Understanding service accounts  |  IAM Documentation  |  Google Cloud (2024)


A service account is a special type of Google account intended to representa non-human user that needs to authenticate and be authorized to accessdata in Google APIs.

Typically, service accounts are used in scenarios such as:

  • Running workloads on virtual machines (VMs).
  • Running workloads on on-premises workstations or data centers that callGoogle APIs.
  • Running workloads which are not tied to the lifecycle of a human user.

Your applicationassumes the identity of the service account to call Google APIs,so that the users aren't directly involved.

Managing service accounts

Service accounts can be thought of as both aresource and as anidentity.

When thinking of the service account as an identity, you can grant a role to aservice account, allowing it to access a resource (such as a project).

When thinking of a service account as a resource, you can grant roles to otherusers to access or manage that service account.

Granting access to service accounts

Granting access to a service account to access a resource is similar to grantingaccess to any other identity. For example, if you have an application running onCompute Engine and you want the application to only have access tocreate objects in Cloud Storage. You can create a service account for theapplication and grant it the Storage Object Creator role.

Learn aboutGranting roles to all types of principals,including service accounts.

Keeping track of service accounts

Over time, as you create more and more service accounts, you might lose track ofwhich service account is used for what purpose.

The display name of a service account is a good way to capture additionalinformation about the service account, such as the purpose of the serviceaccount or a contact person for the account. For new service accounts, you canpopulate the display name when creating the service account. For existingservice accounts use the serviceAccounts.update() method tomodify the display name.

Identifying unused service accounts

Unused service accounts create an unnecessary security risk, so we recommenddisabling unused service accounts, thendeleting the service accounts when you are sure that you no longerneed them. You can use the following methods to identify unused serviceaccounts:

  • Service account insights tell you which service accounts inyour project have not authenticated in the past 90 days.
  • Activity analyzer lets you check when a serviceaccount or key was last used.

You can also use service account usage metrics to track serviceaccount and key usage generally.

Deleting and recreating service accounts

It is possible to delete a service account and then create a new serviceaccount with the same name.

When you delete a service account, its role bindings are not immediatelydeleted. Instead, the role bindings list the service account with the prefixdeleted:. For an example, seePolicies with deleted principals.

If you create a new service account with the same name as a recently deletedservice account, the old bindings may still exist; however, they will notapply to the new service account even though both accounts have the same emailaddress. This behavior occurs because service accounts are given a unique IDwithin Identity and Access Management (IAM) at creation. Internally, all role bindings aregranted using these IDs, not the service account's email address. Therefore, anyrole bindings that existed for a deleted service account do not apply to a newservice account that uses the same email address.

Similarly, if youattach a service account to a resource, thendelete the service account and create a new service account with the same name,the new service account will not be attached to the resource.

To prevent this unexpected behavior, consider using a new, unique name for everyservice account. Also, if you accidentally delete a service account, you can tryto undelete the service account instead of creating a new serviceaccount.

If you cannot undelete the original service account, and you need to create anew service account with the same name and the same roles, you must grant theroles to the new service account. For details, seePolicies with deleted principals.

If you also need the new service account to be attached to the same resourcesas the original service account, do one of the following:

  • For Compute Engine instances, you canchange the service account that is attached to the instanceto replace the original service account with the new service account.
  • For all other resources, you must delete the existing resource, then create anew resource of the same type andattach the new service account.

Permissions for service accounts

This section describes common scenarios for permissions granted to serviceaccounts, or user accounts that have the permissions to impersonate serviceaccounts:

  • Granting minimum permissions to service accounts
  • Service account permissions for common scenarios

Granting minimum permissions to service accounts

As with all types of principals, you should only grant the service account theminimum set of permissions required to achieve its goal. Learn aboutgranting roles to all types of principals,including service accounts.

When granting permissions to users to access a service account, keep in mindthat the user can access all the resources for which the service account haspermissions. Therefore it's important to configure permissions of your serviceaccounts carefully; that is, be strict about who on your team can act as(or impersonate) a service account. Use particular caution when allowing usersto impersonate highly privileged service accounts, such as theCompute Engine and App Enginedefault service accounts.

Users with IAM roles to updatethe App Engine and Compute Engine instances (such asApp Engine Deployeror Compute Instance Admin) can effectively run codeas the service accounts used to run these instances, and indirectly gain accessto all the resources for which the service accounts has access. Similarly,SSH access to a Compute Engine instance mayalso provide the ability to execute code as that instance.

