Service Accounts

References:

Setup

# Enter your own options:
GOOGLE_CLOUD_PROJECT="project-id"
GOOGLE_APPLICATION_CREDENTIALS="path/to/GCP_auth_key.json"
SERVICE_ACCOUNT_NAME="my-account"

# Choose a role. roles/viewer, roles/editor and roles/owner are the "basic"
# roles: each spans every service in the project. Prefer a predefined or
# custom role scoped to what the account actually needs (least privilege).
ROLE="roles/viewer"
# ROLE="roles/editor"
# ROLE="roles/owner"  # Avoid granting owner to a service account; listed here only for convenience.

# Derived from the two values above; do not edit. This is the e-mail form
# gcloud uses to refer to the account.
SERVICE_ACCOUNT="${SERVICE_ACCOUNT_NAME}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"

Create a service account, assign a role, and download a key file

If this is a new project (or you have since revoked the credentials gcloud was using), first connect gcloud to the project with a user account (e.g. a Google account) that is allowed to create service accounts and edit the project's IAM policy. If gcloud is already authenticated against the project, you can usually skip this.

gcloud init
# follow prompts and connect to the project

Create, assign, download:

# Create the service account (the ID must be 6-30 characters: lowercase
# letters, digits and hyphens, starting with a letter)
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"

# Bind the service account to a role at project level; the role's
# permissions then apply to every resource in the project
gcloud projects add-iam-policy-binding "$GOOGLE_CLOUD_PROJECT" \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role="$ROLE"

# Create and download a key file. This is a long-lived credential that
# authenticates as the account until the key is deleted: keep it out of
# version control, restrict its file permissions to the owner, and delete
# keys you no longer use.
gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" \
    --iam-account="$SERVICE_ACCOUNT"

Switch the Service Account your API calls use

This activates the service account for gcloud and bq calls:

gcloud auth activate-service-account \
    --project="$GOOGLE_CLOUD_PROJECT" \
    --key-file="$GOOGLE_APPLICATION_CREDENTIALS"

For Python (and the other Google client libraries), no activation step is needed: the libraries pick up Application Default Credentials from the environment, so it is enough to export GOOGLE_CLOUD_PROJECT and GOOGLE_APPLICATION_CREDENTIALS. Note that a plain VAR=value assignment in the shell is not inherited by a child Python process; use export (or prefix the variables on the command line) so the key file path is actually visible to it.
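The whole procedure above (create, bind, download, activate) as one guarded script. This is an added example, not code from the original page: the name, role and key-file checks are pure shell helpers that can be exercised offline, while provision() is the only function that calls gcloud and runs only when the script is invoked with --run. It assumes gcloud is installed and already connected to the project via gcloud init, that the variables from the Setup block above are set and exported, and that ALLOW_BASIC_ROLE is a hypothetical override variable introduced here.

```shell
#!/bin/sh
# Added example (not from the original page): a guarded version of the
# create / bind / download / activate procedure. Helper functions are
# pure so the checks can be run without gcloud; provision() is the only
# function that touches gcloud and runs only with --run.
set -eu

# GCP's rules for a service account ID: 6-30 characters, lowercase
# letters, digits and hyphens, starting with a letter, not ending with
# a hyphen. gcloud rejects anything else, so fail early and clearly.
valid_sa_name() {
  name="$1"
  [ "${#name}" -ge 6 ] && [ "${#name}" -le 30 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[a-z]([a-z0-9-]*[a-z0-9])?$'
}

# The e-mail form gcloud uses for a project-level service account.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# roles/viewer, roles/editor and roles/owner are the "basic" roles and
# span every service in the project. Returns 0 if the role is basic.
role_is_basic() {
  case "$1" in
    roles/viewer|roles/editor|roles/owner) return 0 ;;
    *) return 1 ;;
  esac
}

# Sanity-check a downloaded key: it must be a service_account key whose
# client_email is the account we just created. This catches pointing
# GOOGLE_APPLICATION_CREDENTIALS at a stale key from another account.
check_key_file() {
  file="$1"; expected="$2"
  [ -r "$file" ] || return 1
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$file" || return 1
  grep -Eq "\"client_email\"[[:space:]]*:[[:space:]]*\"$expected\"" "$file" || return 1
}

# The real procedure. Assumes gcloud is installed and already
# authenticated as a user allowed to edit the project's IAM policy.
provision() {
  name="$1"; project="$2"; role="$3"; keyfile="$4"
  valid_sa_name "$name" || { echo "invalid service account name: $name" >&2; return 1; }
  # Refuse project-wide basic roles unless the caller explicitly opts in
  # (ALLOW_BASIC_ROLE is a hypothetical override for this example).
  if role_is_basic "$role" && [ "${ALLOW_BASIC_ROLE:-0}" != 1 ]; then
    echo "refusing basic role $role; set ALLOW_BASIC_ROLE=1 to override" >&2
    return 1
  fi
  email=$(sa_email "$name" "$project")
  gcloud iam service-accounts create "$name" --project="$project"
  gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role"
  # The key is a long-lived bearer credential: make the file owner-only
  # from the moment it is written rather than fixing permissions later.
  umask 077
  gcloud iam service-accounts keys create "$keyfile" --iam-account="$email"
  check_key_file "$keyfile" "$email" || { echo "downloaded key does not match $email" >&2; return 1; }
  gcloud auth activate-service-account --project="$project" --key-file="$keyfile"
}

# Only run the real provisioning when explicitly asked for.
if [ "${1:-}" = "--run" ]; then
  provision "$SERVICE_ACCOUNT_NAME" "$GOOGLE_CLOUD_PROJECT" "$ROLE" "$GOOGLE_APPLICATION_CREDENTIALS"
fi
```

Run it as `sh provision-sa.sh --run` after sourcing the Setup block (with the variables exported). Because gcloud prints the key file before the script can change its mode, the umask is set before the keys create call rather than running chmod afterwards; the check_key_file call is what protects you from a GOOGLE_APPLICATION_CREDENTIALS path that already held a different account's key.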