Setup Service Account

Using a Google service account allows you to use Pulumi in a non-interactive setting (for example CI/CD systems, where a person can not complete the normal gcloud auth application-default login flow). A service account can also be used when developing locally to ensure a specific set of scoped credentials not tied to a user account are used. This can be useful even when developing locally to give you more control over the account role used for deployment.

To use a service account with Pulumi you will need to provide the Google Cloud Platform Provider with your Google service account private key. You can create and download credentials using the Google Cloud Platform Credentials page on the Google Cloud Platform Console.

In order to create new credentials to use with Pulumi, go to the APIs and Services section of of the Google Cloud Platform Console and select the Credentials sub-menu. From here, select the Create credentials drop-down menu and click Service account key to create a new key for a service account.

Create new credentials

On the next screen, select JSON as the key type and select the service account to which this key will be associated.

Create new credentials

Pressing the Create button will download a JSON file. This file contains your new credentials.

Your credentials are only used to authenticate with Google Cloud APIs on your behalf. Your credentials are never sent to pulumi.com.

To communicate your credentials to the Pulumi Google Cloud Platform Provider, export the contents of your credentials file to the GOOGLE_CREDENTIALS environment variable:

Linux and Mac OS X

export GOOGLE_CREDENTIALS=$(cat credentials.json)

Windows Powershell

$env:GOOGLE_CREDENTIALS=cat credentials.json