What Does Service account key Mean?
On This Page
Quick Definition
A service account key is like a digital ID card for an app or a server, not a person. It lets that app prove its identity to Google Cloud so it can read files, start instances, or make API calls. The key file contains a private key and is used to create signed tokens for authentication. It is a critical security credential that must be stored and managed carefully.
Commonly Confused With
An API key is a simple identifier used to authenticate callers to Google Cloud APIs without a signed JWT. API keys are not tied to a service account identity and do not grant access to user-specific resources. Service account keys, on the other hand, are used to generate OAuth 2.0 access tokens that represent a specific service account identity with IAM permissions. API keys are easier to use but less secure and provide no identity granularity.
Using an API key is like using a generic door code that works for everyone. Using a service account key is like using a personalized employee badge that logs your entries.
User account credentials belong to a human user, often managed through Google Workspace or Cloud Identity. They are used for interactive login via gcloud or web console. Service account keys belong to a non-human identity and are meant for applications. User credentials are typically short-lived, while service account keys can be long-lived. Mixing these up leads to permission errors when an automated script tries to use user credentials that may expire.
A user account is like a human employee who can log in with a password and 2FA. A service account is like a robot that uses a keycard. The robot cannot use a human password, and the human cannot use the robot's keycard.
Every Compute Engine instance has a default service account attached, and you can attach a custom service account instead. When using a Compute Engine instance, you can authenticate to Google APIs without a service account key file because the instance metadata server provides short-lived access tokens automatically. This is the preferred method for workloads running on Compute Engine. A service account key file is only needed when the workload runs outside Google Cloud or when you need a long-lived credential for offline signing.
An application running on Compute Engine is like a robot living in a Google building. It does not need an external keycard because the building already knows the robot. An application running on your home server is like a robot in a different country that needs a visa (the key file) to enter the Google building.
Must Know for Exams
Service account keys appear in several Google Cloud certification exams, particularly the Google Cloud Digital Leader, Associate Cloud Engineer, Professional Cloud Architect, Professional Cloud Security Engineer, and Professional Cloud Developer exams. While this topic is not the main focus of the Digital Leader exam, you should know what a service account key is and why security is important. For the Associate Cloud Engineer exam, you will encounter service account keys in questions about creating and managing IAM roles, setting up Compute Engine instances with service accounts, and using the gcloud command line to create and list keys. You might be asked to identify the correct command to create a key or to troubleshoot a permission error caused by a missing or expired key.
On the Professional Cloud Architect exam, service account keys appear in the context of designing secure and scalable authentication for applications. You may be asked to compare the security implications of using long-lived keys versus short-lived credentials, or to choose a solution that minimizes key exposure for a multi-cloud deployment. The exam expects you to understand Workload Identity Federation and when it is appropriate to use it instead of service account keys. For the Professional Cloud Security Engineer exam, service account key management is a core topic. You will be tested on key rotation policies, how to detect compromised keys, and how to revoke keys using IAM policies or by deleting the key. You may also see scenario-based questions where a company's security policy requires that no service account keys be stored on disk, and you need to recommend a solution using Secret Manager or a hardware security module.
In the Professional Cloud Developer exam, service account keys are relevant for application authentication. You might be asked how to configure a client application to use a service account key to access a Google Cloud API, or how to handle token expiration. The exam may also ask about the differences between using a service account key and using Application Default Credentials (ADC) in local development environments. Across all these exams, the main points to remember are: service account keys are long-lived credentials, they should be rotated at least every 90 days, they should never be stored in source code, and they can be revoked at any time. Also know that Google Cloud now recommends using the Cloud IAM service agent credentials or Workload Identity Federation for production workloads.
Simple Meaning
Think of a service account as a robot employee that works for you in the cloud. This robot doesn't have a human name or a password; instead, it carries a special key file that proves it is allowed to do certain tasks. When the robot wants to do its job, such as reading data from a storage bucket or starting a new virtual machine, it presents this key to Google Cloud. The cloud checks the key, sees which permissions are attached to the robot, and then allows or denies the action.
