Service accounts are a special kind of Google account that belongs to a workload (an application, a virtual machine (VM), or another cloud resource) rather than to a person. They are not an extra layer of authentication on top of your gcloud login; they are a separate identity with its own IAM roles, so code can call Google Cloud APIs with its own credentials and no human user has to be involved.
For example, a Compute Engine VM runs as (is attached to) a service account. The roles granted to that service account decide which resources code running on the VM can reach, so the service account is the identity the service presents, and its permissions bound what it can do. Each service account has a unique email address of the form NAME@PROJECT_ID.iam.gserviceaccount.com, which is how it is referenced in IAM policies.
To create a service account on the Google Cloud Platform (GCP), you need a Google account that can sign in to the gcloud CLI and a project to hold the account; billing is attached to the project, not to your login, and is only needed once you start creating billable resources. A single service account can be used to authenticate to several services, VMs, or APIs. The following steps create a service account inside a project and grant it roles on that project, so that it can authenticate and reach the resources deployed there according to the permissions it has been given.
The following steps are required to create a service account:
CLI authentication: Before creating any resource on GCP, sign in to the gcloud CLI with your Google account. The --no-launch-browser flag prints a sign-in URL and completes the login from it instead of opening a local browser, which is what you want on a headless host:
gcloud auth login --no-launch-browser
Project creation: Everything in gcloud is grouped into projects, and IAM roles are granted to the service account on a project so that it can create and access resources there. You can reuse an existing project or create a new one. Note that billing must be linked to the project before the service account can create billable resources; the last step below does this. We can use the following code to create a project:
# Provide a new project ID
export PROJECT_ID=<Project ID>
gcloud projects create $PROJECT_ID
# Config set the project
gcloud config set project $PROJECT_ID
# List all of the projects
gcloud projects list
Create service account: The create command takes the account ID (service_account_name, which becomes the local part of the account's email address and must be 6 to 30 characters of lowercase letters, digits and hyphens, starting with a letter), the Project_ID, and an optional display_name. We can use the following code to create the service account:
# Replace the place_holders with labels of your choice
gcloud iam service-accounts \
  create <service_account_name> \
  --project $PROJECT_ID \
  --display-name <display_name>
Service account keys: A workload that cannot use an attached service account (for example, code running outside Google Cloud) can authenticate as the service account with a user-managed key pair. Google stores only the public key; the private key is handed to you once, as a JSON file:
The private key signs the short-lived tokens (signed JWTs) that gcloud and the client libraries present to Google APIs when acting as the service account.
The public key is what the GCP services use to verify those signatures and so to attribute each request to the service account.
The JSON file written to the working directory by the command below contains the private key, so it is a long-lived credential in its own right: anyone holding it can act as the service account. User-managed keys do not expire by default, so prefer the VM's attached service account or impersonation (the --impersonate-service-account flag of gcloud) where you can; if you must create a key, keep the file readable only by you (mode 600), keep it out of version control, and delete the key when it is no longer needed. We can use the following code to create the key pair:
# Fetch the service account email by using the following command
gcloud iam service-accounts list --project=$PROJECT_ID
# Save the service account email shown by the command above
export service_account=<your_service_account_email>
# Create the key pair; the private key is written to account.json
# Use `ls -l` to verify that account.json exists and is readable only by you
gcloud iam service-accounts \
  keys create account.json \
  --iam-account $service_account \
  --project $PROJECT_ID
# You can list the keys using the following command
gcloud iam service-accounts \
  keys list \
  --iam-account $service_account \
  --project $PROJECT_ID
Policy binding: A new service account has no permissions until IAM roles are bound to it on the project. The example below grants roles/owner, which makes the service account a full administrator of the project and of every key that can act as it; in practice grant the narrowest predefined role the workload needs (for instance roles/compute.instanceAdmin.v1 if it only manages VMs). We can bind a role to the service account using the following command:
# roles/owner is used here for simplicity; replace it with the narrowest role that fits
gcloud projects \
  add-iam-policy-binding $PROJECT_ID \
  --member serviceAccount:$service_account \
  --role roles/owner
Enabling the billing: To create and manage the resources inside this project, we must ensure that billing is enabled. To do this, we have to fetch the billing account ID and then link this project with this account using the following commands:
# Fetch the billing account ID
gcloud billing accounts list
# Export the ID
export BillingAccountID=<Billing_Account_ID>
# Enable billing for our project
gcloud billing projects link $PROJECT_ID --billing-account $BillingAccountID
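The steps above, wrapped into one script with the checks a practitioner would want before handing a key to a workload. This is an added example, not code from the original page: it validates the account ID before calling gcloud, refuses the basic roles (owner/editor/viewer) in favour of a predefined role, creates the key under umask 077 so the file is 0600 from the moment it is written, and then verifies the downloaded file. The environment variable names (RUN_GCLOUD, PROJECT_ID, SA_ID, SA_ROLE, KEY_FILE) and the default role roles/compute.instanceAdmin.v1 are assumptions for this example. The gcloud calls only run when RUN_GCLOUD=1; otherwise the script runs an offline self-check against a constructed, non-functional key file.

```shell
#!/bin/sh
# Added example (not from the original page). Helper functions work offline;
# the gcloud steps run only when RUN_GCLOUD=1 (assumed variable name).

# Service account IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and ending with a letter or digit.
sa_id_valid() {
    printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Least-privilege guard: the basic roles make the account a project admin.
role_is_basic() {
    case "$1" in
        roles/owner|roles/editor|roles/viewer) return 0 ;;
        *) return 1 ;;
    esac
}

# A downloaded key file is a credential: it must be mode 0600 and must
# really be a service-account key (type, client_email, private_key present).
key_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm 600 -print)" ] || return 1
    grep -q '"type": *"service_account"' "$f" || return 1
    grep -q '"client_email"' "$f" || return 1
    grep -q '"private_key"' "$f" || return 1
}

# The page's procedure, with the checks applied. Arguments:
# project id, service account id, role to bind, path for the key file.
create_sa_and_key() {
    project=$1; sa_id=$2; role=$3; keyfile=$4
    sa_id_valid "$sa_id" || { echo "bad service account id: $sa_id" >&2; return 1; }
    if role_is_basic "$role"; then
        echo "refusing basic role $role; grant a predefined role instead" >&2
        return 1
    fi
    gcloud iam service-accounts create "$sa_id" \
        --project "$project" --display-name "$sa_id" || return 1
    sa_email="$sa_id@$project.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding "$project" \
        --member "serviceAccount:$sa_email" --role "$role" || return 1
    # umask 077 in a subshell: the key file is created 0600, never world-readable.
    (umask 077 && gcloud iam service-accounts keys create "$keyfile" \
        --iam-account "$sa_email" --project "$project") || return 1
    key_file_ok "$keyfile"
}

# Offline self-check using a constructed key file that only mimics the shape
# gcloud downloads (no real key material). Returns 0 if all checks behave.
selfcheck() {
    d=$(mktemp -d) || return 1
    k="$d/account.json"
    printf '%s\n' '{' \
        '  "type": "service_account",' \
        '  "project_id": "example-project",' \
        '  "client_email": "my-app-sa@example-project.iam.gserviceaccount.com",' \
        '  "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n"' \
        '}' > "$k"
    chmod 600 "$k"
    key_file_ok "$k" || { rm -rf "$d"; return 1; }
    chmod 644 "$k"
    if key_file_ok "$k"; then rm -rf "$d"; return 1; fi   # too permissive must fail
    rm -rf "$d"
    sa_id_valid my-app-sa && ! sa_id_valid Bad_SA && ! role_is_basic roles/compute.instanceAdmin.v1
}

if [ "${RUN_GCLOUD:-0}" = "1" ]; then
    create_sa_and_key "${PROJECT_ID:?}" "${SA_ID:?}" \
        "${SA_ROLE:-roles/compute.instanceAdmin.v1}" "${KEY_FILE:-account.json}"
else
    selfcheck && echo "offline self-check passed"
fi
```

Run it as `RUN_GCLOUD=1 PROJECT_ID=<Project ID> SA_ID=<service_account_name> sh create-sa.sh` after `gcloud auth login`; without RUN_GCLOUD it only exercises the checks. The umask subshell matters because gcloud writes the key with the process umask, and a 0644 key on a shared host is readable by every local user.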
Note: Make sure to replace all the placeholders with your credentials before executing the commands.