Creating a Google Cloud Platform service account key

Some context… A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.

Lately I have been helping customers that are using CDAP, a 100% open source, integrated framework that accelerates application development for data analytics, specifically around creating and connecting to Google Cloud Storage as a source to ingest and do data preparation (a.k.a. data wrangling). The following post demonstrates how to create an API key file that can be used for any type of application that requires connectivity to Google APIs.

An important note. A little over a year ago, Google acquired Cask Data (creator of CDAP). Fast forward, and Google recently unveiled a cloud native data integration and ETL service called Cloud Data Fusion. More on that in future posts… ;-)

Let’s do this!

Log on to the GCP console

Go to the GCP console and log in using your Google account.

Selecting a GCP project

You need to select a project. If you don’t have any projects, go to the project selector page to create one. For this demonstration I have created and am using a specific project named cdap-gcs.

If the GCP project you want to use is not the one shown or selected, click the project name (1), then select the name of the GCP project you want to use (2), and click on Open (3).

Creating a GCP service account key

In this section you create a GCP service account key.

Select the menu icon at the top of the screen (1), hover your cursor over APIs & Services (2), and select Credentials (3).

This brings you to the Credentials page. Click Create credentials (1), hover your cursor over Service account key (2), and click it.

Next follow these steps to create a service account key:

  1. Select New service account
  2. Enter a name for the Service account name
  3. Click on Select a role.
  4. Hover your cursor over Storage.
  5. And select Storage Admin.
  6. Then click Create to download your key file.

A confirmation will display that your service account key was downloaded. It is best practice to store your keys in a safe and secure location on your computer!

You can now view a list of your service account keys from the Credentials menu item.

With that, you have successfully created a GCP service account key. You will need to register the service account file you downloaded with the application that connects to GCP services.

Using the gcloud command

Now let’s see how you would do the same thing, but from the command line interface using gcloud commands.

First let’s make sure you are set to use the right project. In this demonstration I am setting it to the cdap-gcs project I already created.

Reference: https://cloud.google.com/sdk/gcloud/reference/config/set

gcloud config set project cdap-gcs

Next you create a service account named cdap-gcs.

Reference: https://cloud.google.com/iam/docs/creating-managing-service-accounts

gcloud beta iam service-accounts create cdap-gcs \
    --display-name "cdap-gcs"

Then create a service account key, in this demonstration named key.json, using the IAM service account you just created, cdap-gcs@cdap-gcs.iam.gserviceaccount.com.

Reference: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/create

gcloud beta iam service-accounts keys create ~/key.json \
  --iam-account cdap-gcs@cdap-gcs.iam.gserviceaccount.com

And finally you add an IAM policy binding with the roles/storage.admin role to the service account member cdap-gcs@cdap-gcs.iam.gserviceaccount.com.

Reference: https://cloud.google.com/sdk/gcloud/reference/beta/projects/add-iam-policy-binding

gcloud beta projects add-iam-policy-binding cdap-gcs \
  --member serviceAccount:cdap-gcs@cdap-gcs.iam.gserviceaccount.com \
  --role roles/storage.admin
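
The ~/key.json file written above is a long-lived credential for an account that now holds roles/storage.admin, so it is worth checking the file before registering it with an application. The script below is an added example, not part of the original post: it refuses a key file that group or other users can access and prints which account and key ID the file belongs to, without ever printing the private key. The helper names sa_key_field, sa_key_audit and write_sample_key are hypothetical, the sample key is constructed, and the parsing assumes the pretty-printed one-field-per-line JSON that the console and gcloud write.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a downloaded service account key file.
# Assumes the pretty-printed JSON layout written by the console and gcloud
# (one "name": "value" pair per line). sa_key_field / sa_key_audit are
# hypothetical helper names, not gcloud commands.

# Print the value of one top-level string field from the key file.
sa_key_field() {
  sed -n 's/^[[:space:]]*"'"$2"'":[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Return 0 only if the file is a service account key accessible to its owner alone.
# Prints the account and key ID (never the private key) so they can be matched
# against: gcloud iam service-accounts keys list --iam-account <client_email>
sa_key_audit() {
  local file=$1 perms
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  perms=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
  if [ "$perms" != "------" ]; then
    echo "FAIL: $file is accessible to group/other; run: chmod 600 $file" >&2
    return 1
  fi
  if [ "$(sa_key_field "$file" type)" != "service_account" ]; then
    echo "FAIL: $file is not a service account key" >&2
    return 1
  fi
  echo "account=$(sa_key_field "$file" client_email) key_id=$(sa_key_field "$file" private_key_id)"
}

# Constructed sample with the field names of a real key file; all values are fake.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "cdap-gcs",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
  "client_email": "cdap-gcs@cdap-gcs.iam.gserviceaccount.com"
}
EOF
}
```

Run `sa_key_audit ~/key.json` after sourcing the script; a non-zero exit status means the file should be fixed before it is used.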

That’s it! You’ve just created a GCP service account key.
Enjoy!
