How to create API Keys in GCP using service accont

Question

I have a service account with Owner permissions on the project (Just for testing this out) Still I am not able to create API Keys using that service account via gcloud. It says "Permission Denied" I am using the following commands.

1.
gcloud auth activate-service-account <Service-account>@<project-id>.iam.gserviceaccount.com --key-file=<key-file>.json

2.
gcloud auth list //Gives the service account name

3.
gcloud alpha services api-keys create --display-name=dummy 

The above command works if I authenticate as a normal user with Owner permission but with service account it doesn't seems to work. Am I missing something ? Please help.

Answer 1

The APIKEY Api has a strange history. Relesed in Beta about 1 years ago, and now go back to Alpha. There is no public documentation (in reality it has been removed) and if you know this API, you have found it on SO or on old tutorial.

Anyway, just to say that it's not a reliable API and if you want to automate stuff on it (with call with a service account) it's not a good idea. In addition, sometime, APIs don't allow service account call but require user credentials. It was the case previously with the quota APIs, but it has been updated recently (this summer 2020).

Eventually, Google Cloud don't recommend to use APIKEY for security reason (we can discuss this more if you want). And thus, I don't think it is in its (security and best practice) strategy to promote an API that allows APIKEY automation.