GCP BYOK Service Account Requirements

The following roles must be assigned to the GCP service account:

  • Cloud KMS Admin

  • Service Account Key Admin

  • Browser

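Download the JSON key file from the Key tab of the Service Account page (IAM & Admin > Service Account). This file contains the service account's private key, so store and handle it as a credential. Your JSON file should look like the following (private key body elided):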

{
     "type": "service_account",
     "project_id": "my-project",
     "private_key_id": "1c2f3ca8f0aactj23cj653ca12c4abf09052j2ca",
     "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
     "client_email": "gcp-byok@my-project.iam.gserviceaccount.com",
     "client_id": "687456956321489204860",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://oauth2.googlecerts.com/token",
     "auth_provider_x509_cert_url": "https://www.googlecerts.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googlecerts.com/robot/v3/metadata/x509/gcpbyok@my-project.iam.gserviceaccount.com",
     "universe_domain": "googlecerts.com"
}
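A pre-upload sanity check for the key file described above, as an added example that is not part of the original page or of any vendor tooling. The function name `check_key_file`, the sample values, and the rule that `client_email` ends in `@<project_id>.iam.gserviceaccount.com` (true for user-managed service accounts like the one in the sample) are assumptions of this example.

```python
import json

# Fields taken from the sample key file shown above.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")
PEM_HEAD = "-----BEGIN PRIVATE KEY-----"
PEM_TAIL = "-----END PRIVATE KEY-----"


def check_key_file(text):
    """Return a list of problems found in a key file's text (empty list = OK)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: the key was pasted with raw line breaks instead of \n escapes.
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not data.get(name)]
    if data.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    key = str(data.get("private_key", "")).strip()
    if not (key.startswith(PEM_HEAD) and key.endswith(PEM_TAIL)):
        problems.append("private_key is not a PEM-armored PKCS#8 block")
    email = str(data.get("client_email", ""))
    project = str(data.get("project_id", ""))
    # Assumption: user-managed service account, as in the sample above.
    if project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project_id")
    return problems


# Constructed sample input; the key body is a placeholder, not real key material.
SAMPLE_OK = json.dumps({
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "0000placeholder",
    "private_key": f"{PEM_HEAD}\nPLACEHOLDER\n{PEM_TAIL}\n",
    "client_email": "gcp-byok@my-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://example.invalid/token",
})
# The same file with the \n escapes turned into raw line breaks.
SAMPLE_BROKEN = SAMPLE_OK.replace("\\n", "\n")

if __name__ == "__main__":
    print(check_key_file(SAMPLE_OK))
    print(check_key_file(SAMPLE_BROKEN))
```

The check only inspects structure; it does not confirm that the three roles listed above are actually bound to the account.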