In this article, we will download and install the Google gcloud CLI. Then we will set up gcloud with Google Service Account credentials. This article is for Windows-based systems but the same principles apply to Linux and Mac systems.
Step 1 – Download gcloud
Step 2 – Launch the installer
At the Completing the Google Cloud SDK Setup Wizard, deselect Run gcloud init to configure the Cloud SDK. The reason is that we only want to use Service Account credentials.
Step 3 – Access a Google public bucket
gsutil ls gs://gcp-public-data-landsat
This command should succeed and provide a listing of the files in this bucket. This command verifies that the CLI is installed. We have not set up credentials yet.
Step 4 – Access one of your own private buckets
This step will verify that you have no credentials. Change the bucket name to a private bucket that you own.
gsutil ls gs://mybucket
This command should fail. If it succeeds, you have a public bucket that anyone can access.
Step 5 – Create Google Service Account credentials.
You can skip this step if you already have credentials to use.
In this example, we will only grant Storage Admin to these credentials.
- Go to IAM & admin -> Service accounts
- Click CREATE SERVICE ACCOUNT
- Enter a Service account name and Service account description
- Click CREATE
- In the next screen Service account permissions, select a role.
- Select Storage -> Storage Admin
- Click CONTINUE
- Click Create key
- Check the JSON radio button for the Key type
- Save the JSON file to your local computer.
Make note of the email address that Google Cloud created for these credentials.
Step 6 – Configure gcloud with the Google Service Account credentials
In this example, the email address is: test@development-123456.iam.gserviceaccount.com
The credentials file is: test_google_account.json
Modify these items to what you created in step 5.
gcloud auth activate-service-account test@development-123456.iam.gserviceaccount.com --key-file=test_google_account.json
Step 7 – Verify that the credentials work
Change the bucket name to a private bucket that you own.
gsutil ls gs://mybucket
This command should now succeed.
You have now successfully configured gcloud to work with Google Service Account credentials.
There are two commands that generate access tokens:
- gcloud auth print-access-token
- gcloud auth application-default print-access-token
Important Detail
Configuring gcloud with a service account sets up the tool’s credentials and does not create credentials for Application Default Credentials (ADC).
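The following Python check is an added example, not code from the original article: it reads the key file saved in Step 5, builds the Step 6 command from the email stored inside that file, and reports whether a local ADC source exists. The function names are hypothetical, and the ADC lookup assumes only the GOOGLE_APPLICATION_CREDENTIALS variable and the well-known gcloud file are of interest.

```python
# Added example: helper names are hypothetical, not part of gcloud or the article.
import json
import os
import sys
from pathlib import Path

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")


def read_key_file(path):
    """Return the non-secret identity fields of a service account JSON key."""
    key = json.loads(Path(path).read_text(encoding="utf-8"))
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        raise ValueError(f"{path}: missing fields {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"{path}: type is {key['type']!r}, not 'service_account'")
    # Never return or print private_key; expose only what identifies the key.
    return {f: key[f] for f in ("client_email", "project_id", "private_key_id")}


def activate_command(path):
    """Build the Step 6 command with the email taken from the key file itself."""
    email = read_key_file(path)["client_email"]
    return ["gcloud", "auth", "activate-service-account", email, f"--key-file={path}"]


def adc_source(env=None, platform=None):
    """Return the local ADC source a client library would find, or None."""
    env = os.environ if env is None else env
    platform = sys.platform if platform is None else platform
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return f"GOOGLE_APPLICATION_CREDENTIALS={explicit}"
    # Well-known file written by `gcloud auth application-default login`.
    if platform == "win32":
        base = Path(env.get("APPDATA", "")) / "gcloud"
    else:
        base = Path(env.get("HOME", "")) / ".config" / "gcloud"
    well_known = base / "application_default_credentials.json"
    return str(well_known) if well_known.is_file() else None


if __name__ == "__main__":
    key_path = sys.argv[1] if len(sys.argv) > 1 else "test_google_account.json"
    print("Key identity:", read_key_file(key_path))
    print("Run:", " ".join(activate_command(key_path)))
    print("ADC source:", adc_source() or "none found locally")
```

On a machine that has only followed Steps 1 to 7, adc_source() returns None, which matches the Important Detail above.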
More information
- gcloud auth print-access-token
- gcloud auth application-default print-access-token
- gcloud auth activate-service-account
In future articles, I will show you how to use these same credentials when programming, for example, in C++, Python, etc. Then we will cover in detail what Google Service Account credentials are and how to programmatically generate Access Tokens from these credentials.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
January 22, 2021 at 8:36 PM
Thank you for this post. I continue to be astonished at the lack of simple cookbook HOWTOs for gcloud. It’s as if the docs are written as reminders for people who already pretty much know what to do.
Cheers!