Impersonating a Service Account for local development
Impersonate a Google Cloud Platform service account for local development.
You should upgrade the Google NPM packages in your projects to @latest to use the impersonation method.
Example:
npm install google-auth-library@latest
npm install @google-cloud/secret-manager@latest
npm install @google-cloud/pubsub@latest
npm install @google-cloud/storage@latest
npm install @google-cloud/bigquery@latest
npm install @google-cloud/functions@latest
Google Cloud SDK (gcloud) installer
If you already have it installed you need to make sure you have the latest version because this method uses a relatively new feature.
You can update an existing gcloud install by running the following command.
gcloud components update
If you don't have gcloud installed you can grab the appropriate installer at the link below.
https://cloud.google.com/sdk/docs/install-sdk
If you are installing for the first time, run this command after installation to log in and select your project.
gcloud init
Impersonate Service Account
Command format:
gcloud auth application-default login --impersonate-service-account=<service account email>
Command Example
Say your service account email is "my-service-account@my-project.iam.gserviceaccount.com". In this case the command you would run would be:
gcloud auth application-default login --impersonate-service-account=my-service-account@my-project.iam.gserviceaccount.com
For some of the Node.js npm libraries, the impersonation credentials file will need "client_email" specified. Open the following file and add this top-level key/value to the JSON object. Hopefully this step won't be necessary in future versions of the Google npm libraries. "~" is your home directory. To see hidden directories from PowerShell on Windows, run the command 'dir -force'.
Windows
~\AppData\Roaming\gcloud\application_default_credentials.json
Mac/Linux
~/.config/gcloud/application_default_credentials.json
Add this as a top-level key in the file.
"client_email": "my-service-account@my-project.iam.gserviceaccount.com",
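One way to make and check this edit from Node.js, as an added example that is not part of the original page or of any Google library. It assumes the file has the impersonated_service_account layout that gcloud writes, with the account email embedded in service_account_impersonation_url; ensureClientEmail, patchAdcFile and sampleAdc are names made up for this example.

```javascript
// Added example (not from the original page): validate a gcloud ADC file
// and add the top-level "client_email" key described above.
// Assumption: the impersonation URL ends in
// "/serviceAccounts/<email>:generateAccessToken".

function ensureClientEmail(adc) {
  if (adc.type === "service_account") {
    throw new Error("file is a service account key, not impersonated credentials");
  }
  if (adc.type !== "impersonated_service_account") {
    throw new Error(`unexpected credential type: ${adc.type}`);
  }
  const url = String(adc.service_account_impersonation_url || "");
  const match = url.match(/\/serviceAccounts\/([^/:]+):generateAccessToken$/);
  if (!match) {
    throw new Error("no service account email in impersonation URL");
  }
  const email = decodeURIComponent(match[1]);
  if (adc.client_email && adc.client_email !== email) {
    throw new Error(`client_email does not match impersonated account ${email}`);
  }
  // Return a copy; never log it, source_credentials holds a refresh token.
  return { client_email: email, ...adc };
}

// Hypothetical helper: patch the file GOOGLE_APPLICATION_CREDENTIALS points to.
function patchAdcFile(path = process.env.GOOGLE_APPLICATION_CREDENTIALS) {
  const fs = require("node:fs"); // loaded only when a file is actually patched
  const patched = ensureClientEmail(JSON.parse(fs.readFileSync(path, "utf8")));
  fs.writeFileSync(path, JSON.stringify(patched, null, 2) + "\n");
  return patched.client_email;
}

// Constructed sample with placeholder secrets, shaped like gcloud's output.
const sampleAdc = {
  delegates: [],
  service_account_impersonation_url:
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" +
    "my-service-account@my-project.iam.gserviceaccount.com:generateAccessToken",
  source_credentials: {
    client_id: "PLACEHOLDER",
    client_secret: "PLACEHOLDER",
    refresh_token: "PLACEHOLDER",
    type: "authorized_user",
  },
  type: "impersonated_service_account",
};

console.log(ensureClientEmail(sampleAdc).client_email);
```

To update the real file, call patchAdcFile with the Windows or Mac/Linux path listed above.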
Set system environment variable
You need to set a system-wide environment variable so Node.js can reference it. The variable will be set to the path of the Google ADC (Application Default Credentials) file that was generated when you ran the "Impersonation" command above. Verify the file exists before you add the environment variable.
Windows 10/11
- Press keys: Windows + R
- Enter: sysdm.cpl
- Advanced > Environment Variables
- Set this variable, replacing "YOUR_HOME_DIRECTORY" with your home directory.
Variable Name:
GOOGLE_APPLICATION_CREDENTIALS
Variable Value:
C:\Users\YOUR_HOME_DIRECTORY\AppData\Roaming\gcloud\application_default_credentials.json
Restart PowerShell and list env vars to make sure the environment variable is set.
gci env:*
Mac/Linux
Create the file ".zshenv" in your home directory if it doesn't already exist, then add the export line below.
touch ~/.zshenv
Open .zshenv with your favorite text editor and add the following line.
export GOOGLE_APPLICATION_CREDENTIALS=/Users/YOUR_HOME_DIRECTORY/.config/gcloud/application_default_credentials.json
Restart the terminal and list env vars to make sure the environment variable is set.
printenv
Conclusion
You should now be able to use Google NPM packages locally without having to specify a service account key in your code or project env file, as the ADC (Application Default Credentials) will be available system-wide through your environment variables.
Useful gcloud commands
List current authentication profiles on your system
gcloud auth list
Switch active account
Replace 'ACCOUNT_YOU_WANT_TO_SWITCH_TO' with one of the email addresses listed from the command above
gcloud config set account 'ACCOUNT_YOU_WANT_TO_SWITCH_TO'
Authenticate a user account on your system
gcloud auth login
Revoke an authenticated account on your system
gcloud auth revoke 'ACCOUNT_YOU_WANT_TO_REVOKE'