The gcloud CLI allows developers to use private keys to authenticate with service accounts, also known as robot accounts. This page describes how to create and use p12 keys of service accounts for the Cloud de Confiance by S3NS.
Install pyca/cryptography
    The pyca/cryptography library
    (version >= 2.5) allows the gcloud CLI to decode the p12 format
    key files that identify a service account. Because it includes cryptographical routines,
    pyca/cryptography is not distributed with the gcloud CLI.
  
    If your system has pip, the command-line interface to the
    Python Package Index, installed,
    to install pyca/cryptography, run the following command.
    Refer to Installation Instruction
    for more information.
  
python -m pip install cryptography
CLOUDSDK_PYTHON_SITEPACKAGES=1
    Once pyca/cryptography is installed, you will need to set the CLOUDSDK_PYTHON_SITEPACKAGES
    environment variable to 1. This environment variable setting tells the gcloud CLI
    that it should look outside of its own google-cloud-sdk/lib directory for libraries
    to include. It is generally safe to set CLOUDSDK_PYTHON_SITEPACKAGES=1, but if
    something stops working you may need to undo it.
  
Creating a service account
To create a new service account and download a p12 key file, follow the steps in Creating service account keys.
This key file should be considered a secret, and you should take precautions to make sure that it is not accessible by untrusted parties. On unix-like systems, you can ensure that a file is not visible to other remotely connected users (other than a root user) by using the following command.
chmod 0600 YOUR_KEY_FILE.p12
Using your service account with the gcloud CLI
    Service account credentials can be enabled by using
    gcloud auth activate-service-account.
  
    To use your service account with the gcloud CLI, run
    gcloud auth activate-service-account and pass it the path to
    your key file with the required --key-file flag, and give it an
    account as a positional argument.
  
The account you use should be the email for the service account listed in the Cloud de Confiance console, but it will not be verified; it only helps you remember which account you are using.
gcloud auth activate-service-account --key-file ~/mykeys/my_key_file.p12 my_service_account@developer.s3ns-system.iam.gserviceaccount.com Activated service account credentials for my_service_account@developer.s3ns-system.iam.gserviceaccount.com.
    WARNING: The gcloud auth activate-service-account will
    make a copy of your private key and store it in
    $HOME/.config/gcloud/legacy_credentials/my_service_account@developer.s3ns-system.iam.gserviceaccount.com/private_key.p12 and
    $HOME/.config/gcloud/credentials.db.
    It will be created with 0600 permissions (read/write for your
    own user only), and everything stored in $HOME/.config/gcloud
    should be considered a secret already. To reliably and confidently delete
    any authentication data stored by the gcloud CLI, one only has to delete
    $HOME/.config/gcloud. Secure management of the key file
    downloaded from the Cloud de Confiance console is left to the user. When in
    doubt, revoke the key in the Cloud de Confiance console.
  
Now that the service account has been activated, it can be seen in the credentials list.
gcloud auth list Credentialed Accounts ACTIVE ACCOUNT * my_service_account@developer.s3ns-system.iam.gserviceaccount.com To set the active account, run: $ gcloud config set account my_service_account@developer.s3ns-system.iam.gserviceaccount.com