The gcloud CLI allows developers to use private keys to authenticate with service accounts, also known as robot accounts. This page describes how to create and use p12 keys of service accounts for Google Cloud.
The pyca/cryptography library (version 2.5 or later) allows the gcloud CLI to decode the p12 format key files that identify a service account. Because it includes cryptographic routines, pyca/cryptography is not distributed with the gcloud CLI.
If your system has pip, the command-line interface to the Python Package Index, installed, run the following command to install pyca/cryptography. Refer to the installation instructions for more information.
python -m pip install cryptography
Once pyca/cryptography is installed, you will need to set the CLOUDSDK_PYTHON_SITEPACKAGES environment variable to 1. This environment variable setting tells the gcloud CLI that it should look outside of its own google-cloud-sdk/lib directory for libraries to include. It is generally safe to set CLOUDSDK_PYTHON_SITEPACKAGES=1, but if something stops working you may need to undo it.
Creating a service account
To create a new service account and download a p12 key file, follow the steps in Creating service account keys.
This key file should be considered a secret, and you should take precautions to make sure that it is not accessible by untrusted parties. On Unix-like systems, you can ensure that a file is not visible to other remotely connected users (other than a root user) by using the following command.
chmod 0600 YOUR_KEY_FILE.p12
Using your service account with the gcloud CLI
Service account credentials can be enabled by using gcloud auth activate-service-account.
To use your service account with the gcloud CLI, run gcloud auth activate-service-account and pass it the path to your key file with the required --key-file flag, and give it an account as a positional argument.
The account you use should be the email for the service account listed in the Google Cloud console, but it will not be verified; it only helps you remember which account you are using.
gcloud auth activate-service-account --key-file ~/mykeys/my_key_file.p12 firstname.lastname@example.org
Activated service account credentials for email@example.com.
gcloud auth activate-service-account will
make a copy of your private key and store it in
It will be created with 0600 permissions (read/write for your own user only), and everything stored in $HOME/.config/gcloud should be considered a secret already. To reliably and confidently delete any authentication data stored by the gcloud CLI, you only have to delete $HOME/.config/gcloud. Secure management of the key file downloaded from the Google Cloud console is left to the user. When in doubt, revoke the key in the Google Cloud console.
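The permission advice above can be enforced before activation. The following is an added example, not part of the original page or of the gcloud CLI: the function names key_is_private, list_exposed and activate_checked are hypothetical, and the only gcloud invocation is the one shown on this page.

```shell
#!/bin/sh
# Added example: refuse to activate a service account key that group or
# other users can access, and list such files in a credentials directory.

# key_is_private FILE
# Returns 0 if FILE is a regular file (not a symlink) with no group/other
# permission bits, 1 if any of those bits are set, 2 if FILE is unusable.
key_is_private() {
    kp_file=$1
    if [ ! -f "$kp_file" ] || [ -L "$kp_file" ]; then
        return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    kp_mode=$(ls -ld -- "$kp_file" | cut -c5-10)
    [ "$kp_mode" = "------" ]
}

# list_exposed DIR
# Prints every regular file under DIR that has any group/other permission
# bit set. Intended for reviewing $HOME/.config/gcloud.
list_exposed() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# activate_checked KEY_FILE ACCOUNT
# Runs the activation command from this page only if KEY_FILE is private.
activate_checked() {
    if ! key_is_private "$1"; then
        echo "refusing: $1 is missing, a symlink, or accessible to" \
             "group/other; run: chmod 0600 $1" >&2
        return 1
    fi
    CLOUDSDK_PYTHON_SITEPACKAGES=1 \
        gcloud auth activate-service-account --key-file "$1" "$2"
}
```

After sourcing the file, call activate_checked with the key path and account email in place of the plain gcloud command, and run list_exposed "$HOME/.config/gcloud" to review what other local users could read.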
Now that the service account has been activated, it can be seen in the credentials list.
gcloud auth list
Credentialed Accounts
ACTIVE  ACCOUNT
*       firstname.lastname@example.org
To set the active account, run:
    $ gcloud config set account email@example.com