```bash
# 1. Set restrictive permissions on key file
chmod 600 service-account-key.json

# 2. Use Workload Identity Federation when possible (instead of keys)
# https://cloud.google.com/iam/docs/workload-identity-federation

# 3. Rotate keys regularly
gcloud iam service-accounts keys list --iam-account=$SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account=$SA_EMAIL

# 4. Audit key usage
gcloud logging read 'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"'

# 5. Use temporary credentials
gcloud auth print-access-token --impersonate-service-account=$SA_EMAIL
```

## 9. Troubleshooting

### Common Issues & Solutions

| Issue | Solution |
|-------|----------|
| Permission denied | Check IAM roles: `gcloud projects get-iam-policy PROJECT_ID` |
| Invalid JSON | Validate key: `jq . key.json` |
| Token expired | Re-authenticate: `gcloud auth revoke && gcloud auth activate...` |
| Project not set | Set project: `gcloud config set project PROJECT_ID` |
| Quota exceeded | Check quota: `gcloud services quota list` |

### Debug Commands

```bash
# Enable debug logging
# (--log-http prints full request/response headers and bodies; treat its output as sensitive)
gcloud auth activate-service-account --key-file=key.json --log-http

# Check environment
gcloud info --run-diagnostics

# List all active accounts
gcloud auth list --filter="status=ACTIVE"
```

## 10. Cleanup & Logout

```bash
# Revoke service account access
gcloud auth revoke $SA_EMAIL

# Remove all credentials
gcloud auth revoke --all

# Clear application default credentials
rm -f ~/.config/gcloud/application_default_credentials.json
```

This feature provides a complete, production-ready implementation for authenticating with service accounts in Google Cloud, suitable for automation, CI/CD, and secure deployments.
# gcloud login with service account
#
# Add the --project flag to the gcloud command string only when a project was
# requested; an empty PROJECT_ID leaves GCLOUD_CMD exactly as it was.
# NOTE(review): GCLOUD_CMD is a whitespace-joined command string, so wherever
# it is later expanded unquoted a PROJECT_ID containing spaces or glob
# characters would be split into extra arguments. An array would avoid that,
# but would change how the rest of the script invokes the command.
case "$PROJECT_ID" in
  '')
    # no project given: nothing to append
    ;;
  *)
    GCLOUD_CMD="${GCLOUD_CMD} --project=${PROJECT_ID}"
    ;;
esac
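#######################################
# Coloured log helpers.
# Globals:   GREEN, YELLOW, RED, NC (read; defined elsewhere in the script —
#            assumed to hold terminal colour escape sequences, TODO confirm)
# Arguments: $1 - message to print
# Outputs:   one tagged line on stdout
# Returns:   printf's status
#
# The colour variables go through %b so their backslash escapes are still
# interpreted (as `echo -e` did). The message goes through %s so that
# backslash sequences inside it — e.g. from a user-supplied path echoed back
# in an error — are printed literally instead of becoming terminal control
# codes.
#######################################
log_info() {
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$1"
}

log_warn() {
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$1"
}

log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$1"
}

# Option defaults, overridden by the argument parser below.
KEY_FILE=""       # --key-file / -k: path to the service-account key file
PROJECT_ID=""     # --project / -p: project passed on to gcloud
VERBOSE=false     # --verbose / -v
SET_ACTIVE=true   # cleared by --no-set-active

# Parse arguments
# NOTE(review): the loop, its case statement and the --help heredoc continue
# past the end of this excerpt; only the arms visible here are reproduced.
# Also: when -k or -p is the last argument, "$2" is empty and `shift 2` fails
# without shifting, so unless `set -e` is active the loop never advances; the
# full parser should reject a missing value rather than store "".
while [[ $# -gt 0 ]]; do
  case $1 in
    --key-file|-k)
      KEY_FILE="$2"
      shift 2
      ;;
    --project|-p)
      PROJECT_ID="$2"
      shift 2
      ;;
    --verbose|-v)
      VERBOSE=true
      shift
      ;;
    --no-set-active)
      SET_ACTIVE=false
      shift
      ;;
    --help|-h)
      cat << EOF
Usage: $0 [OPTIONS]
Rotate keys regularly gcloud iam service-accounts keys list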