You have an application running on an on-premises server (outside of Google Cloud) that needs to publish messages to a Cloud Pub/Sub topic. You have created a Service Account with the necessary Pub/Sub Publisher role.

How should the on-premises application authenticate as this Service Account?

Attach the Service Account to the on-premises server using the Cloud Console.

Generate a JSON key for the Service Account, securely store it on the on-premises server, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the file.

Configure the on-premises server to use Identity-Aware Proxy (IAP).

Use the gcloud auth login command on the server to log in with your personal Google account.