You can create service account keys in Google Cloud using the Console, the gcloud command line tool, or the API. Each key is a JSON file containing a private key, a public key ID, a client email, and some other metadata. The most important part is the private key. If someone else gets that private key, they can impersonate your robot and do anything the robot is allowed to do. That is why you must never share the key file, store it in source code, or keep it in easily accessible places.
There are two types of service account keys: user-managed keys and Google-managed keys. User-managed keys are created by you, and you are responsible for their security. Google-managed keys are rotated automatically by Google and are used for the default service accounts created by Google Cloud services. In practice, many IT teams use tools like Secret Manager or a hardware security module (HSM) to store service account keys securely. Some organizations avoid using keys altogether and use Workload Identity Federation, which lets you authenticate without exporting a private key file.
Full Technical Definition
A service account key is a cryptographic credential used to authenticate a Google Cloud service account. At its core, the key is a JSON Web Key (JWK) that contains a RSA private key pair, a key ID, a client email, a private key ID, a project ID, and other metadata. The private key is used to create a signed JSON Web Token (JWT). When an application wants to call a Google Cloud API, it constructs a JWT header and payload that include the service account email, a scope, an audience, and an expiration time. The application signs this JWT with the private key from the key file. It then sends the signed JWT as a bearer token to the Google OAuth 2.0 token endpoint. Google verifies the signature using the public key associated with the key ID, validates the token claims, and if everything matches, returns an access token. The application then uses that access token in subsequent API calls.
The standard behind this process is OAuth 2.0 with the JWT Bearer Token flow, as defined in RFC 7523. The service account key itself is generated using RSA 2048-bit keys, though Google also supports RSA 4096-bit keys. The key file format is JSON, but it can also be exported in P12 format. The key includes fields such as type (service_account), project_id, private_key_id, private_key, client_email, client_id, auth_uri, token_uri, auth_provider_x509_cert_url, and client_x509_cert_url. The private_key field contains the private key in PEM format with newline characters escaped. This private key is the most sensitive part; if it is compromised, an attacker can gain full access to the service account’s permissions.
In real IT implementations, you should never store service account keys in source code repositories, even in private ones. Instead, use a secrets management system like Google Cloud Secret Manager to store the key file as a secret. When an application needs the key, it retrieves it from Secret Manager at runtime. Alternatively, you can use Service Account Impersonation, where a user or another service account requests a short-lived token on behalf of the target service account, avoiding the need to have the private key accessible at all. Google Cloud also supports Workload Identity Federation, which allows on-premises or multi-cloud workloads to exchange their own identity tokens (like from AWS or Azure) for a Google Cloud access token without storing a Google service account key. This is becoming the preferred best practice because it eliminates the risk of long-lived private key exposure.
Real-Life Example
Imagine you are the manager of a large apartment building. You have a special maintenance robot that can enter any apartment to fix plumbing issues, but only during the day. The robot carries a special magnetic keycard that the building’s security system recognizes. When the robot swipes the keycard at the door, the system checks the card’s ID, sees that it is authorized to be in the building during daytime hours, and unlocks the door. If someone steals that keycard, they could pretend to be the robot and enter any apartment at any time.
Now, in the Google Cloud world, the service account is the robot, and the service account key is the magnetic keycard. The building security system is Google Cloud’s authentication system. The robot (the application) uses the keycard (the key file) to prove its identity at the door (the API endpoint). The security system verifies the card’s signature, checks the permissions (which apartments can be entered and at what times), and grants access. The keycard contains a unique ID (the key ID) and a secret pattern (the private key). If someone copies that pattern, they can make a duplicate keycard and impersonate the robot.
