The gcloud CLI and p12 service account keys

Stay organized with collections Save and categorize content based on your preferences.

The gcloud CLI allows developers to use private keys to authenticate with service accounts, also known as robot accounts. This page describes how to create and use p12 keys of service accounts for the Google Cloud.

Install pyca/cryptography

The pyca/cryptography library (version >= 2.5) allows the gcloud CLI to decode the p12 format key files that identify a service account. Because it includes cryptographical routines, pyca/cryptography is not distributed with the gcloud CLI.

If your system has pip, the command-line interface to the Python Package Index, installed, to install pyca/cryptography, run the following command. Refer to Installation Instruction for more information.

python -m pip install cryptography

CLOUDSDK_PYTHON_SITEPACKAGES=1

Once pyca/cryptography is installed, you will need to set the CLOUDSDK_PYTHON_SITEPACKAGES environment variable to 1. This environment variable setting tells the gcloud CLI that it should look outside of its own google-cloud-sdk/lib directory for libraries to include. It is generally safe to set CLOUDSDK_PYTHON_SITEPACKAGES=1, but if something stops working you may need to undo it.

Creating a service account

To create a new service account and download a p12 key file, follow the steps in Creating service account keys.

This key file should be considered a secret, and you should take precautions to make sure that it is not accessible by untrusted parties. On unix-like systems, you can ensure that a file is not visible to other remotely connected users (other than a root user) by using the following command.

chmod 0600 YOUR_KEY_FILE.p12

Using your service account with the gcloud CLI

Service account credentials can be enabled by using gcloud auth activate-service-account.

To use your service account with the gcloud CLI, run gcloud auth activate-service-account and pass it the path to your key file with the required --key-file flag, and give it an account as a positional argument.

The account you use should be the email for the service account listed in the Google Cloud console, but it will not be verified; it only helps you remember which account you are using.

gcloud auth activate-service-account --key-file ~/mykeys/my_key_file.p12 my_service_account@developer.gserviceaccount.com
Activated service account credentials for my_service_account@developer.gserviceaccount.com.

WARNING: The gcloud auth activate-service-account will make a copy of your private key and store it in $HOME/.config/gcloud/legacy_credentials/my_service_account@developer.gserviceaccount.com/private_key.p12 and $HOME/.config/gcloud/credentials.db. It will be created with 0600 permissions (read/write for your own user only), and everything stored in $HOME/.config/gcloud should be considered a secret already. To reliably and confidently delete any authentication data stored by the gcloud CLI, one only has to delete $HOME/.config/gcloud. Secure management of the key file downloaded from the Google Cloud console is left to the user. When in doubt, revoke the key in the Google Cloud console.

Now that the service account has been activated, it can be seen in the credentials list.

gcloud auth list
        Credentialed Accounts
ACTIVE    ACCOUNT
*         my_service_account@developer.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account my_service_account@developer.gserviceaccount.com

Back to top