Explaining GCP Service Account Keys

The aim of this page is to explain GCP service account keys and authorization based on the particular example of a service account key generated in JSON. The main insight is the separation of authentication (get into the cloud) and authorization (the ability to use this service and not that one, etc.) and the fact that service keys handle only the first bit.

Pavol Kutaj
2 min read · May 3, 2024
  • A GCP service account key is the GCP counterpart of an AWS access key ID and secret access key pair.
  • Both are used for programmatic authentication to their respective cloud platforms.
  • A service account is created within a specific GCP project and cannot be moved to a different project after creation.
  • The service account key itself contains the project ID it belongs to.
  • A GCP service account key in JSON format contains both the ID and the key within a single structure.
  • It also includes fields such as project_id, client_email, and client_id:
{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Source: https://cloud.google.com/iam/docs/keys-create-delete

  • GCP service account keys are used for authentication, proving the identity of the service account.
  • Authorization, which controls what resources the service account can access and what actions it can perform, is handled through Google Cloud’s Identity and Access Management (IAM).
  • IAM policies are attached to GCP resources and define roles (sets of permissions) that service accounts (or user accounts) can have.

To limit access for a service account key:

  • Grant least privilege
  • Use custom roles
  • Use short-lived credentials

The process goes like this:

  1. The service account uses its private key to authenticate itself to Google Cloud.
  2. Google Cloud’s IAM service examines the IAM policies associated with the resources being accessed.
  3. Based on the IAM policies, IAM grants or denies access to the requested resource.
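The following is an added example, not code from the original post or from Google. It ties the JSON structure above to the three-step process: it loads a constructed key file (every value is a placeholder), builds the header and claim set of the JWT that a service account signs with its private_key and exchanges at token_uri for an access token (the RS256 signature itself needs an RSA library and is left to the caller), and then evaluates a constructed IAM policy to show that the key only establishes who is calling, while the policy decides what that identity may do. The role-to-permission table and the bucket policy are abridged, constructed samples.

```python
"""Authentication versus authorization for a GCP service account key.

Added example (not from the original post). All key material and the IAM
policy below are constructed placeholders.
"""
import base64
import json
import time

# Constructed sample key file: same field layout as a real key, but every
# value is a placeholder and the private_key body is not valid PEM key material.
SAMPLE_KEY_JSON = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/demo-sa%40example-project.iam.gserviceaccount.com"
}"""

# Fields the token exchange needs; a key file missing any of them is unusable.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")


def load_service_account_key(text):
    """Parse a key file and check it has the structure described in the post."""
    key = json.loads(text)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key: type=%r" % key.get("type"))
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    if "-----BEGIN PRIVATE KEY-----" not in key["private_key"]:
        raise ValueError("private_key is not PEM encoded")
    return key


def b64url(data):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment):
    """Inverse of b64url for one JWT segment (re-adds the stripped padding)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def build_jwt_signing_input(key, scopes, now=None, lifetime=3600):
    """Step 1: the assertion the service account signs to prove its identity.

    Google's token endpoint (key["token_uri"]) accepts an RFC 7523 JWT bearer
    grant: "header.claims" is signed with RS256 using private_key and posted
    as the "assertion" parameter. This builds the unsigned "header.claims";
    the RSA signature is left to the caller. Google rejects an exp more than
    one hour after iat, so lifetime is capped at 3600 seconds.
    """
    if lifetime > 3600:
        raise ValueError("Google caps assertion lifetime at 3600 seconds")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    claims = {
        "iss": key["client_email"],    # the identity being asserted
        "scope": " ".join(scopes),     # OAuth scopes requested for the token
        "aud": key["token_uri"],       # the endpoint that validates the assertion
        "iat": now,
        "exp": now + lifetime,
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return compact(header) + "." + compact(claims), claims


# Constructed, abridged view of what IAM holds for steps 2 and 3: roles are
# sets of permissions, and a policy on a resource binds roles to members.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}

SAMPLE_BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:demo-sa@example-project.iam.gserviceaccount.com"]},
    ]
}


def permissions_for(policy, member):
    """Union of permissions a member receives from every binding that names it."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def is_authorized(policy, key, permission):
    """Steps 2 and 3: IAM checks the resource policy for the authenticated
    identity. The key only says who is calling; the policy decides what."""
    return permission in permissions_for(policy, "serviceAccount:" + key["client_email"])


if __name__ == "__main__":
    sa_key = load_service_account_key(SAMPLE_KEY_JSON)
    signing_input, claims = build_jwt_signing_input(
        sa_key, ["https://www.googleapis.com/auth/cloud-platform"])
    print("assertion issuer:", claims["iss"], "audience:", claims["aud"])
    for perm in ("storage.objects.get", "storage.objects.delete"):
        verdict = "allowed" if is_authorized(SAMPLE_BUCKET_POLICY, sa_key, perm) else "denied"
        print(perm, "->", verdict)
```

Run as-is and the same key is accepted for storage.objects.get but refused for storage.objects.delete: nothing in the key file changed, only the policy consulted in steps 2 and 3. The least-privilege advice above maps directly onto the bindings list, and the one-hour cap on the assertion lifetime is where the short-lived-credentials advice starts.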

ANKI

Question: What is a GCP service account key?
Answer: A GCP service account key is similar to AWS access key ID and secret access key and is used for programmatic authentication to Google Cloud platforms.

Question: What format does a GCP service account key come in?
Answer: A GCP service account key comes in JSON format and contains both the ID and the key within a single structure.

Question: How does authorization work with GCP service account keys?
Answer: GCP service account keys themselves don’t directly determine authorization. They are used for authentication, proving the identity of the service account. Authorization is handled through Google Cloud’s Identity and Access Management (IAM).

Question: How can you limit access for a GCP service account key?
Answer: You can limit access for a GCP service account key by granting least privilege, using custom roles, and using short-lived credentials.

Question: How does the IAM service work with GCP service account keys?
Answer: The service account uses its private key to authenticate itself to Google Cloud. Then, Google Cloud’s IAM service examines the IAM policies associated with the resources being accessed. Finally, IAM grants or denies access to the requested resource based on the IAM policies.

Pavol Kutaj

Today I Learnt | Infrastructure Support Engineer at snowplow.io with a passion for cloud infrastructure/terraform/python/docs. More at https://pavol.kutaj.com