How to use multiple service accounts with gcloud?

Question

I have two Google Cloud service accounts; one for each of my two projects.

# ACCOUNTS
editor@someproj-1.iam.gserviceaccount.com
editor@someproj-2.iam.gserviceaccount.com

I can tell gcloud which account I need to use before executing a command:

gcloud set account [ACCOUNT]

Question: Is there any way I can configure gcloud and gsutil so that they'll be used for operations performed in their respective project without me having to switch between these accounts manually all the time?

---

I'm managing instances in one project and I upload/download files from buckets in another project. It becomes quite tedious to have to perform gcloud set_account [ACCOUNT] all the time in-between commands.

I need to be running long-running commands in both projects at the same time which causes me to think I will fall into a pit if I activate/de-activate the accounts used for these commands.

Perhaps my only option is to run google-cloud-sdk from two different Docker containers?

Answer 1

Zachary's answer is pretty useful, but there's an easier way to use gcloud's configurations.

Run gcloud config configurations list to display a list of your configurations. If you haven't made any, it'll just list default with whatever your current account, project, etc that are active.

Create a new configuration with gcloud config configurations create [config name]:

> gcloud config configurations create testconfig
Created [testconfig].
Activated [testconfig].

The new configuration will now be active, so go ahead and set it up with gcloud init:

> gcloud init
Welcome! This command will take you through the configuration of gcloud.

It will then ask you a series of questions:

• When it asks you to pick a configuration to use, pick [1] Re-initialize this configuration [testconfig] with new settings.
• It will then ask you to choose or log in to an account.
• It will then ask you to choose or create a project.
• Finally, it will ask whether you want to set a default zone for your project. It's up to you; on projects where everything is in the same zone, go ahead and set it.

 

Your Google Cloud SDK is configured and ready to use!

Switch accounts using gcloud config configurations activate [config name].

Answer 2

You have several options here:

• The Cloud SDK respects environment variables specifying properties. gcloud config set account is shorthand for gcloud config set core/account, so the corresponding property is CLOUDSDK_CORE_ACCOUNT.

  You can do something like:

  $ CLOUDSDK_CORE_ACCOUNT=email1@domain1.com gcloud ...
  $ CLOUDSDK_CORE_ACCOUNT=email2@domain2.com gcloud ...
  

  Which should get you the result you're interested in.

• If you need more than one property changed, the Cloud SDK offers a named configuration abstraction. See the docs for full details, but you can run:

  $ gcloud config configurations create my-project1-config
  $ gcloud config configurations activate my-project1-config
  $ gcloud auth login  # or activate-service-account
  $ gcloud config set project project1  # and any other configuration you need to do
  $ 
  $ gcloud config configurations create my-project2-config
  $ gcloud config configurations activate my-project2-config
  $ gcloud auth login  # or activate-service-account
  $ gcloud config set project project2  # and any other configuration you need to do
  $
  $ CLOUDSDK_ACTIVE_CONFIG_NAME=my-project1-config gcloud ...
  $ CLOUDSDK_ACTIVE_CONFIG_NAME=my-project2-config gcloud ...
  

• In the most extreme case, you can maintain separate Cloud SDK configuration directories. The default (on *nix) is ~/.config/gcloud:

  $ CLOUDSDK_CONFIG=/tmp/tmpconfig1 gcloud auth login
  $ CLOUDSDK_CONFIG=/tmp/tmpconfig2 gcloud auth login