Understanding Service Accounts in GCP
What is a Service Account?
A service account is a special kind of Google account that belongs to your application or VM instance, rather than an individual user. Applications use service accounts to authenticate and authorize their access to Google APIs and services — without user interaction.
For example:
A Compute Engine VM can be configured to run as a service account.
That service account will have the permissions required to access resources like Cloud Storage buckets, Pub/Sub topics, or BigQuery datasets.
Thus, the service account acts as the identity for the service, and its permissions control what resources it can access.
A service account is uniquely identified by its email address.
Types of Service Accounts
There are two main types of service accounts you’ll encounter in GCP:
1. User-Managed Service Accounts
The user-managed service accounts you will meet first are the defaults GCP creates for you. When you create a new GCP project and enable the Compute Engine API, GCP automatically creates a default Compute Engine service account for your project.
It has an email address like:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
Similarly, if your project has an App Engine application, a default App Engine service account is created with an email like:
PROJECT_ID@appspot.gserviceaccount.com
2. Google-Managed Service Accounts
Besides user-managed service accounts, you might see other service accounts created and managed directly by Google.
An example is the Google APIs service account, with an email format:
PROJECT_NUMBER@cloudservices.gserviceaccount.com
This account is used internally by Google services to run processes on your behalf.
A few important points:
It is not listed in the Service Accounts section.
It is granted the Editor role by default in the project's IAM policy.
Do not remove or modify this service account’s roles, as it may break Google services dependent on it.
Note: Google services rely on this account for internal operations. Deleting or restricting it can cause service disruptions.
Create and Manage Service Accounts
When you create a new GCP project, one Compute Engine service account and one App Engine service account are automatically created for you.
However, you can manually create additional service accounts as needed.
Creating a Service Account
You can create a service account using the gcloud CLI with the following command:
gcloud iam service-accounts create my-svc-ac --display-name "my service account"
This creates a new service account named my-svc-ac in your current project.
Granting Roles to Service Accounts
When managing permissions in GCP:
A service account can be treated as an identity (who is accessing).
Or as a resource (who can access the service account).
For example:
You can grant the Editor role to a service account so it can access project resources.
You can also grant a user the Service Account User role to allow them to start a VM that uses the service account.
Granting Roles to a Service Account for Specific Resources
To allow a service account to perform specific actions, you assign it IAM roles.
For example, to give a service account the roles/editor role:
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:my-sa-123@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/editor
This grants the Editor role at the project level to the my-sa-123 service account.
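As an added example (not code from the original post), here is a Python check over the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns: it classifies each service account by the email patterns described above and lists the ones holding the broad Editor or Owner role at project level, skipping the Google APIs service agent that the post says must keep its role. The policy, project number and account names are constructed sample data.

```python
import json
import re

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`; all names are made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor", "members": [
            "serviceAccount:123456789012@cloudservices.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
            "serviceAccount:my-sa-123@example-project.iam.gserviceaccount.com",
        ]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": [
            "serviceAccount:reader-sa@example-project.iam.gserviceaccount.com",
        ]},
    ]
})

# Basic (primitive) roles are far broader than any single workload needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def classify(email):
    """Map a service account email to the account type described in the post."""
    if re.fullmatch(r"\d+@cloudservices\.gserviceaccount\.com", email):
        return "google-apis-service-agent"   # Google-managed, keeps Editor
    if re.fullmatch(r"\d+-compute@developer\.gserviceaccount\.com", email):
        return "default-compute"
    if re.fullmatch(r"[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com", email):
        return "default-appengine"
    if re.fullmatch(r"[a-z][a-z0-9-]*@[a-z][a-z0-9-]*\.iam\.gserviceaccount\.com", email):
        return "user-created"
    return "other"


def broad_sa_bindings(policy_json):
    """Return (email, kind, role) for each service account holding a broad role,
    skipping the Google APIs service agent whose Editor role must stay in place."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        if binding["role"] not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue                      # users and groups are out of scope here
            email = member.split(":", 1)[1]
            kind = classify(email)
            if kind != "google-apis-service-agent":
                findings.append((email, kind, binding["role"]))
    return findings
```

The default Compute Engine account shows up in the findings on purpose: it is user-managed, so its default Editor role can and should be narrowed.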
Written by Rohit