The Google Cloud SDK and PyOpenSSL

The Google Cloud SDK allows developers to use private keys to authenticate with service accounts, also known as robot accounts. This page describes how to create and use service accounts for the Google Cloud Platform.

Installing PyOpenSSL

The PyOpenSSL library allows the gcloud CLI to decode the private key files that identify a service account. Because it includes cryptographical routines, PyOpenSSL is not distributed with the Cloud SDK.

Installing PyOpenSSL with pip

If pip, the command-line interface to the Python Package Index, is installed on your system, getting PyOpenSSL should be as easy as running the following command.

pip install pyopenssl

Installing PyOpenSSL with apt-get

If your system is based on Debian, the apt-get package manager should be able to install PyOpenSSL with the following command.

sudo apt-get install python-openssl

Installing PyOpenSSL with yum

If your system is based on Red Hat or CentOS, the yum package manager should be able to install PyOpenSSL with the following command.

sudo yum install pyOpenSSL

Installing PyOpenSSL on Windows

If you are on a Windows machine without pip, a Windows installer can be found here. Choose the installer that matches your Python version, either 2.6 or 2.7. The Cloud SDK does not support Python 3, so if you want the gcloud CLI to use PyOpenSSL, the Python 3 installer will not work.


Once PyOpenSSL is installed, set the CLOUDSDK_PYTHON_SITEPACKAGES environment variable to 1. This setting tells the Cloud SDK to look outside of its own google-cloud-sdk/lib directory for libraries to load. It is generally safe to set CLOUDSDK_PYTHON_SITEPACKAGES=1, but if something stops working you may need to unset it again.

Creating a service account

Follow the instructions here to create a new service account, and save the file with the Generate new P12 key button on your disk.

This key file should be treated as a secret, and you should take precautions to ensure it is not accessible to untrusted parties. On Unix-like systems, you can make sure the file is not readable by other users logged in to the machine (other than root) with the following command.

chmod 0600 YOUR_KEY_FILE.p12

Using your service account with the Cloud SDK

Service account credentials can be enabled by using gcloud auth activate-service-account.

gcloud auth activate-service-account -h
Usage: gcloud auth activate-service-account --key-file KEY_FILE [optional flags] ACCOUNT

Get credentials for a service account, using a .p12 file for the private key. If
--project is set, set the default project.

required flags:
  --key-file KEY_FILE    Path to the service accounts private key.

optional flags:
  --help                 Display detailed help.
  --password-file PASSWORD_FILE
                         Path to a file containing the password for the service
                         account private key.
  --prompt-for-password  Prompt for the password for the service account private
  -h                     Print a summary help and exit.

positional arguments:
  ACCOUNT                The email for the service account.

To use your service account with the Cloud SDK, run gcloud auth activate-service-account, passing the path to your key file with the required --key-file flag and the service account's email as the positional ACCOUNT argument.

The account you pass should be the email of the service account as listed in the Google Cloud Console, but it is not verified; it only helps you remember which account you are using.

gcloud auth activate-service-account --key-file ~/mykeys/my_key_file.p12
Activated service account credentials for

WARNING: gcloud auth activate-service-account makes a copy of your private key and stores it in $HOME/.config/gcloud/legacy_credentials/. The copy is created with 0600 permissions (read/write for your own user only), and everything stored in $HOME/.config/gcloud should already be considered a secret. To reliably delete all authentication data stored by the Cloud SDK, delete $HOME/.config/gcloud. Secure management of the key file downloaded from the Cloud Console is left to the user. When in doubt, revoke the key in the Cloud Console.

Now that the service account has been activated, it can be seen in the credentials list.

gcloud auth list
Credentialed accounts:
 - (active)
To set the active account, run
 gcloud config set account 
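The following script is an added example and is not part of the Cloud SDK documentation or the SDK itself. It ties together the key-file handling advice (chmod 0600) and the activation procedure above: it reports a key file's permission bits, refuses to hand a group- or world-readable key to gcloud, and runs gcloud auth activate-service-account with CLOUDSDK_PYTHON_SITEPACKAGES=1 so the SDK can find a system-installed PyOpenSSL. The function names, and the use of stat to read the mode, are this example's own choices; the gcloud flags are the ones shown in the help output above.

```shell
#!/bin/sh
# Added example (not part of the Cloud SDK docs): check that a service
# account key file is readable only by its owner before handing it to
# gcloud, then activate the account with site-packages lookup enabled.

# Print the octal permission bits of a file, e.g. 600 or 644.
# GNU stat (Linux) is tried first, BSD stat (macOS) as a fallback.
key_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the file exists and its group and other permission
# bits are all zero (0600, 0400 and 0700 all qualify), 1 otherwise.
key_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(key_file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the permissions the docs recommend (chmod 0600) and re-check.
harden_key_file() {
    chmod 0600 "$1" && key_file_is_private "$1"
}

# Activate a service account as the docs describe, refusing to proceed
# while the key file is readable by other users of the machine.
# Usage: activate_service_account KEY_FILE.p12 SERVICE_ACCOUNT_EMAIL
activate_service_account() {
    key_file="$1"
    account="$2"
    if ! key_file_is_private "$key_file"; then
        echo "refusing: $key_file is readable by other users (mode $(key_file_mode "$key_file"))" >&2
        echo "fix with: chmod 0600 $key_file" >&2
        return 1
    fi
    # Let the Cloud SDK load PyOpenSSL from outside google-cloud-sdk/lib.
    CLOUDSDK_PYTHON_SITEPACKAGES=1 gcloud auth activate-service-account \
        --key-file "$key_file" "$account" && gcloud auth list
}

# Only run the gcloud steps when invoked with both arguments, so the
# helper functions above can be sourced or tested without the SDK.
if [ $# -eq 2 ]; then
    activate_service_account "$1" "$2"
fi
```

Save it as, for example, activate-sa.sh and run it as ./activate-sa.sh ~/mykeys/my_key_file.p12 SERVICE_ACCOUNT_EMAIL (SERVICE_ACCOUNT_EMAIL being a placeholder for the email shown in the Cloud Console). The permission check is deliberately strict: a mode such as 0640 is rejected even though only one group can read it, because the key grants full access to the service account and there is no reason for anyone but the owning user to be able to read it.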
