Obtain Google Cloud Service Account Key

LESSON SUMMARY:


This lesson goes through the creation of a service account and an associated credential file. These are needed so that your Python programs can access resources (File Storage, Logging, etc.) on Google Cloud. Said a different way, if you are struggling to understand how to access the cloud programmatically, then the first step is generating credentials, and the generation of a key file is covered in this lesson.


This lesson gives an explanation of concepts covered in



SERVICE ACCOUNT CONTEXT:


The service account in Google Cloud accesses resources (such as a log creator or a Cloud Storage bucket creator) through various concepts that are part of Identity and Access Management (i.e., the security for Google Cloud). The service account DOES NOT access resources directly. Instead, permissions (the ability to access resources) are granted to the service account through roles (groups of permissions). Details about accounts, resources, and permissions are at https://cloud.google.com/iam/docs/overview.


A service account is also associated with a project in Google Cloud, and the project is designed in part to keep track of how much you are using the cloud so that appropriate fees can be charged. Google typically gives out a $300 credit to new users though, and that should be more than enough credits to get you through the course.


SECURITY CONSIDERATIONS:

Downloading a credentials file has security considerations. Credentials files in industry tend not to be refreshed often, and it is possible to create credential files in such a way that their use is not easily traceable back to a human being. As you become more familiar with Google Cloud Identity and Access Management, you may want to explore ways for Python code to access Google Cloud without downloading the key file. Although advanced Google Cloud security techniques are outside the scope of this course, you may eventually want to take a look at blog posts such as "Stop Downloading Google Cloud Service Account Keys" for further guidance.
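The two risks named above (keys that are never refreshed, and keys whose use is hard to trace) can be checked on the downloaded file itself. The following is an added example, not part of the course code: it assumes the key was downloaded in JSON format, the 90-day limit is an assumed policy, and the sample key is constructed from placeholder values.

```python
import json
import os
import stat
import time

# Fields found in a service account key file downloaded in JSON format.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "lesson-sa@example-project.iam.gserviceaccount.com",
}


def audit_key_file(path, max_age_days=90, now=None):
    """Return (identity, findings) for a downloaded service account key file."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    findings = []
    # The file holds a private key, so only its owner should have access.
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group or other users (use mode 600)")
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is %r, not 'service_account'" % key.get("type"))
    # The key file carries no creation date; file mtime is used as a stand-in.
    age_days = int(((time.time() if now is None else now) - st.st_mtime) // 86400)
    if age_days > max_age_days:
        findings.append("file is %d days old (limit %d): rotate the key" % (age_days, max_age_days))
    # client_email and private_key_id identify the account and the exact key in IAM.
    identity = {k: key.get(k) for k in ("client_email", "private_key_id")}
    return identity, findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "key.json")
        with open(sample, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(sample, 0o644)  # deliberately too open
        print(audit_key_file(sample))
```

Recording the returned `client_email` and `private_key_id` next to the name of the person who downloaded the key gives the traceability that the key file alone does not provide.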



NOTES ON CREDENTIALS CONFIG FILE:

  • The Machine Learning Mastery course uses a format called YAML to create a file that holds parameters whose values depend on whether you are developing for yourself ("USER1"), developing in a corporate development environment ("dev"), or determining parameters that would be used by the live code ("prod" for production). The YAML format is shown in more detail in the OmegaConf documentation.
  • Data in Google Cloud is stored in buckets, and those buckets are associated with at least 1 location. In this course, I have the "bucket_location" in credentials.yml set to 'us-central1'. For best performance, you should change this bucket location to the Google Cloud Region that is closest to you.


ADDITIONAL NOTES:

  • This lesson covers the creation of the credentials file and of the configuration file, which keeps track of where credentials are stored. In a follow-up lesson, we will cover how to use this credentials file to access Google Cloud resources.