Service account permissions for common scenarios

Service accounts can be used in many different scenarios, and each of themrequires certain permissions. This section describes common scenarios and whatpermissions are required.

Attaching service accounts to resources

If you want to start a long-running job that authenticates as a service account,you need to attach a service account to the resource that will run the job.


  • Permissions to create the resource
  • iam.serviceAccounts.actAs

To find roles that include these permissions, search theroles list for the permissions.

There are several different Google Cloud resources that can runlong-running jobs as service accounts. Some examples of these resources include:

  • Compute Engine VMs
  • App Engine apps
  • Cloud Functions

When you create these resources, you have the option to attach a serviceaccount. This service account acts as the resource's identity.

To create a resource and attach a service account, you need permissions tocreate that resource and permission to impersonate the service account that youwill attach to the resource. Permission to impersonate the service account isprovided by any role that includes the iam.serviceAccounts.actAs permission.

After you create the resource and attach a service account to it, you can starta long-running job on the resource. The job runs as the service account that isattached to the resource, and uses that service account to authorize requests toGoogle Cloud APIs.

To learn more about attaching service accounts to resources, seeAttaching a service account to a resource.

Directly impersonating a service account


  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • iam.serviceAccounts.implicitDelegation


  • roles/iam.serviceAccountTokenCreator (Service Account Token Creator)

Once granted the required permissions, a user (or service) can directlyimpersonate (or assert) the identity of a service account in a few commonscenarios.

First, the user may get short-term credentials for the service account using theiam.serviceAccounts.getAccessToken permission and by calling thegenerateAccessToken()method. By using short-term credentials, a user can issue commands toGoogle Cloud and can access all resources to which the service account hasaccess. For example, this flow allows a user to use thegcloud --impersonate-service-accountflag to impersonate the service account without requiring the use of adownloaded external service account key.

Second, the user may get artifacts signed by the Google-managed private key ofthe service account using the iam.serviceAccounts.signBlob permission and bycalling either thesignBlob()orsignJwt()method. The Google-managed private key is always held in escrow and is neverdirectly exposed. signBlob() allows signing of arbitrary payloads (such asCloud Storage-signed URLs), while signJwt() only allows signingwell-formed JWTs.

Finally, the user may impersonate (or assert) the service account without everretrieving a credential for the service account. This is an advanced use case,and is only supported for programmatic access using thegenerateAccessToken()method. In scenarios with at least 3 serviceaccounts, namely A, B, and C: service account A can get an access tokenfor service account C if service account A is granted theiam.serviceAccounts.implicitDelegation permission on B, and B is grantedthe iam.serviceAccounts.getAccessToken permission on C.

Generating OpenID Connect (OIDC) ID tokens


  • iam.serviceAccounts.getOpenIdToken


  • roles/iam.serviceAccountTokenCreator (Service Account Token Creator)

A user (or service) can generate an OpenID Connect (OIDC)-compatible JWT tokensigned by the Google OIDC Provider (accounts.google.com) that represents theidentity of the service account using the iam.serviceAccounts.getOpenIdTokenpermission.

These tokens are not directly accepted by most Google APIs without yourorganization deploying additional identity federation to grant access toGoogle. There are a few exceptions—for example, Identity-Aware Proxy, which allowsOIDC-based access to user-run applications.

Generating external private keys


  • iam.serviceAccountKeys.create


  • roles/editor (Editor)
  • roles/iam.serviceAccountKeyAdmin (Service Account Key Admin)

A user or service can generate external private key material (RSA) that can beused to authenticate directly to Google as the service account. This keymaterial can then be used with Application Default Credentials (ADC) libraries,or with thegcloud auth activate-service-accountcommand. Any person who gains access to the key material will then have fullaccess to all resources to which the service account has access. Such privatekey material should be treated with the highest concern, and should beconsidered less secure the longer the material exists. Therefore, rotatingprivate key material is critical to maintaining strong security.

Using service accounts with Compute Engine

Compute Engine instances need to run as service accounts to have accessto other Google Cloud resources. To make sure that yourCompute Engine instances are more secure, consider the following:

  • You can create VMs in the same project with different service accounts. Tochange the service account of a VM after it's created, use theinstances.setServiceAccountmethod.

  • You cangrant IAM roles to service accountsto define what they can access. In many cases you won't need to rely on scopesanymore. This gives you the advantage of being able to modify permissions of aVM's service account without recreating the instance.

