Docs Home
Using a Google service account allows you to use Pulumi in a non-interactive setting (for example CI/CD systems, where a person can not complete the normal gcloud auth application-default login flow). A service account can also be used when developing locally to ensure a specific set of scoped credentials not tied to a user account are used. This can be useful even when developing locally to give you more control over the account role used for deployment.
To use a service account with Pulumi you will need to provide the Google Cloud Platform Provider with a [Google service account private key in JSON format]. You can create and download credentials using the Google Cloud Platform Credentials page on the Google Cloud Platform Console.
Your credentials are only used to authenticate with Google Cloud APIs on your behalf. Your credentials are never sent to pulumi.com.
Using your credentials
To communicate your credentials to the Pulumi Google Cloud Platform Provider, you can do any of the following:
Set the GOOGLE_APPLICATION_CREDENTIALS environment variable
The GOOGLE_APPLICATION_CREDENTIALS variable should hold the path to the JSON file that contains your credentials.
export GOOGLE_APPLICATION_CREDENTIALS=<path-to-credentials.json>
export GOOGLE_APPLICATION_CREDENTIALS=<path-to-credentials.json>
Windows Powershell
$env:GOOGLE_APPLICATION_CREDENTIALS=<path-tocredentials.json>
Set the credentials in your Pulumi.yaml
You may also set your credentials in your Pulumi.yaml config file:
pulumi config set gcp:credentials <your-credentials> # contents or filepath
pulumi config set gcp:credentials <your-credentials> # contents or filepath
Windows Powershell
pulumi config set gcp:credentials <your-credentials> # contents or filepath
The
gcp:credentialsvariable can accept either the contents or the filepath pointing at the location of your credentials file.