gcloud auth activate-service-account [ERROR] Please ensure provided key file is valid

Szabolcs Becze · Apr 7, 2017 · Viewed 9.4k times

I've already spent several hours on this problem, but it seems that I can't activate a service account to develop an App Engine project locally (if I deploy the project it authenticates well, since the credentials are injected as an env variable).

The problem

  1. I created a new service account under IAM on the GC Platform.
    The service account is created correctly; I can see it through the console and the

  2. Under service account I generated a new JSON key -> key.json

  3. In the console I used gcloud auth activate-service-account --key file=key.json

Code

{
  "type": "service_account",
  "project_id": "[project id]",
  "private_key_id": "[private_key_id]",
  "private_key": "[private_key]",
  "client_email": "[name]",
  "client_id": "[client id]",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/[client_email]"
}

I receive the error message ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.


After trying everything I could, I found that in the docs the service account key indeed has a different structure: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys. I have no idea, however, why the downloaded key structure is not good.

Did anybody encounter this issue? Any solutions?

Answer

hubatish · May 31, 2017

I haven't found any great documentation on this, but you definitely want the first type of file, and creating it through the Cloud Console should work. I believe it's referred to as a Google Credentials file. The downloaded JSON file should look something like:

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "some_number",
  "private_key": "-----BEGIN PRIVATE KEY-----\n....=\n-----END PRIVATE KEY-----\n",
  "client_email": "<api-name>api@project-id.iam.gserviceaccount.com",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/...<api-name>api%40project-id.iam.gserviceaccount.com"
}

The second link you posted will also create a service account key and a Google Credentials file, but it's probably more work than you want (the Google Credentials file is encoded under the privateKeyData field).

Hopefully that explains the files; good luck authenticating! My only suggestion for that is that maybe you've spelled the command wrong? It should be:

gcloud auth activate-service-account --key-file=key.json

whereas you've typed

gcloud auth activate-service-account --key file=key.json

i.e., with a space after --key. Let us know if you figure it out!
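
A structural check for the two file shapes the answer describes, added here as an example (it is not part of the original answer and is not gcloud's own validation). The function names, the required-field list and the sample data are assumptions made for the illustration.

```python
import base64
import json

# Fields taken from the answer's sample file; requiring all of them is an assumption.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")


def load_credentials(text):
    """Parse a console-downloaded key file, or a REST key resource whose
    privateKeyData field holds that same file base64-encoded."""
    doc = json.loads(text)
    if isinstance(doc, dict) and "privateKeyData" in doc:
        doc = json.loads(base64.b64decode(doc["privateKeyData"]))
    return doc


def check_key_file(text):
    """Return a list of problems; an empty list means the structure looks right."""
    try:
        creds = load_credentials(text)
    except (ValueError, TypeError) as exc:
        return [f"not parseable as a key file: {exc}"]
    if not isinstance(creds, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not creds.get(name)]
    if creds.get("type") not in (None, "", "service_account"):
        problems.append('"type" is not "service_account"')
    key = str(creds.get("private_key") or "")
    if key and not (key.startswith("-----BEGIN PRIVATE KEY-----")
                    and key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM block (placeholder or truncated?)")
    return problems


# Constructed sample in the answer's shape; it contains no real key material.
SAMPLE = json.dumps({
    "type": "service_account", "project_id": "project-id",
    "private_key_id": "constructed", "client_id": "0",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "name@project-id.iam.gserviceaccount.com",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
})
# The same file wrapped the way the REST resource carries it.
WRAPPED = json.dumps({"privateKeyData": base64.b64encode(SAMPLE.encode()).decode()})

if __name__ == "__main__":
    for label, text in (("console", SAMPLE), ("rest", WRAPPED)):
        print(label, check_key_file(text) or "ok")
```

Run it against the contents of a key file before handing the file to gcloud; the check never prints the key itself, only the names of the fields that look wrong.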