This analogy highlights why you must protect the key file just like you would protect a master keycard. If you lose it, you need to disable that key and create a new one. Also note that the robot never needs a password to log in, it just uses the keycard. That is the same as a service account key: it provides password-less authentication for automated systems. In Google Cloud, when you create a key, you download a JSON file that contains all the information the application needs to act as that service account. Just as you wouldn't leave a master keycard lying around in the lobby, you should never put a service account key file in a shared folder or a public GitHub repository.
Why This Term Matters
Service account keys are a fundamental part of Google Cloud identity and access management (IAM). They enable automated systems, such as applications running on Compute Engine, Cloud Functions, or on-premises servers, to securely access cloud resources without human intervention. Without service account keys, every automated script would need to use a personal user account, which creates problems with credential sharing, permission management, and security auditing. Service accounts allow organizations to grant granular permissions to specific workloads, following the principle of least privilege.
From a security perspective, service account keys are both powerful and dangerous. They are powerful because they allow automated workflows to run seamlessly. They are dangerous because if a key is leaked, an attacker can use it to access sensitive data, start expensive resources, or modify infrastructure. There have been many real-world security breaches where attackers found service account keys in publicly exposed repositories or misconfigured storage buckets. This is why Google Cloud strongly recommends using short-lived credentials whenever possible, and why services like Workload Identity Federation and Secret Manager are becoming standard practice.
For IT professionals, understanding how to create, rotate, and revoke service account keys is essential. You must know how to list all keys for a service account, when to use a new key instead of reusing an old one, and how to detect usage of a compromised key. The Google Cloud console provides a dashboard showing key creation times, last used times, and which service account each key belongs to. Monitoring these logs and setting up alerts for unusual key usage patterns is a common responsibility for cloud administrators. You should know the difference between user-managed and Google-managed keys. Google-managed keys rotate automatically and cannot be exported, which reduces the attack surface. User-managed keys are necessary only when you need to run workloads outside Google Cloud that cannot use other authentication methods.
How It Appears in Exam Questions
Exam questions about service account keys typically fall into three categories: scenario-based, configuration-based, and troubleshooting-based. In scenario-based questions, you are given a description of a company’s infrastructure and asked to choose the best authentication method. For example, a company runs an application on an on-premises server that needs to access a Cloud Storage bucket. The application cannot use metadata server because it is not on Compute Engine. The question will ask whether to use a service account key, Workload Identity Federation, or an HMAC key. The correct answer often depends on security policies. If the company wants to avoid storing long-lived keys, Workload Identity Federation is the better choice.
Configuration-based questions ask you to recall specific steps or commands. For instance: Which command creates a new service account key and downloads it to the local machine? The answer is `gcloud iam service-accounts keys create key-file.json --iam-account=SA_EMAIL`. Another common question: After creating a service account, what must you do to allow an application outside Google Cloud to use it? The answer: Create a service account key and securely provide it to the application. You might also be asked what the difference is between a user-managed key and a Google-managed key. The key point is that user-managed keys can be exported, downloaded, and rotated manually, while Google-managed keys are rotated automatically and cannot be viewed or downloaded.
Troubleshooting questions often present a scenario where an application fails to authenticate. The description might say the application is using a service account key that worked yesterday but now returns a 403 error. You need to diagnose the cause. Possible reasons: the service account key has been deleted or disabled, the service account itself has been deleted, the key expired (service account keys do not have an expiration date by default, but this can be set), the private key in the file is corrupt, or the service account no longer has the required IAM permissions. Another troubleshooting scenario: An application on Compute Engine uses the default service account, but the user wants to use a custom service account. The question may ask what changes are needed: you must create the custom service account, grant it permissions, and then specify it when creating the Compute Engine instance or attach it to an existing instance.
