Getting an OAuth token to access administrative APIs in Apigee hybrid

What I'm looking for is a curl call that will generate a token using a service account, and I found

https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oa...

but here we need to provide a gcloud default token every time to generate a token.

Can anyone please suggest a better way of doing this, like using the details I have in the service account key file instead of running gcloud commands?


Can anyone please suggest a better way of doing this, like using the details I have in the service account key file instead of running gcloud commands?

Yes.

The way to do it:

  1. Create a signed JWT.
    • The JWT must have these claims:
      1. issuer: client_email (from SA JSON file)
      2. audience: token_uri (from SA JSON)
      3. scope: whatever GCP token scope you want (https://www.googleapis.com/auth/cloud-platform works, but is probably overly permissive)
    • The JWT must have an expiry, and its lifetime must be no greater than 300 seconds
    • The JWT must be signed with RS256, using the private key from the sa key .json file
  2. Send the JWT to https://oauth2.googleapis.com/token
    • verb: POST
    • Content-Type: application/x-www-form-urlencoded
    • form params:
      1. assertion = (the JWT from above)
      2. grant_type = urn:ietf:params:oauth:grant-type:jwt-bearer

In response you get an access token. It is good for 30-60 minutes. (I can't remember which).

Use any tool you like to create and sign the JWT and POST it to the token endpoint. Here's a nodejs script that does it. Even an Apigee proxy can do it (via GenerateJWT and ServiceCallout), if it has access to the SA .json file.

If you already have gcloud, though, you may be able to do it more simply. There is a way to grant to a user the ability to impersonate a Service Account. If you do that, you can then use gcloud to get the token that represents the service account. gcloud does all the JWT signing and so on.