GCP Service Accounts are available through the CLI and API only — there is no in-browser (web) access.
How It Works
Each account points at a single GCP service account (identified by its email). When a user starts a session:- Infisical obtains a short-lived OAuth 2.0 access token for the target service account (see authentication methods below).
- The user’s Google Cloud requests are routed through a local proxy to the Infisical Gateway, which reaches
googleapis.comon their behalf. - The Gateway injects the access token into each request before forwarding it, so the user never handles the token directly.
Authentication Methods
You pick one of these when creating the account. The setup for each is covered in the steps below.- Impersonation (recommended) — Infisical itself runs under its own Google Cloud service account. Instead of storing any credentials for your target service account, it impersonates that account, asking Google to issue short-lived tokens on demand. This is the cleanest option because no keys for the target service account are ever created or stored.
- Static Key — You provide a service account key JSON, which Infisical stores encrypted and uses to obtain tokens. Choose this if you can’t (or don’t want to) set up impersonation. The key can belong to the target service account itself, or to a separate privileged service account allowed to impersonate it.
Creating an Account
Enter connection details
| Field | Description |
|---|---|
| Name | A descriptive name (e.g., prod-deployer) |
| Service Account Email | The email of the target GCP service account (must end in .iam.gserviceaccount.com) |
Choose an authentication method
Pick how Infisical should obtain tokens for the target service account, then follow the matching setup.
- Impersonation
- Static Key
There are no credentials to enter — but you need a one-time setup so Infisical can impersonate your target service account.1. Enable the IAM Service Account Credentials APIIn the target service account’s Google Cloud project, enable the IAM Service Account Credentials API (
3. Grant it the Token Creator roleIn the Google Cloud Console, go to IAM & Admin → Service Accounts, select your target service account, open the PERMISSIONS tab, click Grant Access, add Infisical’s service account (from step 2) as a principal, and assign it the Service Account Token Creator (
iamcredentials.googleapis.com). Without it, the account still saves, but sessions fail with a token-generation error when you try to connect.2. Find Infisical’s service account| Environment | Infisical’s service account |
|---|---|
| Infisical Cloud US | infisical-us@infisical-us.iam.gserviceaccount.com |
| Infisical Cloud EU | infisical-eu@infisical-eu.iam.gserviceaccount.com |
| Self-hosted | The service account configured via the INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL environment variable |
roles/iam.serviceAccountTokenCreator) role.Self-hosted only: impersonation first needs a platform GCP service account configured on your instance — a one-time setup covered in Configuring GCP for a self-hosted instance.
Connecting
Use the CLI to start a session. This requires thegcloud CLI to be installed locally.
gcloud for the session — you don’t need to change anything or run any extra commands. Once it’s active, use gcloud (and other Google Cloud tooling) as normal:
gcloud configuration is automatically restored when the session ends.
Flags:
--reason <reason>— provide an access reason (if required by the template)--duration <duration>— request a session duration (e.g.,30m), capped at the template maximum
A GCP session recording is a log of the HTTP requests and responses made to Google Cloud during the session — each request’s method and URL, and its response status.
Next Steps
AWS IAM Accounts
Add AWS IAM role accounts.
Sessions
View and manage sessions.