gcloud auth activate-service-account: Usage & CI Errors
Authenticate gcloud as a service account using a key file - the legacy CI path.
gcloud auth activate-service-account authenticates the CLI as a service account from a JSON key file. It works in CI, but Workload Identity Federation (keyless) is now the recommended approach.
What it does
The command reads a service-account JSON key (--key-file) and activates that identity for subsequent gcloud commands. The service-account email is taken from the key, so all that key’s IAM roles apply. Because long-lived keys are a security liability, prefer Workload Identity Federation when possible.
Common usage
# Activate a service account from a key file
gcloud auth activate-service-account \
--key-file=sa-key.json
# In CI you may write the key from a secret first
echo "$GCP_SA_KEY" > sa-key.json
gcloud auth activate-service-account --key-file=sa-key.json
gcloud config set project my-projectCommon error in CI: "Invalid JSON key" / disabled key
Activation fails with "Could not read json file ... Invalid JSON" when the secret was truncated or echoed with extra quoting, or "Failed to activate ... key is disabled/expired" when the key was rotated. Fix: write the secret to a file without altering it (mind base64 encoding - base64 -d if you stored it encoded), and ensure the key is enabled and the service account exists. Better: switch to keyless google-github-actions/auth with Workload Identity Federation so there is no key to leak or rotate.
Key options
| Option | Purpose |
|---|---|
| --key-file | Service-account JSON key path |
| --project | Set the active project at activation |
| gcloud auth list | Confirm the active account |