APIGEE access token google cloud

I am trying to get an access token for Google Cloud on Apigee via a service account.
I have tried using the Java library to obtain the token, but that library seems to use reflection and therefore does not work on Apigee.

Is it possible via policy or JavaScript to get an access token?


I am trying to get an access token for Google Cloud on Apigee via a service account.

There are multiple different ways to get an access token usable within GCP, on behalf of a service account. Two of them I know are:

  1. via the /token endpoint, using a grant_type of 'urn:ietf:params:oauth:grant-type:jwt-bearer'
  2. via the metadata endpoint. This works only for code that is running in GCP.

If you are running in Apigee X, then you can use the latter, implicitly, via the new-ish Google Authentication capability. You can use that within a ServiceCallout; check the docs here. If you use this, then "getting a GCP access token" (and refreshing the token as necessary) is handled by the Apigee runtime, based on the configuration you provide for the API proxy and the ServiceCallout policy. It's pretty slick.

The first option allows you to request the token explicitly. To use this, you would need to produce a signed JWT with a particular form, and then post that JWT as an assertion to the /token endpoint. In response, you get the access token.

If you for some reason want to do THAT, rather than letting Apigee get the token for you, then... there's a reference implementation showing how. Find it here. It uses GenerateJWT to generate the signed token, and then ServiceCallout to post to the /token endpoint. Just as is required.

I advise you to NOT try to use the Java library issued by Google, within an Apigee callout (reflection won't allow it), and I advise you to NOT try to use JavaScript within Apigee, to do similar. The example shown in the reference I cited above is the recommended way to do it.
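
A sketch of the GenerateJWT plus ServiceCallout flow described in the reply, as an added example that is not part of the original post and is not the reference implementation it cites. The policy names and flow variables (`private.sa_key`, `private.sa_email`, `sa_assertion`, `tokenResponse`, `gcp`) and the `cloud-platform` scope are assumptions; the two `private.` variables are assumed to have been loaded earlier in the flow from an encrypted key value map, so the key material is masked in debug sessions.

```xml
<!-- Policy 1 (hypothetical name): sign the assertion with the service account key. -->
<GenerateJWT name="GJWT-ServiceAccountAssertion">
  <Algorithm>RS256</Algorithm>
  <PrivateKey>
    <!-- Assumed variable holding the PEM private key; must carry the private. prefix -->
    <Value ref="private.sa_key"/>
  </PrivateKey>
  <!-- iss = the service account's email address (assumed variable) -->
  <Issuer ref="private.sa_email"/>
  <!-- aud = Google's token endpoint -->
  <Audience>https://oauth2.googleapis.com/token</Audience>
  <!-- Keep the assertion short-lived; it is exchanged immediately -->
  <ExpiresIn>60s</ExpiresIn>
  <AdditionalClaims>
    <!-- Request only the scope the proxy needs; this value is an assumption -->
    <Claim name="scope">https://www.googleapis.com/auth/cloud-platform</Claim>
  </AdditionalClaims>
  <OutputVariable>sa_assertion</OutputVariable>
</GenerateJWT>

<!-- Policy 2 (hypothetical name): post the signed JWT as the assertion. -->
<ServiceCallout name="SC-ExchangeAssertion">
  <Request variable="tokenRequest">
    <Set>
      <Verb>POST</Verb>
      <FormParams>
        <FormParam name="grant_type">urn:ietf:params:oauth:grant-type:jwt-bearer</FormParam>
        <FormParam name="assertion">{sa_assertion}</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>tokenResponse</Response>
  <HTTPTargetConnection>
    <URL>https://oauth2.googleapis.com/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- Policy 3 (hypothetical name): pull the token out of the JSON response. -->
<ExtractVariables name="EV-AccessToken">
  <Source>tokenResponse</Source>
  <VariablePrefix>gcp</VariablePrefix>
  <JSONPayload>
    <Variable name="access_token"><JSONPath>$.access_token</JSONPath></Variable>
    <Variable name="expires_in"><JSONPath>$.expires_in</JSONPath></Variable>
  </JSONPayload>
</ExtractVariables>
```

Each policy lives in its own file in the proxy bundle and the three run in this order; after the third, the token is in `gcp.access_token`.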