The Google Cloud SDK allows developers to use private keys to authenticate with service accounts, also known as robot accounts. This page describes how to create and use service accounts for the Google Cloud Platform.
Installing PyOpenSSL
The PyOpenSSL library allows the gcloud CLI to decode the private key files that identify a service account. Because it includes cryptographic routines, PyOpenSSL is not distributed with the Cloud SDK.
Installing PyOpenSSL with pip
If your system has pip, the command-line interface to the Python Package Index, installed, getting PyOpenSSL should be as easy as running the following command.
pip install pyopenssl
Installing PyOpenSSL with apt-get
If your system is based on Debian, the apt-get package manager should be able to install PyOpenSSL with the following command.
sudo apt-get install python-openssl
Installing PyOpenSSL with yum
If your system is based on Red Hat or CentOS, the yum package manager should be able to install PyOpenSSL with the following command.
sudo yum install pyOpenSSL
Installing PyOpenSSL on Windows
If you are on a Windows machine without pip, a Windows installer can be found here. You should choose the appropriate version of Python, either 2.6 or 2.7. The Cloud SDK does not support Python 3, so if you wish to allow the gcloud CLI to use PyOpenSSL, the Python 3 installer will not work.
CLOUDSDK_PYTHON_SITEPACKAGES=1
Once PyOpenSSL is installed, you will need to set the CLOUDSDK_PYTHON_SITEPACKAGES environment variable to 1. This environment variable setting tells the Cloud SDK that it should look outside of its own google-cloud-sdk/lib directory for libraries to include. It is generally safe to set CLOUDSDK_PYTHON_SITEPACKAGES=1, but if something stops working you may need to undo it.
Creating a service account
Follow the instructions here to create a new service account, and save the file with the Generate new P12 key button on your disk.
This key file should be considered a secret, and you should take precautions to make sure that it is not accessible by untrusted parties. On Unix-like systems, you can ensure that a file is not readable by other users on the same system, whether logged in locally or remotely (other than the root user), by using the following command.
chmod 0600 YOUR_KEY_FILE.p12
Using your service account with the Cloud SDK
Service account credentials can be enabled by using gcloud auth activate-service-account.
gcloud auth activate-service-account -h
Usage: gcloud auth activate-service-account --key-file KEY_FILE [optional flags] ACCOUNT

Get credentials for a service account, using a .p12 file for the private key.
If --project is set, set the default project.

required flags:
  --key-file KEY_FILE   Path to the service accounts private key.

optional flags:
  --help                Display detailed help.
  --password-file PASSWORD_FILE
                        Path to a file containing the password for the service account private key.
  --prompt-for-password Prompt for the password for the service account private key.
  -h                    Print a summary help and exit.

positional arguments:
  ACCOUNT               The email for the service account.
To use your service account with the Cloud SDK, run gcloud auth activate-service-account, pass it the path to your key file with the required --key-file flag, and give it an account as a positional argument.
The account you use should be the email for the service account listed in the Google Cloud Console, but it will not be verified; it only helps you remember which account you are using.
gcloud auth activate-service-account --key-file ~/mykeys/my_key_file.p12 my_service_account@developer.gserviceaccount.com
Activated service account credentials for my_service_account@developer.gserviceaccount.com.
WARNING: The gcloud auth activate-service-account command will make a copy of your private key and store it in $HOME/.config/gcloud/legacy_credentials/my_service_account@developer.gserviceaccount.com/private_key.p12. It will be created with 0600 permissions (read/write for your own user only), and everything stored in $HOME/.config/gcloud should be considered a secret already. To reliably and confidently delete any authentication data stored by the Cloud SDK, one only has to delete $HOME/.config/gcloud. Secure management of the key file downloaded from the Cloud Console is left to the user. When in doubt, revoke the key in the Cloud Console.
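The two places this page says key material ends up, the .p12 you downloaded (section "Creating a service account", chmod 0600) and the copy gcloud writes under $HOME/.config/gcloud, can be audited with the same permission check. The script below is an added example and not part of the original page or of the Cloud SDK; the function names key_is_private, find_exposed and lock_down, and every path it touches, are constructed stand-ins for YOUR_KEY_FILE.p12 and the gcloud configuration directory. It assumes a POSIX shell with ls, cut, find and mktemp.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that service-account key
# files are readable by their owner only, as the page's chmod 0600 intends.
# Assumes POSIX sh plus ls, cut, find, mktemp. All paths below are constructed.

# key_is_private FILE
# Returns 0 when FILE is a regular file whose group and other permission bits
# are all cleared (mode 0600 or stricter), 1 otherwise.
key_is_private() {
    [ -f "$1" ] || return 1
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# find_exposed PATH...
# Prints every regular file under each PATH that fails key_is_private.
# Returns 0 when nothing was printed, 1 when at least one file is exposed.
# (Word-splits on whitespace, so paths containing spaces are not handled.)
find_exposed() {
    exposed=""
    for p in "$@"; do
        for f in $(find "$p" -type f); do
            key_is_private "$f" || exposed="$exposed$f
"
        done
    done
    printf '%s' "$exposed"
    [ -z "$exposed" ]
}

# lock_down FILE
# Applies the chmod the page recommends for the downloaded key and re-checks.
lock_down() {
    chmod 0600 "$1" && key_is_private "$1"
}

# Demo on a constructed layout: a downloaded key saved with a permissive mode
# next to a copy laid out like gcloud's legacy_credentials directory.
demo() {
    work=$(mktemp -d) || return 1
    key="$work/my_key_file.p12"                        # stand-in for the downloaded key
    cfg="$work/gcloud/legacy_credentials/sa@example"   # stand-in for $HOME/.config/gcloud
    mkdir -p "$cfg"
    printf 'constructed placeholder, not a real key\n' > "$key"
    cp "$key" "$cfg/private_key.p12"
    chmod 0644 "$key"                  # simulates a key saved with a permissive umask
    chmod 0600 "$cfg/private_key.p12"  # gcloud creates its copy with 0600
    echo "Exposed before lock-down:"
    find_exposed "$key" "$work/gcloud" || true
    lock_down "$key"
    echo "Exposed after lock-down:"
    find_exposed "$key" "$work/gcloud" && echo "(none)"
    rm -rf "$work"
}

demo
```

Run it as-is to see the demo; in practice call find_exposed on the real key path and on $HOME/.config/gcloud, and treat any file it lists the way the page advises for a key you cannot account for: revoke it in the Cloud Console.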
Now that the service account has been activated, it can be seen in the credentials list.
gcloud auth list
Credentialed accounts:
 - my_service_account@developer.gserviceaccount.com (active)

To set the active account, run
  gcloud config set account