Creating a GCP Service Account Key

Overview

A service account key is a credential that allows applications to authenticate with Google Cloud Platform (GCP) services. This document outlines the steps to create and download a service account key in JSON format.

Prerequisites

  • A Google Cloud Platform account
  • Appropriate permissions to create service account keys

Steps to Create a Service Account Key

  1. Log in to your GCP account

  2. Navigate to Service Accounts

    • In the left sidebar, go to "IAM & Admin" → "Service Accounts"

  3. Select or Create a Service Account

    • To use an existing service account: Click on the service account name
    • To create a new service account: Click "Create Service Account" and follow the prompts

  4. Create a New Key

    • Click on the "Keys" tab
    • Click on "Add Key" → "Create new key"

  5. Select Key Type

    • Select "JSON" from the radio button options
    • Click on the "Create" button

  6. Download the Key File

    • The service account key file (service-account.json) will be automatically downloaded to your computer
    • Store this file securely as it grants access to your GCP resources

Security Best Practices

  • Store the key file securely and restrict access to it
  • Consider using environment variables or secret management systems instead of storing the key directly in your codebase
  • Rotate keys periodically for enhanced security
  • Assign the minimum necessary permissions to the service account
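
One way to check the first two practices on a workstation or build host, as an added example that is not part of the original document: it finds files that look like service account keys and reports loose permissions and keys sitting inside a git working tree. The function names are hypothetical, the field list follows the key file layout shown on this page, and POSIX file modes are assumed.

```python
import json
import stat
import sys
from pathlib import Path

# Field names taken from the key file layout shown on this page.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def audit_key_file(path):
    """Return a list of findings for one service account key file."""
    path = Path(path)
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {mode:04o} allow group/other access; use 0600")
    try:
        key = json.loads(path.read_text())
    except (ValueError, OSError):
        return findings + ["not readable as JSON"]
    if not isinstance(key, dict):
        return findings + ["not a JSON object"]
    missing = [name for name in REQUIRED_FIELDS if name not in key]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    # A .git directory in any parent means the key sits in a working tree.
    if any((parent / ".git").exists() for parent in path.resolve().parents):
        findings.append("inside a git repository; move it out of the codebase")
    return findings


def find_key_files(root):
    """Yield JSON files under root that look like service account keys."""
    for candidate in sorted(Path(root).rglob("*.json")):
        try:
            data = json.loads(candidate.read_text())
        except (ValueError, OSError):
            continue
        if (isinstance(data, dict) and data.get("type") == "service_account"
                and "private_key" in data):
            yield candidate


if __name__ == "__main__":
    for key_path in find_key_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(key_path, audit_key_file(key_path) or "no findings")
```

Run it with a directory argument to scan that tree; with no argument it scans the current directory.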

Using the Service Account Key

The downloaded JSON key file has the structure shown below and can be used in various ways:

{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nkey-content\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-name@your-project-id.iam.gserviceaccount.com",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-name%40your-project-id.iam.gserviceaccount.com"
}

Environment Variable

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"

Direct Reference in Code

from google.oauth2 import service_account

# Load credentials directly from the downloaded key file
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/service-account.json')
