# Service Account Setup

A service account and a key are created for each GCP project to be onboarded.

## Disabling Restriction on the Service Account Key

1. Log in to the [GCP Console](http://console.cloud.google.com/) and select the desired project.
2. Open the navigation pane at the top left of the home page ( <img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2FA3Vqgtrzhd1Nv7n4ePxC%2FGCP-nav.png?alt=media&#x26;token=188b1fe3-0833-4672-93aa-e08690867c28" alt="" data-size="line"> ), and select **IAM & Admin** -> **Organization Policies**.
3. **Filter** and search for **iam.disableServiceAccountKeyCreation**.
4. Click the options menu ( <img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2FZWRmz4rI312tT7HV1yq5%2FKabab_three_Vertical_dots.png?alt=media&#x26;token=3854853d-2ee3-4457-b79e-546dc0d7adfe" alt="" data-size="line"> ) and select **Edit policy**.
5. Add a **Rule** (**Rule 1** in the graphic below) to turn off enablement.

<figure><img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2FGjPUsZlKFADKQKygUHRg%2FGCP_pol1.png?alt=media&#x26;token=b679151a-5e68-4114-a146-aed81fbba317" alt=""><figcaption><p>Filtering for <strong>iam.disableServiceAccountKeyCreation</strong></p></figcaption></figure>

<figure><img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2Fx6R0LIjkLH7BPrWokPHd%2FGCP_pol2.png?alt=media&#x26;token=8070161c-6322-4fe5-b029-51a1f57aa3ae" alt=""><figcaption><p><strong>Configured Policy</strong> area with <strong>Rule 1</strong> defined to turn off enablement</p></figcaption></figure>

## Creating a Service Account

1. In the left navigation pane, click **IAM & Admin** -> **Service Accounts**. The **Service Accounts** page for your project displays.
2. Click **Create Service Account**. The **Create service account** wizard opens.
3. Complete **Service Account Details**.
4. In the **Grant this service account access to project** step, assign the **Owner** role as shown below, giving the account owner permission to the project. Complete the wizard, and click **Done**.

<div align="center"><figure><img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2F4j8qlKLYCWdiB6Uv8qfu%2Fimage.png?alt=media&#x26;token=c2a77aa3-5438-49c5-b6fa-4d284066a0cc" alt=""><figcaption><p>Assign <strong>Owner</strong> role to grant account owner permission to the project</p></figcaption></figure></div>

5. Select the Service Account you created and add a new **JSON** Key.
6. Download the JSON file and give it a meaningful name, such as `my-gcp-project-sa-key.json`.
7. Open a Terminal window and navigate to the location of the downloaded JSON file.
8. Run the following command. This copies the private key contents to your clipboard (`pbcopy` is a macOS utility). You can verify the contents by pasting them into a text editor.

```shell-session
jq -r .private_key < my-gcp-project-sa-key.json | pbcopy
```

## Adding the Service Account Private Key to the DuploCloud Portal

To add the private key to DuploCloud:

1. Log in to the DuploCloud Portal and navigate to **Administrator** -> **Cloud Credentials**. The **Cloud Credentials** page displays.
2. Paste the key in the **Service Account Private Key** field.
3. Enter a **Display name** for easy reference. Ideally, this name should include the project name.
4. Enter the **Project ID** and **Service Account Email** from the JSON key file you downloaded.
5. Click **Submit**.

<figure><img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2F9Y9cg32Eg9HLIjpuL1gx%2Fimage.png?alt=media&#x26;token=139c80e3-6769-4624-828f-7a7963fa7f88" alt=""><figcaption><p>The <strong>Cloud Credentials</strong> page in the DuploCloud Portal</p></figcaption></figure>
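
An added example, not part of DuploCloud's documentation or tooling: a Python check that reads the downloaded key file, confirms it is a service account key for the intended project, restricts the file to its owner, and returns the three values the **Cloud Credentials** form asks for. The function names and sample values are constructed; the email-suffix check assumes a user-created service account in a project whose ID has no domain prefix.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "project_id", "client_email", "private_key")

def portal_fields(path):
    """Validate a downloaded key file; return the Cloud Credentials form values."""
    # The file holds a long-lived credential: restrict it to the owner.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        os.chmod(path, 0o600)
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key (type={key['type']!r})")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM block")
    # Assumption: user-created accounts are NAME@PROJECT_ID.iam.gserviceaccount.com,
    # so any other suffix means the key belongs to a different project.
    suffix = f"@{key['project_id']}.iam.gserviceaccount.com"
    if not key["client_email"].endswith(suffix):
        raise ValueError("client_email does not belong to project_id")
    return {
        "Project ID": key["project_id"],
        "Service Account Email": key["client_email"],
        "Service Account Private Key": key["private_key"],
    }

def write_sample_key(directory, **overrides):
    """Write a constructed key file (placeholder values, not a real credential)."""
    key = {"type": "service_account", "project_id": "my-gcp-project",
           "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
           "client_email": "duplo-sa@my-gcp-project.iam.gserviceaccount.com"}
    key.update(overrides)
    path = os.path.join(directory, "my-gcp-project-sa-key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, 0o644)  # mimic a world-readable download
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        fields = portal_fields(write_sample_key(d))
        print({k: v for k, v in fields.items() if "Private Key" not in k})
```

The script prints only the project ID and email, so the private key never lands in terminal scrollback.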
