3
votes

The following command allows you to set your default credentials:

 gcloud auth application-default login

It opens up a window (unless you use --no-launch-browser) and allows you to connect your account. It creates a local JSON file that contains your credentials, which will be picked up when an application uses the Google Cloud SDK.

However, if I'd like to set my application credentials to a service account as follows:

 gcloud auth application-default login \
     --impersonate-service-account=saname@project.iam.gserviceaccount.com

This still allows me to authenticate in the browser, but it seems to load the credentials for my user account, not for the service account.

Is there any way to achieve this? I.e., service account set as application default, without the need for a service account file.

Note: I do have the rights to impersonate the Service Account.

1

I wrote an article that shows the steps to use user credentials to impersonate a service account. No service JSON key file is required. jhanley.com/google-cloud-improving-security-with-impersonation – John Hanley

1 Answer

1
votes

gcloud auth application-default login uses the active|specified user account to create a local JSON file that behaves like a service account.

I assume -- correct? -- that, even though your user account is permitted to impersonate the ServiceAccount, using your user account as ADC does not work. I don't know why that is.

The alternative is to use gcloud auth activate-service-account but, as you know, you will need to have the service account's credentials as these will be used instead of the credentials created by application-default login.
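As an added example (not part of the question or the answer above), a small check that reads an ADC JSON document and reports which principal client libraries will actually run as, which is the quickest way to tell whether impersonation was recorded in the file or only a plain user credential was written. The two sample documents are constructed, with every secret replaced by a placeholder, and follow the credential types that google-auth recognises; the default ADC path is the one gcloud uses.

```python
import json
import os
from typing import Tuple

# Default location written by `gcloud auth application-default login`;
# GOOGLE_APPLICATION_CREDENTIALS overrides it for client libraries.
DEFAULT_ADC_PATH = os.path.expanduser(
    "~/.config/gcloud/application_default_credentials.json"
)

# Constructed sample: an ADC file in which impersonation was recorded.
# The service account appears only inside the impersonation URL; the
# wrapped source credential is still the end user's refresh token.
ADC_IMPERSONATED = {
    "type": "impersonated_service_account",
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "saname@project.iam.gserviceaccount.com:generateAccessToken"
    ),
    "source_credentials": {
        "type": "authorized_user",
        "client_id": "PLACEHOLDER.apps.googleusercontent.com",
        "client_secret": "PLACEHOLDER",
        "refresh_token": "PLACEHOLDER",
    },
    "delegates": [],
}

# Constructed sample: a plain user ADC file, i.e. no impersonation applied.
ADC_USER = {
    "type": "authorized_user",
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "refresh_token": "PLACEHOLDER",
}


def effective_principal(adc: dict) -> Tuple[str, str]:
    """Return (credential type, principal) for a parsed ADC document."""
    kind = adc.get("type")
    if kind == "impersonated_service_account":
        # URL ends in .../serviceAccounts/<sa email>:generateAccessToken
        url = adc["service_account_impersonation_url"]
        sa_email = url.rsplit("/", 1)[-1].split(":", 1)[0]
        return kind, sa_email
    if kind == "service_account":          # downloaded key file
        return kind, adc["client_email"]
    if kind == "authorized_user":          # end-user refresh token only
        return kind, "user account (no service account identity)"
    raise ValueError(f"unrecognised ADC credential type: {kind!r}")


def inspect_adc_file(path: str = DEFAULT_ADC_PATH) -> Tuple[str, str]:
    """Load the ADC file an application would pick up and classify it."""
    with open(os.environ.get("GOOGLE_APPLICATION_CREDENTIALS", path), encoding="utf-8") as fh:
        return effective_principal(json.load(fh))
```

If `inspect_adc_file()` reports `authorized_user`, the application will call APIs as the user, not as the service account, regardless of what was passed on the command line.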