Google Cloud: Security with Service Accounts - made Simple?
1 min read · Aug 14, 2018
*******************************************************************
Google Cloud: security landscape
- A service account (SA) is an identity.
- An SA is always attached to a single GCP project ID.
- Each SA has its own private key.
- Keep the private key secured.
- Rotate the private key frequently.
- An SA can be attached to a GCP resource: VM, container, pod, etc.
- Using the SA private key, you can make GCP API and service calls.
- Using the SA private key, the user can generate a signed JSON Web Token (JWT).
*******************************************************************
How to use the SA private key
(Create a JWT -> sign the JWT with the SA private key -> use the signed JWT to obtain a new Google access token -> use the Google token to call GCP APIs)
*******************************************************************
Attributes of an SA:
- SA_email_id = "service_account_name@GCP_Proj_Name.iam.gserviceaccount.com"
- SA resource name = "projects/GCP_Proj_name/serviceAccounts/" + SA_email_id
*******************************************************************
Contents of a service account credentials (key) file
- type = service_account
- project_id = GCP project ID
- private_key_id = ***
- private_key = PEM-encoded private key (redacted)
- client_email = svc_acct_name@GCP_proj_name.iam.gserviceaccount.com
- client_id = ****
- auth_uri = Google auth endpoint
- token_uri = Google auth token endpoint
- auth_provider_x509_cert_url = Google API OAuth2 certificates
- client_x509_cert_url = Google metadata for this SA's certificate
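The flow described above (build a JWT, sign it with the SA private key, exchange it for a Google token) and the key-file fields just listed, carried through in Python as an added example; this is not code from the post. It assumes the `cryptography` package for RS256 signing and a constructed, fake key file (the private key value is a placeholder). The `cloud-platform` scope, the Google URIs, the `jwt-bearer` grant type and the one-hour assertion limit are Google's documented values, not from the post; the checks in `check_key_file` (field names, email domain matching the project, PEM shape) are the ones a reviewer would apply before trusting a key file found in a repo or a config store.

```python
"""Service-account JWT bearer flow (added example, not the post's own code).

Assumes the `cryptography` package for RS256 signing. SAMPLE_CREDENTIALS is a
constructed, fake key file: the private_key is a placeholder, not a real key.
"""
import base64
import json
import time

# Field names in a Google service-account JSON key file (the list on the page).
REQUIRED_KEYS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)
SA_DOMAIN = ".iam.gserviceaccount.com"
MAX_LIFETIME = 3600  # Google rejects assertions valid for longer than one hour
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample key file (fake project, fake key).
SAMPLE_CREDENTIALS = json.dumps({
    "type": "service_account",
    "project_id": "example-proj",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "deploy-bot@example-proj.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "deploy-bot%40example-proj.iam.gserviceaccount.com",
})


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_key_file(json_text: str) -> str:
    """Return "ok" or a reason the key file should not be trusted."""
    creds = json.loads(json_text)
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        return f"missing fields: {missing}"
    if creds["type"] != "service_account":
        return "type is not service_account"
    if not creds["client_email"].endswith("@" + creds["project_id"] + SA_DOMAIN):
        return "client_email does not belong to project_id"
    if not creds["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        return "private_key is not a PEM block"
    return "ok"


def load_service_account(json_text: str) -> dict:
    """Parse the key file, refusing anything check_key_file rejects."""
    verdict = check_key_file(json_text)
    if verdict != "ok":
        raise ValueError(verdict)
    return json.loads(json_text)


def build_claims(creds: dict, scope: str, now: int, lifetime: int = MAX_LIFETIME) -> dict:
    """Claim set for the JWT bearer grant: who is asking, for what, until when."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    return {"iss": creds["client_email"], "scope": scope,
            "aud": creds["token_uri"], "iat": now, "exp": now + lifetime}


def signing_input(creds: dict, claims: dict) -> str:
    """header.payload: the bytes the SA private key signs (kid is optional)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": creds["private_key_id"]}
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    return ".".join(b64url(p) for p in parts)


def rs256_sign(pem: str, data: bytes) -> bytes:
    """RS256 signature with the SA private key (imports `cryptography` on use)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem.encode(), password=None)
    return key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def make_assertion(creds: dict, scope: str, now: int, signer=rs256_sign,
                   lifetime: int = MAX_LIFETIME) -> str:
    """Signed compact JWT: header.payload.signature."""
    unsigned = signing_input(creds, build_claims(creds, scope, now, lifetime))
    return unsigned + "." + b64url(signer(creds["private_key"], unsigned.encode("ascii")))


def token_exchange_body(assertion: str) -> dict:
    """Form body POSTed to token_uri to trade the signed JWT for an access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(jwt: str) -> dict:
    """Read the claim set back from a compact JWT (no signature check; inspection only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    # A freshly generated key stands in for a real one so the run needs no secret.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    creds = load_service_account(SAMPLE_CREDENTIALS)
    creds["private_key"] = key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption()).decode()
    jwt = make_assertion(creds, CLOUD_PLATFORM_SCOPE, int(time.time()))
    print(json.dumps(token_exchange_body(jwt), indent=2))
```

The signer is passed in so the flow can be exercised with a stub, which also makes the point that the only secret in the whole exchange is the private key: everything else (claims, scope, audience) is public structure, and keeping the assertion lifetime short limits what a captured JWT is worth.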
*******************************************************************