> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# GCP Service Accounts

> Add and connect to GCP service accounts via impersonation or a static key.

GCP Service Accounts let you broker credential-less access to Google Cloud. Instead of handing out long-lived service account keys, users request access through Infisical and connect to Google Cloud as the target service account through a [Gateway](/documentation/platform/gateways/overview), with every access logged.

<Note>
  GCP Service Accounts are available through the **CLI and API only** — there is no in-browser (web) access.
</Note>

## How It Works

Each account points at a single GCP service account (identified by its email). When a user starts a session:

1. Infisical obtains a short-lived OAuth 2.0 access token for the target service account (see [authentication methods](#authentication-methods) below).
2. The user's Google Cloud requests are routed through a local proxy to the Infisical **Gateway**, which reaches `googleapis.com` on their behalf.
3. The Gateway injects the access token into each request before forwarding it, so the user never handles the token directly.

### Authentication Methods

You pick one of these when creating the account. The setup for each is covered in the steps below.

* **Impersonation (recommended)** — Infisical itself runs under its own Google Cloud service account. Instead of storing any credentials for your target service account, it [impersonates](https://cloud.google.com/iam/docs/service-account-impersonation) that account, asking Google to issue short-lived tokens on demand. This is the cleanest option because no keys for the target service account are ever created or stored.
* **Static Key** — You provide a service account key JSON, which Infisical stores encrypted and uses to obtain tokens. Choose this if you can't (or don't want to) set up impersonation. The key can belong to the target service account itself, or to a separate privileged service account allowed to impersonate it.

## Creating an Account

<Steps>
  <Step title="Start adding an account">
    Go to **Privileged Access Management → Accounts** and click **Add Account**.
  </Step>

  <Step title="Select a folder and template">
    Choose which [folder](/documentation/platform/pam/folders/overview) to add the account to, then select a GCP Service Account [template](/documentation/platform/pam/templates/overview).

    The template (or the account) must be assigned a [Gateway](/documentation/platform/gateways/overview) — GCP traffic is proxied through it, so the Gateway needs outbound access to `googleapis.com` on port `443`.
  </Step>

  <Step title="Enter connection details">
    | Field                     | Description                                                                          |
    | ------------------------- | ------------------------------------------------------------------------------------ |
    | **Name**                  | A descriptive name (e.g., `prod-deployer`)                                           |
    | **Service Account Email** | The email of the target GCP service account (must end in `.iam.gserviceaccount.com`) |
  </Step>

  <Step title="Choose an authentication method">
    Pick how Infisical should obtain tokens for the target service account, then follow the matching setup.

    <Tabs>
      <Tab title="Impersonation">
        There are no credentials to enter — but you need a one-time setup so Infisical can impersonate your target service account.

        **1. Enable the IAM Service Account Credentials API**

        In the target service account's Google Cloud project, enable the IAM Service Account Credentials API (`iamcredentials.googleapis.com`). Without it, the account still saves, but sessions fail with a token-generation error when you try to connect.

        **2. Find Infisical's service account**

        | Environment        | Infisical's service account                                                                                     |
        | ------------------ | --------------------------------------------------------------------------------------------------------------- |
        | Infisical Cloud US | `infisical-us@infisical-us.iam.gserviceaccount.com`                                                             |
        | Infisical Cloud EU | `infisical-eu@infisical-eu.iam.gserviceaccount.com`                                                             |
        | Self-hosted        | The service account configured via the `INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL` environment variable |

        **3. Grant it the Token Creator role**

        In the Google Cloud Console, go to **IAM & Admin → Service Accounts**, select your **target** service account, open the **PERMISSIONS** tab, click **Grant Access**, add Infisical's service account (from step 2) as a principal, and assign it the **Service Account Token Creator** (`roles/iam.serviceAccountTokenCreator`) role.

        <Note>
          **Self-hosted only:** impersonation first needs a platform GCP service account configured on your instance — a one-time setup covered in [Configuring GCP for a self-hosted instance](/integrations/app-connections/gcp).
        </Note>
      </Tab>

      <Tab title="Static Key">
        Provide a service account key JSON. Infisical stores it encrypted and never returns it to clients.

        **1. Create a key**

        In the Google Cloud Console, go to **IAM & Admin → Service Accounts** and select the service account to use — either the target service account itself, or a privileged one allowed to impersonate it. Open the **KEYS** tab, click **Add Key → Create new key**, and choose **JSON**. The file downloads automatically.

        **2. Paste it into the form**

        | Field                        | Description                                                                                  |
        | ---------------------------- | -------------------------------------------------------------------------------------------- |
        | **Service Account Key JSON** | The full contents of the downloaded JSON key (must contain `client_email` and `private_key`) |
      </Tab>
    </Tabs>
  </Step>

  <Step title="Save">
    Click **Create**.
  </Step>
</Steps>

## Connecting

Use the CLI to start a session. This requires the [`gcloud` CLI](https://cloud.google.com/sdk/docs/install) to be installed locally.

```bash theme={"dark"}
infisical pam access my-folder/prod-deployer
```

The command **automatically configures `gcloud`** for the session — you don't need to change anything or run any extra commands. Once it's active, use `gcloud` (and other Google Cloud tooling) as normal:

```bash theme={"dark"}
gcloud compute instances list
gcloud storage ls
```

Press **Ctrl+C** to stop the session (or wait for it to expire). Your `gcloud` configuration is automatically restored when the session ends.

**Flags:**

* `--reason <reason>` — provide an access reason (if required by the template)
* `--duration <duration>` — request a session duration (e.g., `30m`), capped at the template maximum

<Note>
  A GCP session recording is a log of the HTTP requests and responses made to Google Cloud during the session — each request's method and URL, and its response status.
</Note>

## Next Steps

<CardGroup cols={2}>
  <Card title="AWS IAM Accounts" icon="aws" href="/documentation/platform/pam/accounts/aws-iam">
    Add AWS IAM role accounts.
  </Card>

  <Card title="Sessions" icon="display" href="/documentation/platform/pam/sessions/overview">
    View and manage sessions.
  </Card>
</CardGroup>
