication works in Google Cloud, including common scenarios and strategies. Additionally, before deploying an application to a production environment, ensure that you've read Authenticating as a service account.
Creating a service account
Create a service account:
In the console, go to the Create service account page.
In the Service account name field, enter a name. The console fills
in the Service account ID field based on this name.
In the Service account description field, enter a description. For example,
To provide access to your project, grant the following role(s) to your
service account: Project > Owner.
In the Select a role list, select a role.
For additional roles, click
Click Done to finish creating the service account.
Do not close your browser window. You will use it in the next step.
Create a service account key:
Console
Service account for quickstart
.
Set up authentication:
Create the service account:
Replace
Grant roles to the service account. Run the following command once for each of the
following IAM roles:
Replace the following:
Generate the key file:
Replace the following:
gcloud
gcloud iam service-accounts create NAME
NAME
with a name for the service account.
roles/owner
:
gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE
SERVICE_ACCOUNT_NAME
: the name of the service accountPROJECT_ID
: the project ID where you created the service accountROLE
: the role to grantgcloud iam service-accounts keys create FILE_NAME.json --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
FILE_NAME
: a name for the key fileSERVICE_ACCOUNT_NAME
: the name of the service accountPROJECT_ID
: the project ID where you created the service account
Setting the environment variable
To use service accounts with the Google Cloud CLI, you need to set an environment variable where your code runs.
Provide authentication credentials to your application code by setting the
environment variable GOOGLE_APPLICATION_CREDENTIALS
. This
variable applies only to your current shell session. If you want the variable
to apply to future shell sessions, set the variable in your shell startup file,
for example in the ~/.bashrc
or ~/.profile
file.
Linux or macOS
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH
"
Replace KEY_PATH
with the path of the JSON file that contains your service account key.
For example:
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
Windows
For PowerShell:
$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH
"
Replace KEY_PATH
with the path of the JSON file that contains your service account key.
For example:
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
For command prompt:
set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH
Replace KEY_PATH
with the path of the JSON file that contains your service account key.
Setting the environment variable allows you to provide credentials separately from your application, without making changes to application code when you deploy. Alternately, you can explicitly specify the path to the service account key file in your code. For more information, see Authenticating as a service account.
Verifying authentication
After setting the environment variable, you don't need to explicitly specify your credentials in code when using a Google Cloud client library. The client library can determine your credentials implicitly. For this reason, you can verify that authentication works by setting the environment variable, and then running client library code, such as the following example. If the request succeeds, authentication works.
C#
Go
Java
Node.js
PHP
Python
Ruby
What's next
- Learn about authenticating to a Google Cloud API
- Learn about authenticating as an end user
- Learn about authenticating as a service account
- Learn about using API keys
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free