gcloud auth activate-service-account: Authenticate CI
Activate a Google Cloud service account from a key file so gcloud can run non-interactively.
gcloud auth activate-service-account authorizes the gcloud CLI using a service account key, which is the classic way to authenticate automated pipelines. Modern setups prefer Workload Identity Federation, but key-file activation is still common in CI. After activation, every gcloud command runs as that service account.
Common flags
--key-file=PATH- JSON key file to authenticate withACCOUNT- the service account email (positional, optional with --key-file)--project=PROJECT_ID- set the active project at the same time
Example in CI
Write the secret to a file, then activate it.
shell
echo "${{ secrets.GCP_SA_KEY }}" > /tmp/sa.json
gcloud auth activate-service-account --key-file=/tmp/sa.json --project=my-projectCommon errors in CI
- Could not read json file ... No such file or directory - key file path wrong or secret never written
- Failed to activate the given service account ... invalid_grant - key revoked or clock skew on the runner
- The caller does not have permission - the service account lacks the IAM role the command needs
Key takeaways
- Authenticates gcloud non-interactively from a JSON service account key.
- Write the secret to a file first, then point --key-file at it.
- Prefer Workload Identity Federation over long-lived keys when possible.
Related guides
gcloud auth configure-docker: Push Images in CIConfigure Docker to authenticate to Artifact Registry and GCR via gcloud: flags, a CI example, and the auth e…
gcloud run deploy: Ship to Cloud Run in CIDeploy a container or source to Cloud Run from a pipeline: the flags you need, a CI example, and the deploy e…
gcloud secrets versions access: Read Secrets in CIRead a Secret Manager secret value from a pipeline: required arguments, a CI example, and the access errors y…