Reputation: 731
How do I enable API services specifically for a service account and not a user account?
Context: I'm using a Python script to locally test a cloud function (query BQ, convert results to json, drop in GCS bucket). I can do this fine with my own test account where I'm able to enable services, but not sure how I would do it (or how a client would go about doing it) for a client's service account. This is how I do it for my own service account:
gcloud auth activate-service-account --key-file="/path/to/json-todd-credentials.json" --project="json-todd"
gcloud services enable --account="[email protected]" cloudfunctions.googleapis.com pubsub.googleapis.com  # etc.
I have the client's service account json and I can auth activate-service-account the service account, but I can't enable because I don't have permissions - but how would the client enable APIs specifically for a service account on GCP without having to install/initialise/auth the service account in the way above?
Upvotes: 0
Views: 418
Reputation: 75880
There is a misunderstanding, I think. APIs are enabled for a project, not for a service account (or a user account). Then you have permissions to access the APIs that you have activated.
If you have a service account on a new project without the APIs enabled, there is no issue with granting this service account the roles/serviceusage.serviceUsageAdmin role. That way, the service account will be able to activate APIs on the project, possibly ALL the APIs. BUT if the service account only has permission to access BigQuery (for example) and the service account activates the Compute Engine API, it won't be able to access VMs, even if the API is enabled.
Conversely, if the APIs are already enabled on the project, the service account doesn't need to have the roles/serviceusage.serviceUsageAdmin role granted, only the permission to use the activated APIs.
Upvotes: 2
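The second case in the answer above, seen from the project admin's side, as an added example that is not part of the original answer: the admin enables the missing APIs once on the project under their own identity, then grants the service account only the roles its job needs, so it never holds roles/serviceusage.serviceUsageAdmin. The project ID, service account e-mail, required API list and role choices are assumptions made for the asker's BigQuery-to-GCS job, and the enabled-services listing is a constructed sample.

```shell
#!/bin/sh
# Added example. Run by a project admin with their own identity, not by the
# service account. PROJECT_ID, SA_EMAIL, the API list and the role list are
# placeholders/assumptions, not values from the original post.
PROJECT_ID="${PROJECT_ID:-example-project}"
SA_EMAIL="${SA_EMAIL:-worker@example-project.iam.gserviceaccount.com}"
REQUIRED_APIS="bigquery.googleapis.com storage.googleapis.com cloudfunctions.googleapis.com pubsub.googleapis.com"
# Assumed least-privilege roles for "query BigQuery, write JSON to a bucket".
ROLES="roles/bigquery.jobUser roles/bigquery.dataViewer roles/storage.objectCreator"

# Reads enabled service names on stdin (one per line) and prints the required
# APIs that are absent, space-separated. Whole-line matching (-x) keeps
# bigquerystorage.googleapis.com from counting as storage.googleapis.com.
missing_apis() {
  enabled=$(cat)
  out=""
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || out="$out $api"
  done
  printf '%s\n' "${out# }"
}

# Reads the same listing on stdin and prints the commands the admin would run:
# one project-level enable for the missing APIs, then one IAM binding per role.
plan() {
  missing=$(missing_apis)
  if [ -n "$missing" ]; then
    echo "gcloud services enable $missing --project=$PROJECT_ID"
  fi
  for role in $ROLES; do
    echo "gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$SA_EMAIL --role=$role"
  done
}

# Live input would come from:
#   gcloud services list --enabled --project="$PROJECT_ID" --format='value(config.name)'
# Constructed sample of that listing, so the script runs offline:
SAMPLE_ENABLED='bigquery.googleapis.com
bigquerystorage.googleapis.com
logging.googleapis.com'

# Print the plan for review; nothing is executed against the project.
printf '%s\n' "$SAMPLE_ENABLED" | plan
```

The script only prints the commands; the admin reviews them and runs them from a session authenticated as themselves.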