Welcome back. In a previous lesson we created:
  • a custom IAM role that allows listing Cloud Storage buckets and objects,
  • a service account, and
  • a service account key (JSON).
This article shows how to use that downloaded service account key locally so the gcloud CLI acts as the service account while you develop or test. Follow the steps below to authenticate, verify permissions, adjust role permissions if needed, and clean up local credentials.
Service account keys are sensitive. Store them only on trusted machines, delete them when no longer needed, and rotate keys if they are exposed.
What the service account key looks like
Below is an example of the JSON key file you download from the Cloud Console. Your file will include the same fields; private_key is shortened here.
{
  "type": "service_account",
  "project_id": "kodekloud-gcp-training",
  "private_key_id": "79980d36ed10010b4098be95fcf3ccdbf36bc404",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC...\n-----END PRIVATE KEY-----\n",
  "client_email": "kodekloud-test-sa@kodekloud-gcp-training.iam.gserviceaccount.com",
  "client_id": "115919895903955568351",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/kodekloud-test-sa%40kodekloud-gcp-training.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
Prerequisite: gcloud CLI
Install and configure the gcloud CLI first: https://cloud.google.com/sdk/docs/install
On macOS, if you see Python-related errors (for example ModuleNotFoundError: No module named 'imp'), point the Cloud SDK to a compatible Python binary. Example:
export CLOUDSDK_PYTHON=/opt/homebrew/bin/python3.11
Step 1 — Activate the service account locally
With the JSON key file in your working directory (here named kodekloud-gcp-training-79980d36ed10.json), run:
gcloud auth activate-service-account --key-file=kodekloud-gcp-training-79980d36ed10.json
Expected response:
Activated service account credentials for: [kodekloud-test-sa@kodekloud-gcp-training.iam.gserviceaccount.com]
Step 2 — Set the active project
Set the project for subsequent gcloud commands. Permissions are evaluated against the project and resources in this context:
gcloud config set project kodekloud-gcp-training
If the active account does not have permission to view the project, gcloud warns and asks you to confirm:
WARNING: You do not appear to have access to project [kodekloud-gcp-training] or it does not exist.
Are you sure you wish to set property [core/project] to kodekloud-gcp-training?

Do you want to continue (Y/n)? Y

Updated property [core/project].
Step 3 — Verify the service account permissions
Test an operation the custom role allows (list Cloud Storage buckets):
gcloud storage ls
Example output (lists buckets visible to the service account):
gs://data-proc-demo-kodekloud/
gs://dataflow-staging-us-central1-240657367796/
...
gs://temp_data_kodekloud/
Now test an operation that the custom role does not include (list Compute Engine instances):
gcloud compute instances list
If the service account lacks compute.instances.list, you’ll see an error like:
ERROR: (gcloud.compute.instances.list) Some requests did not succeed:
 - Required 'compute.instances.list' permission for 'projects/kodekloud-gcp-training'
Step 4 — Add missing permission to the custom role (if needed)
If you require additional permissions, edit the custom role in the Cloud Console:
  1. Go to IAM & Admin → Roles.
  2. Open your custom role (e.g., kodekloud.storage.viewer).
  3. Click Edit role → Add permissions.
  4. Search for compute.instances.list, add it, and Update.
[Screenshot: the IAM & Admin "Edit role" page for the custom role kodekloud.storage.viewer, with the "Add permissions" dialog open listing compute.instance permissions; the assigned storage permissions and role details are shown on the left.]
After updating the role, rerun:
gcloud compute instances list
If the service account now has compute.instances.list but there are no instances in the project, the command returns:
Listed 0 items.
This confirms that local authentication and role permission changes are effective.
Step 5 — Cleaning up and revoking local credentials
When finished, list active accounts:
gcloud auth list
Example output:
Credentialed Accounts

ACTIVE  ACCOUNT
*       kodekloud-test-sa@kodekloud-gcp-training.iam.gserviceaccount.com

To set the active account, run:
 $ gcloud config set account `ACCOUNT`
Revoke the service account credentials from your local gcloud auth store:
gcloud auth revoke kodekloud-test-sa@kodekloud-gcp-training.iam.gserviceaccount.com
Warning: revoking a service account only removes the credentials from your local gcloud auth store. Access tokens already issued to the service account cannot be force-revoked the way user OAuth tokens can; they expire on their own. Revoking locally also does nothing to the underlying service account key, so if a key is compromised, delete that key (or disable/delete the parent service account) immediately.
To delete the key you created:
gcloud iam service-accounts keys delete KEY_ID \
  --iam-account=kodekloud-test-sa@kodekloud-gcp-training.iam.gserviceaccount.com
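As an added example (not part of the original lesson), the Python helper below reads a downloaded key file, reports whether other local users can read it, and derives the exact activate, set-project, revoke and key-delete commands from the file's own fields; the KEY_ID that `gcloud iam service-accounts keys delete` expects is the file's private_key_id. The sample key it writes is constructed with fake key material and hypothetical project and account names.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def inspect_key_file(path):
    """Parse a downloaded service account key and return what you need to use and later clean it up."""
    with open(path) as fh:
        key = json.load(fh)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing or key.get("type") != "service_account":
        raise ValueError(f"not a service account key file (missing: {missing})")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    sa_email = key["client_email"]
    key_id = key["private_key_id"]  # this is the KEY_ID that `keys delete` expects
    return {
        "service_account": sa_email,
        "project_id": key["project_id"],
        "key_id": key_id,
        # True when group or other users on this machine can read the private key
        "readable_by_others": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "activate_cmd": f"gcloud auth activate-service-account --key-file={path}",
        "set_project_cmd": f"gcloud config set project {key['project_id']}",
        "revoke_cmd": f"gcloud auth revoke {sa_email}",
        "delete_key_cmd": f"gcloud iam service-accounts keys delete {key_id} --iam-account={sa_email}",
    }

def tighten_permissions(path):
    """Restrict the key file to its owner (mode 0600) and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)

# Constructed sample key: same field layout as the real download, fake key material and names
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE-KEY-MATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
}

def write_sample_key(mode=0o644):
    """Write SAMPLE_KEY to a temp file with the given mode (0644 mimics a careless download)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(path, mode)
    return path
```

Run `inspect_key_file(write_sample_key())` to see the derived commands, or point inspect_key_file at your real key file and call tighten_permissions on it when readable_by_others is True.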
Quick reference — common gcloud commands used here
Action | Command | Notes
Activate service account with key file | gcloud auth activate-service-account --key-file=KEY.json | Authenticates gcloud as the service account using the JSON key.
Set active project | gcloud config set project PROJECT_ID | Ensures commands target the desired GCP project.
List Cloud Storage buckets | gcloud storage ls | Works only if the service account has storage list/view permissions.
List Compute Engine instances | gcloud compute instances list | Requires the compute.instances.list permission.
List credentialed accounts | gcloud auth list | Shows which account is active locally.
Revoke a local account | gcloud auth revoke ACCOUNT | Removes local credentials from the gcloud auth store.
Delete a service account key | gcloud iam service-accounts keys delete KEY_ID --iam-account=ACCOUNT | Permanently removes the key so it can no longer be used.
Summary
  • Use gcloud auth activate-service-account --key-file=KEY.json to authenticate locally with a service account key.
  • Set the active project with gcloud config set project PROJECT_ID.
  • Test allowed operations (e.g., gcloud storage ls) and confirm denied operations (e.g., gcloud compute instances list).
  • Edit your custom role to add permissions if necessary, then re-run commands.
  • Revoke local credentials and delete service account keys when finished to reduce risk.
Thanks for reading.