GCloud universal service account

gcloudgoogle-cloud-identitygoogle-cloud-platform

I have around 8 projects created under my GCloud account and it might increase in future.

I am trying to manage inventory and other activity related to all the projects from single place using automation. It becomes very critical to manage 10+ service account keys and keep rotating them in regular interval.

Is there any option to manage all projects using single service account?

Thank you

Best Answer

You can grant access for a service account to any Google Cloud Platform resource you'd like. Your service account has an associated @gserviceaccount.com email address; you can go in the Cloud Console under the "IAM and Admin" tab and grant access to that service account to an entire project.

I'd urge you to exercise caution in doing something like that, however; the more permissions you give a service account, the more of a crisis it will cause if that account is compromised.

Related Solutions

How to use GOOGLE_APPLICATION_CREDENTIALS with gcloud on a server

gcloud generally does not use GOOGLE_APPLICATION_CREDENTIALS environment variable. It only has some commands to facilitate setting up these application default credentials in gcloud auth application-default [login|revoke|print-access-token...].

By default gcloud stores its configuration in ${HOME}/.config/gcloud. It is possible to override that location by setting CLOUDSDK_CONFIG environment variable.

Also it is possible (though more tedious) to override most setting so that they do not need to be preconfigured via gcloud config set ... and/or gcloud auth activate-service-account. For each setting one can specify environment variable.

For example the equivalent command you tried to use service account key file would be:

$ CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/etc/my-service-account-4b4b6e63aaed.json \
    gcloud alpha pubsub topics publish testtopic hello

Note that this will still cache credentials in CLOUDSDK_CONFIG since it needs to cache access-token, so that it wont have to refresh it on each invocation.

For your use case best option in my view would be

Set CLOUDSDK_CONFIG to some temp directory
gcloud auth activate-service-account --key-file=...
... use gcloud to do your work ...
Remove temp CLOUDSDK_CONFIG directory.

Mysql – Passwordless user for Google Cloud SQL (MySQL) using Cloud SQL Proxy

Basically, it seems like the Cloud SQL Proxy does not enable authenticating to a specific MySQL user via an IAM Service Account. Is this correct?

That is correct. The Cloud SQL Proxy doesn't offer any mechanisms for restricting which MySQL users you have access to when you connect using the proxy. Connections made through the proxy are only restricted by whatever IAM roles are assigned to them. The mechanism for restricting which accounts can access which users is to use password protection.

Best Answer

Related Solutions

How to use GOOGLE_APPLICATION_CREDENTIALS with gcloud on a server

Mysql – Passwordless user for Google Cloud SQL (MySQL) using Cloud SQL Proxy

Related Topic