Account !link! - Gcloud Login With Service

# 1. Set restrictive permissions on key file chmod 600 service-account-key.json 2. Use Workload Identity Federation when possible (instead of keys) https://cloud.google.com/iam/docs/workload-identity-federation 3. Rotate keys regularly gcloud iam service-accounts keys list --iam-account=$SA_EMAIL gcloud iam service-accounts keys delete KEY_ID --iam-account=$SA_EMAIL 4. Audit key usage gcloud logging read "protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"" 5. Use temporary credentials gcloud auth print-access-token --impersonate-service-account=$SA_EMAIL 9. Troubleshooting Common Issues & Solutions | Issue | Solution | |-------|----------| | Permission denied | Check IAM roles: gcloud projects get-iam-policy PROJECT_ID | | Invalid JSON | Validate key: jq . key.json | | Token expired | Re-authenticate: gcloud auth revoke && gcloud auth activate... | | Project not set | Set project: gcloud config set project PROJECT_ID | | Quota exceeded | Check quota: gcloud services quota list | Debug Commands # Enable debug logging gcloud auth activate-service-account --key-file=key.json --log-http Check environment gcloud info --run-diagnostics List all active accounts gcloud auth list --filter="status=ACTIVE" 10. Cleanup & Logout # Revoke service account access gcloud auth revoke $SA_EMAIL Remove all credentials gcloud auth revoke --all Clear application default credentials rm -f ~/.config/gcloud/application_default_credentials.json This feature provides a complete, production-ready implementation for authenticating with service accounts in Google Cloud, suitable for automation, CI/CD, and secure deployments.

Examples: $0 --key-file ./sa-key.json $0 -k sa-key.json -p my-project $0 -k sa-key.json -v EOF exit 0 ;; *) log_error "Unknown option: $1" exit 1 ;; esac done if [[ -z "$KEY_FILE" ]]; then log_error "Key file is required. Use --key-file or -k" exit 1 fi

# Display current configuration if $VERBOSE; then echo "" log_info "Current configuration:" gcloud config list echo "" log_info "Auth info:" gcloud auth list fi else log_error "Authentication failed" exit 1 fi if $VERBOSE; then log_info "Testing access..." if gcloud projects describe "$(gcloud config get-value project 2>/dev/null)" &>/dev/null; then log_info "✓ Access test passed" else log_warn "Access test failed - check IAM permissions" fi fi 4. Usage Examples Basic authentication ./gcloud-sa-login.sh --key-file ./my-key.json With project and verbose output ./gcloud-sa-login.sh -k ./my-key.json -p my-project -v Using jq to extract email # One-liner gcloud auth activate-service-account \ $(jq -r .client_email key.json) \ --key-file=key.json 5. Verification Commands # Check active account gcloud auth list Get current account email gcloud config get-value account Test authentication with API call gcloud projects list Get access token (useful for debugging) gcloud auth print-access-token Get identity token gcloud auth print-identity-token Check service account permissions gcloud iam service-accounts get-iam-policy $SA_EMAIL 6. Docker Integration FROM google/cloud-sdk:latest Copy service account key COPY service-account-key.json /tmp/gcloud-key.json Authenticate RUN gcloud auth activate-service-account $(jq -r .client_email /tmp/gcloud-key.json) --key-file=/tmp/gcloud-key.json --project=my-project Clean up key for security RUN rm /tmp/gcloud-key.json Set default project ENV CLOUDSDK_CORE_PROJECT=my-project gcloud login with service account

log_info "Authenticating service account: $SA_EMAIL" GCLOUD_CMD="gcloud auth activate-service-account $SA_EMAIL --key-file=$KEY_FILE"

if [[ -n "$PROJECT_ID" ]]; then GCLOUD_CMD="$GCLOUD_CMD --project=$PROJECT_ID" fi Rotate keys regularly gcloud iam service-accounts keys list

log_info() echo -e "$GREEN[INFO]$NC $1"; log_warn() echo -e "$YELLOW[WARN]$NC $1"; log_error() echo -e "$RED[ERROR]$NC $1"; KEY_FILE="" PROJECT_ID="" VERBOSE=false SET_ACTIVE=true Parse arguments while [[ $# -gt 0 ]]; do case $1 in --key-file|-k) KEY_FILE="$2" shift 2 ;; --project|-p) PROJECT_ID="$2" shift 2 ;; --verbose|-v) VERBOSE=true shift ;; --no-set-active) SET_ACTIVE=false shift ;; --help|-h) cat << EOF Usage: $0 [OPTIONS]

Options: -k, --key-file PATH Service account JSON key file (required) -p, --project ID GCP project ID (optional) -v, --verbose Enable verbose output --no-set-active Don't set as active account -h, --help Show this help message Troubleshooting Common Issues & Solutions | Issue |

if $VERBOSE; then log_info "Running: $GCLOUD_CMD" set -x fi if $GCLOUD_CMD; then log_info "✓ Authentication successful"