Skip to content
Latchkey

gcloud auth activate-service-account: Authenticate CI

Activate a Google Cloud service account from a key file so gcloud can run non-interactively.

gcloud auth activate-service-account authorizes the gcloud CLI using a service account key, which is the classic way to authenticate automated pipelines. Modern setups prefer Workload Identity Federation, but key-file activation is still common in CI. After activation, every gcloud command runs as that service account.

Common flags

  • --key-file=PATH - JSON key file to authenticate with
  • ACCOUNT - the service account email (positional, optional with --key-file)
  • --project=PROJECT_ID - set the active project at the same time

Example in CI

Write the secret to a file, then activate it.

shell
echo "${{ secrets.GCP_SA_KEY }}" > /tmp/sa.json
gcloud auth activate-service-account --key-file=/tmp/sa.json --project=my-project

Common errors in CI

  • Could not read json file ... No such file or directory - key file path wrong or secret never written
  • Failed to activate the given service account ... invalid_grant - key revoked or clock skew on the runner
  • The caller does not have permission - the service account lacks the IAM role the command needs

Key takeaways

  • Authenticates gcloud non-interactively from a JSON service account key.
  • Write the secret to a file first, then point --key-file at it.
  • Prefer Workload Identity Federation over long-lived keys when possible.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →