Google - Credentials
The Serverless Framework needs access to account credentials for your Google Cloud account so that it can create and manage resources on your behalf.
Create a Google Cloud Billing Account
You need a Billing Account with a credit card attached to use Google Cloud Functions. Here's how to create one:
- Click here, to go to the screen to create a new Billing Account.
- Enter the name of the Billing Account and enter your billing information. Then click Submit to enable billing.
- A Billing Account will exist already offering you a free trial. Please note that this will not work for Google Cloud Functions. Only a Billing Account with a valid credit card will work.
If necessary, a more detailed guide on creating a Billing Account can be found here.
Create a new Google Cloud Project
A Google Cloud Project is required to use Google Cloud Functions. Here's how to create one:
- Go to the Google Cloud Console.
- There is a dropdown near the top left of the screen (near the search bar that lists your projects). Click it and select "Create Project".
- Enter a Project name and select the Billing Account you created in the steps above (or any Billing Account with a valid credit card attached).
- Click on "Create" to start the creation process.
- Wait until the Project was successfully created and Google will redirect you to your new Project.
- Verify you're currently within your new Project by looking at the dropdown next to the search bar. This should mark your new Project as selected.
Enable the necessary APIs
You need to enable the following APIs so that Serverless can create the corresponding resources.
Go to the API dashboard, select your project and enable the following APIs (if not already enabled):
- Cloud Functions API
- Cloud Deployment Manager V2 API
- Cloud Build API
- Cloud Storage
- Cloud Logging API
Set up a user & assign roles
You can either use a Service Account or directly your Google Account with appropriate roles that Serverless can use to create resources in your project.
Google Account
(Google Accounts are real users who can be authenticated by the Google SSO)
This method is the most convenient to allow developers to develop and deploy a Serverless application locally.
If you are owner of the project you have nothing to do. Otherwise, make sure your user has at least the following roles:
Deployment Manager Editor
Storage Admin
Logging Admin
Cloud Functions Developer
Service Account
(Service accounts are accounts for applications instead of individuals end users)
This method is useful for to authenticate a CI/CD or to assume a specific role without changing the roles of a Google Account.
Create a Service Account with at least the following roles:
Deployment Manager Editor
Storage Admin
Logging Admin
Cloud Functions Developer
How to create a Service Account:
- Go to the Google Cloud Console.
- Choose the project that you are working on from the top drop down
- Click
IAM & admin
menu on left-sidebar - Then click
Service accounts
on left-sidebar - Click
CREATE SERVICE ACCOUNT
button on the top - Input Service account name and Service account ID will be generated automatically for you. Change it if you wish to.
- Click
Create
button - Add
Deployment Manager Editor
,Storage Admin
,Logging Admin
,Cloud Functions Developer
roles - Click
Done
button
Authenticate
The Serverless Google Cloud plugin supports several authentication methods.
Application Default Credentials
The plugin will let Google find the Application Default Credentials and implicitly authenticate.
To authenticate with a Google Account use gcloud cli login
gcloud auth application-default login
To authenticate with a Service Account:
- Go on the Service Account panel of
IAM & admin
- Select a Service Account and click on
manage keys
- Create a JSON credentials keyfile
- Download and store the keyfile
- expose the absolute path of the keyfile in the environment variable
GOOGLE_APPLICATION_CREDENTIALS
Explicitly provide the path of a credentials keyfile
- Get a credentials keyfile as explained above.
- In the
provider
config inserverless.yml
, add acredentials
attribute with the absolute path of the credentials keyfile:
provider:
name: google
runtime: nodejs
project: my-serverless-project-1234
credentials: ~/.gcloud/keyfile.json # <- the path must be absolute
If provider.credentials
is provided in the serverless.yml
, the Application Default Credentials will be ignored.