Service Accounts¶
References:
Understanding roles, also contains a list of roles and definitions.
Setup¶
# Enter your own options:
GOOGLE_CLOUD_PROJECT="project-id"
GOOGLE_APPLICATION_CREDENTIALS="path/to/GCP_auth_key.json"
SERVICE_ACCOUNT_NAME="my-account"
# Choose a role using the link above.
# Here are some basic options, but choose a more fine-grained role(s) if you can.
ROLE="roles/viewer"
# ROLE="roles/editor"
# ROLE="roles/owner" # Try to avoid the owner role, but here it is for convenience.
# Set this verbatim
SERVICE_ACCOUNT="${SERVICE_ACCOUNT_NAME}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
Create a service account, assign a role, and download a key file¶
If you are accessing a new project (or perhaps deactivated previous settings)
you’ll need to connect gcloud
to the project via a
user account (e.g. a Gmail address) that has access.
If you are not accessing a new project, you likely do not need to do this.
gcloud init
# follow prompts and connect to the project
Create, assign, download:
# Create the service account
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"
# Assign the service account a role, which gives it permissions
gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
--member="serviceAccount:${SERVICE_ACCOUNT}" \
--role="$ROLE"
# Create and download an auth key file
gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" \
--iam-account="$SERVICE_ACCOUNT"
Switch the Service Account your API calls use¶
This activates the service account for gcloud
and bq
calls:
gcloud auth activate-service-account \
--project="$GOOGLE_CLOUD_PROJECT" \
--key-file="$GOOGLE_APPLICATION_CREDENTIALS"
To activate for Python calls, you just need to set the environment variables
GOOGLE_CLOUD_PROJECT
and GOOGLE_APPLICATION_CREDENTIALS
.