  • Since instances depend on their service accounts to have access toGoogle Cloud resources, avoid deleting service accounts when they arestill used by running instances. If you delete the service accounts, theinstances may start failing their operations.

What's next

  • Read our best practices for working with service accounts.

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Get started for free

Understanding service accounts  |  IAM Documentation  |  Google Cloud (2024)


What is a service account within Google Cloud and what is its purpose? ›

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).

Which of the following are the best practices recommended by Google Cloud when dealing with service accounts? ›

The best practice is to set the full cloud-platform access scope on the instance, then control the service account's access using IAM roles. Essentially: IAM restricts access to APIs based on the IAM roles that are granted to the service account. Access scopes potentially further limit access to API methods.

How do I download the service account credentials JSON file in Google Cloud? ›

The service account key JSON file is automatically downloaded to your local machine.
  1. Login to GCP Home Page.
  2. Create the service account.
  3. Grant the service account access to project.
  4. Select the newly created service account.
  5. Create key for the service account.
  6. Generate the service account JSON key and download.

What are the three built-in service accounts? ›

Built-in service account — On a local computer, you can configure an application to run under one of the three built-in service accounts: LocalService, NetworkService or LocalSystem.

What are the 5 key account management processes? ›

9 Quick Steps of Key Account Management Process
  • Step 1: Portfolio vis-à-vis profits.
  • Step 2: Understanding the Customer entirely.
  • Step 3: Relationship X-Ray.
  • Step 4: Draw up a Key Account Plan Blueprint.
  • Step 5: Get into Action.
  • Step 6: Resource Planning and Audit.
  • Step 7: Communicate with internal and external stakeholders.

What is the difference between a service account and a user account? ›

Service accounts differ from user accounts in a few key ways: Service accounts do not have passwords, and cannot log in via browsers or cookies.

How do service accounts work? ›

A service account is a user account that's created explicitly to provide a security context for services that are running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. Windows operating systems rely on services to run various features.

How do I use Google cloud service account? ›

Create a service account
  1. Step 1: Create a project. Go to Google Cloud and sign in as a super administrator. ...
  2. Step 2: Turn on the APIs for the service account. Check the box next to your new project. ...
  3. Step 3: Set up the OAuth consent screen. ...
  4. Step 4: Create the service account.

What are the 3 major services in cloud reference model? ›

The cloud computing reference model is divided into 3 major service models:
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)
6 days ago

What are three 3 factors that must be considered before migrating an application to the cloud? ›

Factors to Consider Before Cloud Migration
  • Migration Architecture. The first step before migrating to the cloud is building a robust migration architecture. ...
  • Cloud Platform Assessment. ...
  • Total Cost. ...
  • Cloud Provider. ...
  • Security.
21 May 2021

Which type of service account has the most privileges? ›

Domain Administrative Accounts have privileged administrative access across all workstations and servers within the domain. While these accounts are few in number, they provide the most extensive and robust access across the network.

Can you generate access keys for service accounts GCP? ›

You can create a service account key using the Google Cloud console, the gcloud CLI, the serviceAccounts. keys. create() method, or one of the client libraries. A service account can have up to 10 keys.

How do you authenticate with a service account in GCP? ›

User accounts
  1. Use the gcloud CLI to set up Application Default Credentials (ADC).
  2. Use the gcloud CLI to generate access tokens.
  3. Use your user credentials to impersonate a service account.
  4. Use your user credentials to log in to the Google Cloud CLI, then use the tool to access Google Cloud services.

How do I authenticate Gcloud with a service account? ›

gcloud auth activate-service-account authorizes access using a service account.
To authorize using a service account:
  1. Go to the Service Accounts page in the Google Cloud console. ...
  2. Choose an existing account or create a new account by clicking Create service account.
  3. To create and download a JSON-formatted key file:

Do service accounts have MFA? ›

Service accounts are non-human privileged accounts used by applications, automated services, and that execute other IT processes. Because these are machine accounts they cannot be protected by MFA.

Which type of account should you use for service accounts? ›

Depending on your use case, you can use a managed service account (MSA), a computer account, or a user account to run a service. You must first test a service to confirm that it can use a managed service account. If the service can use an MSA, you should use one.

Should service accounts be domain users? ›

Service accounts can be privileged local or domain accounts, and in some cases, they may have domain administrative privileges. This high level of privilege facilitates the smooth operation of many IT workflows, but a single service account can easily be referenced in many applications or processes.

