I have a service account with Owner permissions on the project (just for testing this out). Still, I am not able to create API keys using that service account via gcloud. It says "Permission Denied". I am using the following commands.

1. gcloud auth activate-service-account <Service-account>@<project-id>.iam.gserviceaccount.com --key-file=<key-file>.json

2. gcloud auth list  # Gives the service account name

3. gcloud alpha services api-keys create --display-name=dummy

The above command works if I authenticate as a normal user with Owner permission, but with a service account it doesn't seem to work. Am I missing something? Please help.

  • Don't forget to define the key file path Commented Dec 20, 2020 at 14:30
  • Thanks Dany. I have specified it already. Commented Dec 20, 2020 at 18:23
  • Can you say more about how it's not working? Failing with an error? Hanging indefinitely? Finishing up nicely but doesn't actually create the key? Commented Jan 23, 2021 at 2:49

1 Answer

The APIKEY API has a strange history. It was released in Beta about 1 year ago and has now gone back to Alpha. There is no public documentation (in reality it has been removed), and if you know this API, you have found it on SO or in an old tutorial.

Anyway, just to say that it's not a reliable API, and if you want to automate stuff on it (by calling it with a service account), it's not a good idea. In addition, sometimes APIs don't allow service account calls but require user credentials. It was the case previously with the quota APIs, but it has been updated recently (this summer 2020).

Finally, Google Cloud doesn't recommend using APIKEY for security reasons (we can discuss this more if you want). And thus, I don't think it is in its (security and best practice) strategy to promote an API that allows APIKEY automation.

2 Comments

Thank you for the insight. This has helped; however, I wanted to know what other security mechanisms can be used to secure access to your api-gateway or, let's say, cloud endpoint URLs?
That's a good question!! If it's a user-oriented application, Firebase Auth is the right solution. If it's a server-to-server call, and the server at the initiative of the call can't generate OAuth2 credentials based on a service account key file, you can use.... API KEY!!! Yes, I know it's frustrating, because it's the only solution and you can't automate it... I already talked about this to the apigateway PM, he had to send me info, but I never received input on this case...
