Service Accounts have arrived

March 20, 2012


Link copied to clipboard
Author Photo
By Justin Smith, Product Manager

Starting today, Google supports Service Accounts, which provide certificate-based authentication for server-to-server interactions. This means, for example, that a request from a web application to Google Cloud Storage can be authenticated via a certificate instead of a shared key. Certificates offer better security properties than shared keys and passwords, largely because they are not human-readable or guessable.

Service accounts are currently supported by the following Google developer services:
  • Google Cloud Storage
  • Google Prediction API
  • Google URL Shortener
  • Google OAuth 2.0 Authorization Server
  • Google APIs Console
  • Google APIs Client Libraries for Python, Java, and PHP
Over time, more Google APIs and client libraries will be supported.

This feature is implemented as an OAuth 2.0 flow and is compliant with draft 25 of the OAuth 2.0 specification. An application implements the following steps to authenticate with a Service Account:
  1. Generate a JSON structure.
  2. Sign the JSON structure with a private key, and encode it as a JSON Web Token (JWT).
  3. Send the JWT to Google’s OAuth 2.0 Authorization Server in exchange for an access token.
  4. Send the access token to Google Cloud Storage or the Google Prediction API.
The Google APIs Client Libraries for Python, Java, and PHP wrap these steps into a few lines of code and abstract the error-prone signing and encoding operations from your applications. We strongly encourage you to use these libraries for this type of interaction. We will be expanding support to other client libraries (including Ruby and .NET). Library developers can find the specifics of the protocol in the OAuth 2.0 Service Accounts documentation.

If you’re a Google App Engine developer, all this might sound similar to what is described in these articles: App Engine & Storage, App Engine & Prediction. Service Accounts generalize this App Engine capability by making it available to other server-side platforms. When using another server-side platform, you can create a Service Account through the Google APIs Console. See the Google APIs Console documentation for more information on creating a Service Account.

As always, we welcome and appreciate feedback. Please post any questions or comments to the OAuth 2.0 Google group.


Justin Smith is a Google Product Manager and works on authentication and authorization technologies. He enjoys woodworking, cycling, country music, and the company of his wife and newborn daughter (not in that order).

Posted by Scott Knaster, Editor