# Service Account Setup

A service account and a key are created for each GCP project to be onboarded.

## Disabling Restriction on the Service Account Key

1. Login to the [GCP Console](http://console.cloud.google.com/) and select the desired project.
2. Open the navigation pane at the top left of the home page ( <img src="/files/Bz4u9bJMuhiJxU3ydgjk" alt="" data-size="line"> ), and select **IAM & Admin** -> **Organization Policies**.
3. **Filter** and search for **iam.disableServiceAccountKeyCreation**.
4. Click the options menu ( <img src="/files/7DagHksotNef8625xoXr" alt="" data-size="line"> ) and select **Edit policy**.
5. Add a **Rule (Rule 1** in the graphic belo&#x77;**)** to turn off enablement.

<figure><img src="/files/LXEig5jOG1EkpW4Yvw0A" alt=""><figcaption><p>Filtering for <strong>iam.disableServiceAccountKeyCreation</strong></p></figcaption></figure>

<figure><img src="/files/glanow0o0HtRJwHIiQEA" alt=""><figcaption><p><strong>Configured Policy</strong> area with <strong>Rule 1</strong> defined to turn off enablement</p></figcaption></figure>

## Creating a Service Account

1. In the left navigation pane, click **IAM & Admin** -> **Service Accounts**. The **Service Accounts** page for your project displays.
2. Click **Create Service Account**. The **Create service account** wizard opens.
3. Complete **Service Account Details**.
4. In the **Grant this service account access to project** step, assign the **Owner** role as shown below, giving the account owner permission to the project. Complete the wizard, and click **Done**.

<div align="center"><figure><img src="/files/46Doaw2dRIl412teFi03" alt=""><figcaption><p>Assign <strong>Owner</strong> role to grant account owner permission to the project</p></figcaption></figure></div>

3. Select the Service Account you created and add a new **JSON** Key.
4. Download the JSON file and give it a meaningful name, such as `my-gcp-project-sa-key.json`.
5. Open a Terminal window and navigate to the location of the downloaded JSON file.
6. Run the following command. This copies the key contents on your clipboard. You can verify the contents by pasting it into a text editor.

```shell-session
jq -r .private_key < my-gcp-project-sa-key.json| pbcopy
```

## Adding the Service Account Private Key to the DuploCloud Portal

To add the private key to DuploCloud:

1. Login to the DuploCloud and navigate to **Administrator** -> **Cloud Credentials**. The **Cloud Credentials** page displays.
2. Paste the key in the **Service Account Private Key** field.
3. Enter a **Display name** for easy reference. Ideally, this name should include the project name.
4. Enter the **Project ID** and **Service Account Email** from the JSON key file you downloaded.
5. Click **Submit**.

<figure><img src="/files/aGYnnT2wAaer3c4vVVLg" alt=""><figcaption><p>The <strong>Cloud Credentials</strong> page in the DuploCloud Portal</p></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.duplocloud.com/docs/automation-platform/overview-1/prerequisites/service-account-setup.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.