This guide explains the steps required to grant a user the necessary permissions to export service account keys (as JSON files) in Google Cloud. These keys allow users or applications to authenticate with Google Cloud services.
Steps to Grant Permissions
Assign the Service Account Key Admin Role
The Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin) is required to manage and export service account keys. Follow these steps:
Using the Google Cloud Console
Navigate to the IAM & Admin Page.
Select your organization or the specific project.
Click “Add” to add a new principal.
Enter the user’s email address.
In the “Select a role” dropdown, choose “Service Account Key Admin”.
Click “Save” to apply the changes.
Using the gcloud Command-Line Tool
Run the following command to assign the role:
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
--member=user:[USER_EMAIL] \
--role=roles/iam.serviceAccountKeyAdmin
Replace:
[ORGANIZATION_ID] with your organization ID.
[USER_EMAIL] with the user’s email address.
This role grants the ability to create, upload, and manage service account keys.
Assign the Service Account User Role
The Service Account User role (roles/iam.serviceAccountUser) allows users to manage specific service accounts and generate keys for them.
Using the Google Cloud Console
Navigate to the Service Accounts Page.
Select the project containing the service account.
Click on the email address of the desired service account.
Go to the “Permissions” tab.
Click “Add” to add a new principal.
Enter the user’s email address.
In the “Select a role” dropdown, choose “Service Account User”.
Click “Save” to apply the changes.
Using the gcloud Command-Line Tool
Run the following command:
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
--member=user:[USER_EMAIL] \
--role=roles/iam.serviceAccountUser
Replace:
[SERVICE_ACCOUNT_EMAIL] with the service account’s email address.
[USER_EMAIL] with the user’s email address.
This role allows the user to act as the service account and generate keys.
Important Notes
Security Best Practices
Service account keys are sensitive credentials. Follow these best practices:
Rotate keys regularly.
Store keys securely (e.g., in a secret management tool).
Avoid sharing keys unnecessarily.
Limit key usage to specific users or applications.
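As an added example (not part of the original guide), the following script turns the "rotate keys regularly" note into a check: it reads the JSON that gcloud iam service-accounts keys list --format=json produces and reports user-managed keys older than a rotation window. The keyType and validAfterTime fields are the ones gcloud returns; the sample JSON, the service account email, key IDs and reference date are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of:
#   gcloud iam service-accounts keys list --iam-account=[SERVICE_ACCOUNT_EMAIL] --format=json
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example-project/serviceAccounts/sa@example-project.iam.gserviceaccount.com/keys/0a1b2c3d",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/sa@example-project.iam.gserviceaccount.com/keys/4e5f6a7b",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-03-03T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/sa@example-project.iam.gserviceaccount.com/keys/8c9d0e1f",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z",
   "validBeforeTime": "2024-01-15T00:00:00Z"}
]
"""

# Constructed reference date so the sample evaluates deterministically.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    # gcloud emits UTC timestamps with a trailing "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_user_keys(keys_json, now=None, max_age_days=90):
    """Return [(key_id, age_in_days)] for user-managed keys older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google; skip them
        age_days = (now - parse_rfc3339(key["validAfterTime"])).days
        if age_days > max_age_days:
            stale.append((key["name"].rsplit("/", 1)[-1], age_days))
    return stale


def run_sample():
    return stale_user_keys(SAMPLE_KEYS_JSON, SAMPLE_NOW)


if __name__ == "__main__":
    # Usage: gcloud iam service-accounts keys list --iam-account=SA --format=json | python3 check_keys.py
    for key_id, age in stale_user_keys(sys.stdin.read()):
        print(f"rotate key {key_id}: {age} days old")
```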
Organization Policy Constraints
Your organization might enforce policies restricting the creation or upload of service account keys. Ensure these policies are reviewed and updated as necessary to allow the required actions.
By following the instructions in this document, you can grant users the ability to export and manage service account keys while maintaining secure access control.