Finally, some questions ask about security best practices. For example: A developer accidentally committed a service account key to a public GitHub repository. What should you do first? The correct answer is to delete the key from the service account in Google Cloud to prevent any unauthorized use. You should not only remove the file from GitHub because the key may already have been extracted by bots. Also, you should rotate the key for the service account if the key was only deleted but not regenerated? Actually, after deleting the key, you should create a new key and securely store it. The exam tests whether you understand that deleting the key immediately revokes its access, unlike just removing it from the repository.
Practise Service account key Questions
Test your understanding with exam-style practice questions.
Example Scenario
TechCorp has a batch processing job that runs every night on a Linux server in their on-premises data center. The job needs to read a CSV file from a Cloud Storage bucket and write processing results back to another bucket. The company’s security policy prohibits using any long-lived credentials stored in files. However, the on-premises server cannot use the Compute Engine metadata server because it is not on Google Cloud. The server runs a Python script that currently uses a service account key JSON file stored in a local directory. The IT manager wants to reduce the risk of key exposure.
You are asked to recommend a solution. You consider three options. Option 1: Continue using the service account key but store it in Google Cloud Secret Manager, and have the script retrieve the key at runtime via the Secret Manager API. This keeps the key off the server’s disk, but the secret is still a long-lived key. Option 2: Use Workload Identity Federation. With this approach, the on-premises server first authenticates with an external identity provider (like Azure AD or Okta) to get a federated token. Then the server exchanges that token for a Google Cloud access token, without needing any Google service account key stored on the server. Option 3: Use a dedicated service account with a short-lived OAuth access token requested by a custom token broker service that runs in the on-premises environment.
After evaluation, you decide to implement Workload Identity Federation. You configure the on-premises server to use an AWS IAM role as the external identity, because TechCorp also uses AWS. You set up a Workload Identity Pool in Google Cloud. The Python script uses the Cloud IAM library to call the `google.auth` module with a credential configuration that specifies the workload identity pool. The script no longer needs to load a service account key file. The nightly job now authenticates without any long-lived secrets stored on the server, satisfying the security policy. This scenario shows how service account keys are not always the best choice, and why understanding alternative authentication methods is crucial for real-world cloud architecture.
Common Mistakes
Storing a service account key in a public GitHub repository.
Service account keys are secret credentials that grant access to cloud resources. If a key is exposed in a public repository, malicious actors can find it and use it to access, modify, or delete your resources. Even if the repository is private, it may still be exposed through third-party integrations or accidental sharing.
Never commit service account keys to any version control system. Instead, store them in Google Cloud Secret Manager or use workload identity federation to avoid keys altogether. If a key is accidentally committed, immediately delete the key from the service account in Google Cloud and rotate to a new key.
Using the same service account key on multiple unrelated applications.
If a single key is used by multiple applications and one application is compromised, the attacker gains access to all resources that the service account can reach. This violates the principle of least privilege and makes auditing difficult because you cannot tell which application performed a given action.
Create a separate service account for each application or logical grouping of applications. Grant each service account only the permissions it needs. If you must share a service account, consider using keyless authentication methods like ADC or workload identity federation.
Not rotating service account keys regularly.
Long-lived keys, if not rotated, increase the window of opportunity for attackers if the key is leaked. Without rotation, a compromised key can go undetected for months. Google Cloud recommends rotating user-managed keys every 90 days.
Set up a key rotation policy. Use gcloud commands to list existing keys, create new keys, update applications to use the new key, and then delete the old key. Automate this process using Cloud Scheduler and Cloud Functions if possible.
Confusing service account keys with user account keys or access tokens.
Service account keys are for non-human identities, while user account keys are not a standard concept in Google Cloud. Access tokens are temporary and issued by the OAuth flow, not stored as files. Using the wrong credential type can lead to authentication failures or security risks.
Remember that service account keys are JSON or P12 files containing a private key. They are used to generate access tokens programmatically. For user-based authentication, use OAuth 2.0 client IDs or gcloud auth login commands. For short-term needs, use access tokens directly.
