gcloud auth activate-service-account [ERROR] Please ensure provided key file is valid

Question

I've spent already several hours with this problem but it seems that I can't activate a service account to develop locally an App Engine project (If I deploy teh project it authenticates well since the credentials are injected as an env variable).

The problem

1. I created a new service account under IAM on the GC Platform.
   The service account is created correctly I can see it through the console and the

2. Under service account I generated a new JSON key -> key.json

3. in the console I used gcloud auth activate-service-account --key file=key.json

Code

 {    
      "type": "service_account",
    <br>      "project_id": "[project id]",
    <br>      "private_key_id": "[private_key_id]",
    <br>      "private_key": "[private_key]",
    <br>      "client_email": "[name]",
    <br>      "client_id": "[clien id]",
    <br>      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    <br>      "token_uri": "https://accounts.google.com/o/oauth2/token",
    <br>      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        <br>  "client_x509_cert_url": 
      "https://www.googleapis.com/robot/v1/metadata/x509/[client_email]"
       <br> }   

I receive the error message ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.

---

After trying everything what I could I found that in the docs the service account key indeed has a different structure. https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys I have no idea however why the downloaded key structure is not good.

Did anybody encounter this issue? Any solutions?

Answer 1

I haven't found any great documentation on this, but you definitely want the first type of file and creating it through the Cloud Console should work. I believe it's referenced to as a Google Credentials file. The downloaded JSON file should look something like:

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "some_number",
  "private_key": "-----BEGIN PRIVATE KEY-----\n....
  =\n-----END PRIVATE KEY-----\n",
  "client_email": "<api-name>[email protected]",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/...<api-name>api%40project-id.iam.gserviceaccount.com"
}

The second link you posted will also create a service account key and a Google Credentials file, but it's probably more work than you want (the Google Credentials file is encoded under the privateKeyData field.

Hopefully that explains the files; good luck authenticating! My only suggestion for that is that maybe you've spelled the command wrong? It should be:

gcloud auth activate-service-account --key-file=key.json

whereas you've typed

gcloud auth activate-service-account --key file=key.json

ie, with a space after --key. Let us know if you figure it out!

Answer 2

Get token! A new browser window is being opened. Login/Select a Google account, accept the permissions and paste the authentication code below.

https://accounts.google.com/signin/oauth/error?authError=TOKEN

The developer hasn't given you access to this app. It's currently being tested and it hasn't been verified by Google. If you think you should have access, contact the developer

https://github.com/Melvin-Abraham/Google-Assistant-Unofficial-Desktop-Client/issues/678#issuecomment-1119102459