Service Accounts



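# Enter your own options (the values below are placeholders):
GOOGLE_CLOUD_PROJECT="your-project-id"
SERVICE_ACCOUNT_NAME="your-service-account-name"
GOOGLE_APPLICATION_CREDENTIALS="/path/to/your/key-file.json"

# Choose a role using the link above.
# Here are some basic options, but choose a more fine-grained role(s) if you can.
# ROLE="roles/editor"
# ROLE="roles/owner"  # Try to avoid the owner role, but here it is for convenience.

# Set this verbatim
SERVICE_ACCOUNT="${SERVICE_ACCOUNT_NAME}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"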
Create a service account, assign a role, and download a key file

If you are accessing a new project (or have deactivated your previous settings), you'll need to connect gcloud to the project via a user account (e.g. a Gmail address) that has access. Otherwise, you likely do not need to do this.

gcloud init
# follow prompts and connect to the project

Create, assign, download:

# Create the service account
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"

# Assign the service account a role, which gives it permissions
gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role="$ROLE"

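# Create and download an auth key file
# (the key file is a long-lived credential: keep it out of version control)
gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" \
    --iam-account="$SERVICE_ACCOUNT"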

Switch the Service Account your API calls use

This activates the service account for gcloud and bq calls:

gcloud auth activate-service-account \
    --project="$GOOGLE_CLOUD_PROJECT" \
    --key-file="$GOOGLE_APPLICATION_CREDENTIALS"

To activate for Python calls, you just need to set the environment variables GOOGLE_CLOUD_PROJECT and GOOGLE_APPLICATION_CREDENTIALS.
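
The role comments above recommend avoiding roles/owner and roles/editor where a finer-grained role will do. As an added example (not part of the original page), this Python script audits the JSON printed by `gcloud projects get-iam-policy "$GOOGLE_CLOUD_PROJECT" --format=json` for service accounts that hold a basic role. The function name, the severity labels and the sample policy are constructed for illustration.

```python
import json

# Basic roles apply project-wide; owner and editor can modify most resources.
BASIC_ROLES = {"roles/owner": "high", "roles/editor": "high", "roles/viewer": "low"}


def audit_service_account_roles(policy):
    """Return sorted (severity, role, account, deleted) tuples for basic-role grants.

    `policy` is the dict parsed from `gcloud projects get-iam-policy --format=json`.
    """
    findings = []
    for binding in policy.get("bindings", []):
        severity = BASIC_ROLES.get(binding.get("role"))
        if severity is None:
            continue  # not a basic role; out of scope for this check
        for member in binding.get("members", []):
            # Deleted principals linger as "deleted:serviceAccount:<email>?uid=<id>".
            deleted = member.startswith("deleted:")
            if deleted:
                member = member[len("deleted:"):]
            kind, _, account = member.partition(":")
            if kind != "serviceAccount":
                continue  # users and groups are not what this check looks at
            account = account.split("?uid=")[0]
            findings.append((severity, binding["role"], account, deleted))
    return sorted(findings)


# Constructed sample policy (not real project data).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:etl-runner@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/owner",
     "members": ["deleted:serviceAccount:old-ci@example-project.iam.gserviceaccount.com?uid=123456789"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["serviceAccount:reporting@example-project.iam.gserviceaccount.com"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    for severity, role, account, deleted in audit_service_account_roles(SAMPLE_POLICY):
        note = " (deleted account, remove the stale binding)" if deleted else ""
        print(f"[{severity}] {account} holds {role}{note}")
```

To audit a real project, save the gcloud output to a file and pass `json.load(open(path))` to the function instead of the sample.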