Exam Trap — Don't Get Fooled
{"trap":"An exam question states: 'A developer needs to authenticate a script running on a local machine to access Cloud Storage. The script should work without storing any sensitive files. What should the developer do?'
The options include creating a service account key and downloading it, using Application Default Credentials, or using a user account. The trap is that inexperienced learners may choose service account key because they think it is the only way for external scripts.","why_learners_choose_it":"Many learners assume that the only way to authenticate to Google Cloud from outside the cloud is to use a service account key file.
They may not be aware that the gcloud CLI can authenticate using user credentials, or that ADC can be set up with a user account for development purposes.","how_to_avoid_it":"Understand that for local development on a personal machine, you can use gcloud auth application-default login to set up ADC without downloading a service account key. This is more secure and easier to manage.
Service account keys should be reserved for production services or automated systems that cannot use interactive login."
Step-by-Step Breakdown
Create the Service Account
Before you can have a key, you need a service account. A service account is a special kind of account used by an application, not a person. You create it in the Google Cloud Console under IAM and admin, or with the command `gcloud iam service-accounts create SA_NAME`. At this stage, the service account has no permissions and no keys.
Grant IAM Roles to the Service Account
A service account by itself cannot access anything. You must assign IAM roles to it, such as Storage Object Viewer or Compute Instance Admin. This determines what the service account is allowed to do. You can grant roles at the project level or at specific resource levels. Without proper roles, even a valid key will result in permission denied errors.
Create a Service Account Key
Once the service account exists and has roles, you can create a key. You can do this via the Console (IAM > Service Accounts > choose SA > Keys > Add Key > Create New Key) or with `gcloud iam service-accounts keys create key-file.json --iam-account=SA_EMAIL`. The key file is downloaded immediately. You have one chance to download it – Google does not store the private key after creation.
Securely Store the Key
The downloaded key file contains the private key in plain text. You must store it in a secure location. Best practices include storing it in Google Cloud Secret Manager, encrypting it at rest, or using a hardware security module. Never commit the key to version control, never email it, and never store it in a publicly accessible storage bucket.
Configure the Application to Use the Key
Your application code needs to reference the service account key file. You can set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the key file, or explicitly load the key using a client library like google.auth.from_service_account_file(). When the application makes an API call, the library automatically uses the key to obtain an access token from the OAuth 2.0 token endpoint.
Use the Service Account Key for Authentication
Every time the application calls a Google Cloud API, it constructs a signed JWT using the private key. It sends this JWT to the token endpoint at `https://oauth2.googleapis.com/token`. Google verifies the signature, checks the claims, and returns a short-lived access token. The application then uses this access token in the Authorization header of API requests. The access token typically lasts for 1 hour.
Practical Mini-Lesson
In practice, managing service account keys is a daily responsibility for cloud engineers and DevOps teams. You need to know the lifecycle: creation, distribution, rotation, and revocation. When you create a key, you must securely transfer it to the application environment. For production systems, avoid storing the key file directly on the application server's filesystem. Instead, use a secrets manager like HashiCorp Vault, AWS Secrets Manager, or Google Cloud Secret Manager. Your application code fetches the key at runtime, usually in memory, and never writes it to disk. This reduces the risk of key leakage if the server is compromised.
Another important practice is to use key rotation. By default, service account keys do not expire. This is dangerous because a leaked key can be used indefinitely. You can set a key expiration when creating the key using the `--valid-after` and `--lifetime` flags in gcloud, but this is not mandatory. Most exam scenarios expect you to know that best practice is to rotate keys every 90 days. You can automate rotation by creating a new key, updating your applications to use it, testing, and then deleting the old key. Cloud Scheduler can trigger a Cloud Function or Cloud Run job that performs this rotation periodically.
There is also a common misunderstanding about the difference between a service account key and a service account 'key' as used for signing. Service account keys can be used not only for Google Cloud API authentication but also for signing arbitrary data or verifying signatures. The private key in the key JSON file can be used with libraries like `google-auth` to sign JWTs for other purposes, not just for obtaining an OAuth token. However, the primary use case remains API authentication.
