This article is written for Windows, but the same principles apply to Linux and Mac.
A service account is a special Google account that is used by applications or services, such as Google Compute Engine, rather than by a person. Service account credentials are stored in a file. There are two file formats, JSON and P12.
The JSON format is the recommended format for service account credential files. This format consists of multiple JSON keys, with the private key being the critical value that is used to sign API requests. This file can be viewed in any text editor.
```json
{
  "type": "service_account",
  "project_id": "development-123456",
  "private_key_id": "01234567890abcdefghic46fb305abcdefghijkl",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBg <removed content for security> mUTxqeO6EH4qnCsaOWCZw==\n-----END PRIVATE KEY-----\n",
  "client_email": "test100@development-123456.iam.gserviceaccount.com",
  "client_id": "111012345678912345678",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test100%40development-123456.iam.gserviceaccount.com"
}
```
The P12 format, otherwise known as PKCS #12 or PFX, is a binary format for storing a certificate, intermediate certificates, and the private key in an encrypted file. Common file suffixes are `.p12` or `.pfx`. The following openssl command will display a P12 file. Note the option `-nodes`. This means "no DES" (do not encrypt the private key when writing it out), not "nodes". Use this option so that you can see the unencrypted private key. In this example the password is `notasecret`.

```sh
openssl pkcs12 -info -nodes -in test.p12 -passin pass:notasecret
```
Now let's create a service account using the gcloud CLI. First, let's set some environment variables to reduce mistakes. Replace the values with your own Google Project ID and account name.

```bat
set PROJECT=development-123456
set USER=test100
set FILE=test100.json
set MEMBER=%USER%@%PROJECT%.iam.gserviceaccount.com
```
Notice the MEMBER variable. The email address that identifies a service account is always `USER@PROJECT` suffixed with the domain `iam.gserviceaccount.com`:

```
test100@development-123456.iam.gserviceaccount.com
```
This command will display the current Project ID:

```bat
gcloud config list project --format=json
```

```json
{
  "core": {
    "project": "development-123456"
  }
}
```
To get fancy using `jq`:

```bat
gcloud config list project --format=json | jq -r ".core.project"
```

Outputs:

```
development-123456
```

Using `jq` makes it easy to set environment variables and chain commands together.
Create a service account using the previous environment variables:

```bat
set PROJECT=development-123456
set USER=test100
set FILE=test100.json
set MEMBER=%USER%@%PROJECT%.iam.gserviceaccount.com

gcloud iam service-accounts create %USER%
```

Command output:

```
Created service account [test100].
```
The next step is to authorize the service account with permissions. In this example, we grant the role `viewer`:

```bat
gcloud projects add-iam-policy-binding %PROJECT% ^
  --member "serviceAccount:%MEMBER%" ^
  --role "roles/viewer"
```
To authorize a service account, you bind the role on the project, not on the service account itself. IAM policies applied to the service account control who can use (for example, impersonate or act as) the service account; they do not grant the service account any permissions. Remember that a service account's permissions are granted on the project.
To quote Google:
> In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
>
> For instance, Alice can have the editor role on a service account and Bob can have the viewer role on a service account. This is just like granting roles for any other GCP resource.
Now that we have created and authorized this service account, create and download a service account credentials file to be used later in our software:

```bat
gcloud iam service-accounts keys create %FILE% --iam-account %MEMBER%
```

Command output:

```
created key [db0123456789abcdefghijkl2253e56012345678] of type [json] as [test100.json] for [test100@development-123456.iam.gserviceaccount.com]
```

To create the key in P12 format instead, add the command line option:

```
--key-file-type=p12
```
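The JSON key file described above is what most software will load, so it is worth being able to sanity-check one before trusting it (or before committing it somewhere it should not go). The following is an added example, not code from the original article or from Google: a stdlib-only checker (the function name `check_key_file` and the constructed `SAMPLE` are mine) that verifies the file has the keys gcloud writes, that `client_email` follows the `USER@PROJECT.iam.gserviceaccount.com` pattern and agrees with `project_id`, and that `private_key` is an unencrypted PKCS#8 PEM block whose body decodes to DER.

```python
# Sanity-check a Google service account JSON key file (standard library only).
import base64
import json
import re

# Keys present in a file written by `gcloud iam service-accounts keys create`.
REQUIRED_KEYS = {"type", "project_id", "private_key_id", "private_key", "client_email", "client_id",
                 "auth_uri", "token_uri", "auth_provider_x509_cert_url", "client_x509_cert_url"}
# The identity is always USER@PROJECT.iam.gserviceaccount.com.
EMAIL_RE = re.compile(r"^([a-z][a-z0-9-]*)@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")
PEM_HEAD = "-----BEGIN PRIVATE KEY-----\n"
PEM_TAIL = "-----END PRIVATE KEY-----\n"


def check_key_file(text):
    # Returns a list of problems; an empty list means the file looks like gcloud output.
    data = json.loads(text)
    problems = []
    missing = sorted(REQUIRED_KEYS - set(data))
    if missing:
        return ["missing keys: " + ", ".join(missing)]
    match = EMAIL_RE.match(data["client_email"])
    if not match:
        problems.append("client_email is not USER@PROJECT.iam.gserviceaccount.com")
    elif match.group(2) != data["project_id"]:
        problems.append("client_email project does not match project_id")
    pem = data["private_key"]
    if not (pem.startswith(PEM_HEAD) and pem.endswith(PEM_TAIL)):
        problems.append("private_key is not an unencrypted PKCS#8 PEM block")
    else:
        body = pem[len(PEM_HEAD):-len(PEM_TAIL)].replace("\n", "")
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            der = b""
        # A DER PKCS#8 PrivateKeyInfo begins with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            problems.append("private_key body is not DER-encoded PKCS#8")
    return problems


# Constructed sample in the layout gcloud writes; the key body is a truncated placeholder, not a usable key.
SAMPLE = json.dumps({
    "type": "service_account", "project_id": "development-123456",
    "private_key_id": "01234567890abcdefghic46fb305abcdefghijkl",
    "private_key": PEM_HEAD + "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIB\n" + PEM_TAIL,
    "client_email": "test100@development-123456.iam.gserviceaccount.com",
    "client_id": "111012345678912345678", "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test100%40development-123456.iam.gserviceaccount.com",
})
```

Because the PEM header is `BEGIN PRIVATE KEY` rather than `BEGIN ENCRYPTED PRIVATE KEY`, an empty result also confirms the file holds the key in the clear, which is why file permissions on it matter.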
gcloud iam service-accounts create
gcloud projects add-iam-policy-binding
gcloud iam service-accounts keys create
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
December 17, 2019 at 3:38 AM
There’s a request for encrypting gcloud credentials: https://issuetracker.google.com/issues/123572048