# 1. Set restrictive permissions on key file chmod 600 service-account-key.json 2. Use Workload Identity Federation when possible (instead of keys) https://cloud.google.com/iam/docs/workload-identity-federation 3. Rotate keys regularly gcloud iam service-accounts keys list --iam-account=$SA_EMAIL gcloud iam service-accounts keys delete KEY_ID --iam-account=$SA_EMAIL 4. Audit key usage gcloud logging read "protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"" 5. Use temporary credentials gcloud auth print-access-token --impersonate-service-account=$SA_EMAIL 9. Troubleshooting Common Issues & Solutions | Issue | Solution | |-------|----------| | Permission denied | Check IAM roles: gcloud projects get-iam-policy PROJECT_ID | | Invalid JSON | Validate key: jq . key.json | | Token expired | Re-authenticate: gcloud auth revoke && gcloud auth activate... | | Project not set | Set project: gcloud config set project PROJECT_ID | | Quota exceeded | Check quota: gcloud services quota list | Debug Commands # Enable debug logging gcloud auth activate-service-account --key-file=key.json --log-http Check environment gcloud info --run-diagnostics List all active accounts gcloud auth list --filter="status=ACTIVE" 10. Cleanup & Logout # Revoke service account access gcloud auth revoke $SA_EMAIL Remove all credentials gcloud auth revoke --all Clear application default credentials rm -f ~/.config/gcloud/application_default_credentials.json This feature provides a complete, production-ready implementation for authenticating with service accounts in Google Cloud, suitable for automation, CI/CD, and secure deployments.
Examples: $0 --key-file ./sa-key.json $0 -k sa-key.json -p my-project $0 -k sa-key.json -v EOF exit 0 ;; *) log_error "Unknown option: $1" exit 1 ;; esac done if [[ -z "$KEY_FILE" ]]; then log_error "Key file is required. Use --key-file or -k" exit 1 fi gcloud login with service account
if [[ ! -f "$KEY_FILE" ]]; then log_error "Key file not found: $KEY_FILE" exit 1 fi if ! jq empty "$KEY_FILE" 2>/dev/null; then log_error "Invalid JSON in key file: $KEY_FILE" exit 1 fi Extract service account email SA_EMAIL=$(jq -r .client_email "$KEY_FILE") if [[ -z "$SA_EMAIL" || "$SA_EMAIL" == "null" ]]; then log_error "Invalid service account key: missing client_email" exit 1 fi Rotate keys regularly gcloud iam service-accounts keys list
log_info "Authenticating service account: $SA_EMAIL" GCLOUD_CMD="gcloud auth activate-service-account $SA_EMAIL --key-file=$KEY_FILE" Troubleshooting Common Issues & Solutions | Issue |
log_info() echo -e "$GREEN[INFO]$NC $1"; log_warn() echo -e "$YELLOW[WARN]$NC $1"; log_error() echo -e "$RED[ERROR]$NC $1"; KEY_FILE="" PROJECT_ID="" VERBOSE=false SET_ACTIVE=true Parse arguments while [[ $# -gt 0 ]]; do case $1 in --key-file|-k) KEY_FILE="$2" shift 2 ;; --project|-p) PROJECT_ID="$2" shift 2 ;; --verbose|-v) VERBOSE=true shift ;; --no-set-active) SET_ACTIVE=false shift ;; --help|-h) cat << EOF Usage: $0 [OPTIONS]