What can go wrong? A common issue is that a service account key is accidentally deleted from the Google Cloud console. When you delete a key, it is immediately invalidated. Any application still using that key will start getting 401 or 403 errors. The fix is to create a new key and update the application configuration. Another problem is that the key file becomes corrupted or the permissions on the file are too permissive (like 644 allowing other users on the system to read it). You should ensure the key file has restricted permissions, such as 600 (owner read/write only).
For advanced security, organizations often disable the ability to create user-managed keys altogether using Organization Policies. They enforce that only Google-managed keys are allowed, or that all service accounts must use Workload Identity Federation. This eliminates the risk of key leaks entirely. As a cloud professional, you should know how to configure these policies and how to migrate existing workloads to keyless authentication. In an exam, you might be asked to recommend a secure authentication architecture for a company that currently uses many service account keys and has experienced a security incident. The correct answer will likely involve moving to Workload Identity Federation and using Secret Manager for the transition period.
Memory Tip
Treat a service account key like a master key to a building: create it only when absolutely needed, store it in a secure vault (Secret Manager), and never share it. Rotate it every 90 days or when someone leaves the team.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Can I use a service account key from outside of Google Cloud?
Yes, that is the main reason they exist. Applications on on-premises servers, AWS, Azure, or your local machine can use a service account key to authenticate to Google Cloud APIs. The key file contains the private key needed to sign JWTs.
How long does a service account key last?
User-managed service account keys do not have an expiration by default. You can set a max key lifetime using organization policies, or you can manually set an expiration when you create the key. Best practice is to rotate keys every 90 days.
What happens if I delete a service account key while an application is using it?
The application will immediately fail to authenticate, returning a 401 (Unauthorized) error from the Google Cloud APIs. You will need to create a new key and update the application configuration. Always plan for key rotation carefully.
Can I download the same service account key again?
No. When you create a key in the Google Cloud Console or using gcloud, the private key is downloaded only once. Google does not store the private key. If you lose the key file, you must create a new key and update your applications.
What is the difference between a service account key and an HMAC key?
HMAC keys are used specifically for authenticating requests to Cloud Storage using XML API or JSON API with HMAC signatures. Service account keys are used for OAuth 2.0 authentication and can be used across many Google Cloud services. HMAC keys cannot be used to authenticate to other services like Compute Engine or BigQuery.
Is it safe to store a service account key in a Docker image?
No, it is not safe. Anyone who can access the Docker image (even if it's private) can extract the key. Instead, inject the key at runtime using environment variables from a secrets manager or mount it as a volume from a secure source.
Summary
A service account key is a credential file that allows an application or system to authenticate as a non-human identity in Google Cloud. It contains a private key that is used to sign JSON Web Tokens, which are then exchanged for OAuth 2.0 access tokens. Service account keys are essential for workloads running outside Google Cloud, but they come with significant security responsibilities because they are long-lived and can be easily leaked if not managed properly.
The key takeaway for IT professionals is that service account keys should be treated as highly sensitive secrets. You must store them in secure locations like Secret Manager, rotate them regularly, and never include them in source code or public repositories. Whenever possible, use keyless alternatives such as Workload Identity Federation or the default service accounts attached to Compute Engine instances. These methods reduce the risk of credential exposure and simplify management.
In the context of certification exams, you need to know how to create, list, delete, and rotate service account keys. You also need to understand when to use them and when to avoid them. Scenario questions will test your ability to choose the right authentication method for a given situation, including security constraints and infrastructure location. Remember that service account keys are just one piece of the Google Cloud IAM puzzle, and they must be combined with proper role assignments and monitoring to be effective. By mastering service account key management, you will be better prepared for cloud security challenges both in the exam and in real-world deployments.