Google Cloud SDK with Service Account on Raspberry Pi

Using a Raspberry Pi to interact with your Google Cloud Platform projects without having to expose your user credentials.

Cloud Jake
3 min read · Feb 22, 2021

Install the Google Cloud SDK on a Raspberry Pi to access and interact with your Google Cloud Platform projects via a Service Account. In this example, we’ll create a Service Account with access to load speedtest result data into Google BigQuery.

Create the Service Account

Google Cloud official documentation for creating service accounts.

Using the Cloud Console, we’ll create a service account with access to load data into BigQuery for our particular project.

First, navigate to the Cloud Console Service Account menu using the link below or by selecting IAM & Admin > Service Accounts.

https://console.cloud.google.com/apis/credentials/serviceaccountkey

Screenshot showing GCP Create service account dialog

From the blue bar at the top of the screen, ensure that the proper project is displayed, otherwise click the project name to select another project.

In the Service account dropdown, select “New service account”.

Specify a descriptive name for the service account and select the appropriate role. Since we are creating an account for loading data into BigQuery, we’ll specify the following:

  • Service account name: Bigquery Speedtest Loader
  • Role: BigQuery User & BigQuery Data Owner

Reference: https://cloud.google.com/bigquery/docs/batch-loading-data

Modify or accept the generated account for Service account ID.

Click the blue Create button to create the account and generate the JSON file which will be downloaded to your computer.

**Be sure to keep this file PRIVATE, as it will provide access to your project and the resources that you specified for the service account.**

We’ll need this JSON file later after we install the Google Cloud SDK on our Raspberry Pi. Also take note of the full Service Account ID (we’ll need it later). In my case, the following full Service Account ID was created:
bigquery-speedtest-loader@bq-jake.iam.gserviceaccount.com

Install the Google Cloud SDK

Full instructions for installing the Google Cloud SDK

We’ll use a Raspberry Pi device with a Debian-based distribution already installed.

Create a user account on the operating system to link to our service account:

sudo useradd -m bigquery-speedtest-loader

Add the Cloud SDK distribution URI as a package source:

echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list

Make sure you have apt-transport-https installed:

sudo apt-get install apt-transport-https ca-certificates gnupg

Import the Google Cloud public key:

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -

Update and install the Cloud SDK:

sudo apt-get update && sudo apt-get install google-cloud-sdk

Activate the Service Account

Reference: https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account

Start by switching to the new OS account that we just created:

sudo su - bigquery-speedtest-loader

Activate the Service Account using the JSON file that we generated earlier. You will need to copy the contents of the JSON file to a secure location.

mkdir .private/
vi .private/name-of-JSON-file.json

Since the JSON file is just a simple text file, it’s easiest to copy/paste the contents from where you downloaded the file to the path identified above. Feel free to use ‘vi’ or your favorite text editor. Once you’ve successfully created the file, we’ll activate the Service Account.

gcloud auth activate-service-account bigquery-speedtest-loader@bq-jake.iam.gserviceaccount.com --key-file=/home/bigquery-speedtest-loader/.private/name-of-JSON-file.json

Confirm that everything is working by issuing the command gcloud auth list:

bigquery-speedtest-loader@vpn-edge:~/.private $ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* bigquery-speedtest-loader@bq-jake.iam.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`

You now have a user account on your Raspberry Pi that can interact with your Google Cloud Platform Project for the specified OS user.
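
The JSON key file is the credential in this setup, and the copy/paste step is where it most easily ends up readable by other local users. As an added example (not part of the original post), the shell helpers below install the key with owner-only permissions and refuse a key whose file or directory is accessible to group/others, or that was issued for a different account. The function names are hypothetical, and the field lookup assumes the one-field-per-line layout of a generated key file.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# install_sa_key SRC DEST_DIR: copy the key into an owner-only directory (0700)
# as an owner-only file (0600) and print the installed path.
install_sa_key() {
    src=$1; dest_dir=$2
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
    install -m 600 "$src" "$dest_dir/$(basename "$src")" || return 1
    printf '%s\n' "$dest_dir/$(basename "$src")"
}

# json_string_field FILE FIELD: print the first string value of FIELD.
# Assumes one field per line, as in generated key files; not a JSON parser.
json_string_field() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_sa_key KEY_FILE EXPECTED_EMAIL
# Returns 0 when the key is fit to pass to gcloud, otherwise:
#   1 = file missing
#   2 = key file or its directory is accessible to group/others
#   3 = not a service-account key, or issued for a different account
check_sa_key() {
    key_file=$1; expected_email=$2
    [ -f "$key_file" ] || { echo "missing: $key_file" >&2; return 1; }
    # Characters 5-10 of `ls -ld` output are the group and other permission bits.
    for path in "$key_file" "$(dirname "$key_file")"; do
        bits=$(ls -ld "$path" | cut -c5-10)
        [ "$bits" = "------" ] || { echo "too permissive: $path" >&2; return 2; }
    done
    [ "$(json_string_field "$key_file" type)" = "service_account" ] || return 3
    [ "$(json_string_field "$key_file" client_email)" = "$expected_email" ] || {
        echo "key was issued for a different account" >&2; return 3; }
}

# Usage with the account and path from the article:
#   check_sa_key "$HOME/.private/name-of-JSON-file.json" \
#       bigquery-speedtest-loader@bq-jake.iam.gserviceaccount.com &&
#   gcloud auth activate-service-account \
#       bigquery-speedtest-loader@bq-jake.iam.gserviceaccount.com \
#       --key-file="$HOME/.private/name-of-JSON-file.json"
```

Once the key is installed under .private, delete the downloaded copy from the machine where the Cloud Console saved it.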

To add or remove permissions from the service account, navigate to the Service Accounts section of the IAM & Admin menu. Be sure to follow the Principle of Least Privilege when adding permissions to your service accounts.

Pro Tip: Be sure to specify the OS user that we created above when scripting jobs that interact with your Google Cloud projects from CRON.
