To use a service account outside of GCP, such as on other platforms or on-premises, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal.
You can create a service account key using the GCP Console, the gcloud tool, the serviceAccounts.keys.create() method, or one of the client libraries.
In the examples below, [SA-NAME] is the name of your service account, and [PROJECT-ID] is the ID of your Google Cloud Platform project. You can retrieve the [SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com string from the Service Accounts page in the GCP Console.
-
Open the IAM & Admin page in the GCP Console.
-
Select your project and click Continue.
-
In the left nav, click Service accounts.
-
Look for the service account for which you wish to create a key, click the More more_vert button in that row, and then click Create key.
-
Select a Key type and click Create.
Note that the privateKeyData returned is a base64-encoded string representation of the TYPE_GOOGLE_CREDENTIALS_FILE value (JSON or P12 key/credentials).
When you create a key, your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing the private key securely. Take note of its location and ensure the key is accessible to your application; it needs the key to make authenticated API calls.
Check this for further details https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-console