How can I improve my account management skills? ›

Here are 10 tips for successful key account management in today's busy business world.
  1. 1) Build Relationships That Acknowledge the Whole. ...
  2. 2) Be an Effective Liaison. ...
  3. 3) Understand Who Your Clients Are. ...
  4. 4) Be Proactive. ...
  5. 5) Be Reliable. ...
  6. 6) Lay out Clear Plans of Action. ...
  7. 7) Look to the Future. ...
  8. 8) Individualize Your Service.

What are the three phases of account planning? ›

Consider following these steps to effectively perform account planning:
  • Research your current accounts. ...
  • Identify your clients' needs. ...
  • Manage your accounts. ...
  • Create a map of relationships. ...
  • Maintain and update your records.

What is a key account manager salary? ›

Key Account Manager salary in India ranges between ₹ 3.1 Lakhs to ₹ 18.3 Lakhs with an average annual salary of ₹ 6.5 Lakhs. Salary estimates are based on 21.5k salaries received from Key Account Managers.

Is a service account a shared account? ›

For purposes of this document a shared account is an account that is used by multiple individuals to access systems or data. A service account is an account that is used by an automated process and is not used in an interactive way by a user.

Is a service account a domain account? ›

A managed service account is a domain account, which must be created by a domain administrator. The advantage of a managed service account over a user domain account is that MSA accounts cannot be used to log into a machine, have rotating passwords that are managed by the domain, and cannot be locked out.

What is difference between domain and service account? ›

It's possible to create a user account for a single service, or to share it across multiple services. However, with domain user accounts, you can only grant the privileges required by the service, and you need to reset passwords regularly.

Can service accounts send emails? ›

No. The Gmail API is for Gmail users and service accounts are just for doing auth to a real Gmail account, they don't have their own Gmail account, etc.

Can service accounts use SSO? ›

Unlike normal users, service accounts cannot authenticate using a password or single sign-on (SSO). There are a variety of authentication methods that service accounts can employ instead, and it's important to use the right one based on your needs.

Are service accounts a security risk? ›

The cybersecurity risks are real

24% of security professionals said service accounts were their most vulnerable targets for attacks by cybercriminals. According to the survey, service accounts are such an attractive target because they can provide: Easily elevated privileges. Access to valuable/sensitive data.

How do you authenticate with a service account? ›

Authenticate with a service account
  1. On the Google Cloud Console, select your project and create a new service account.
  2. Add the Firebase App Distribution Admin role.
  3. Create a private json key and move the key to a location accessible to your build environment.

What are service account keys in GCP? ›

Service accounts allow automated users to prove their identity using a public/private key pair in the form of a JSON file. A service account also has the same ability as users or groups to bind to IAM roles to do things in GCP.

How do I use Gmail API with service account? ›

Enable the GMail API

From the project, click on ENABLE APIS AND SERVICES and search for the Gmail API. Click on ENABLE. You now have the Gmail API enabled for your project. All you need now is to create some credentials for using the API.

What are the 7 R's in cloud transformation? ›

This data must be evaluated against the seven common migration strategies (7 Rs) for moving applications to the AWS Cloud. These strategies are refactor, replatform, repurchase, rehost, relocate, retain, and retire.

What are the 6 most common cloud services? ›

Top 7 Most Common Uses of Cloud Computing
  1. Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) ...
  2. Software-as-a-Service (SaaS) ...
  3. Hybrid cloud and multicloud. ...
  4. Test and development.
  5. Big data analytics.
1 Aug 2022

What are the 5 cloud migration strategies? ›

Cloud Migration Strategies
  • Rehost. Rehosting, or 'lift and shift,' involves using infrastructure-as-a-service (IaaS). ...
  • Refactor. Refactoring, or 'lift, tinker, and shift,' is when you tweak and optimize your applications for the cloud. ...
  • Revise. ...
  • Rebuild. ...
  • Replace.

What are the 3 main phases to a cloud migration? ›

Once the decision has been made that cloud is the best option to solve the business challenges you face (and it may not be), there are three phases of moving to the cloud: planning, mid-shift, and go-live.

What is the best way to manage service accounts? ›

Best practices for working with service accounts
  1. Don't use automatic role grants for default service accounts.
  2. Don't rely on access scopes when attaching a service account to a VM instance.
  3. Avoid using groups for granting service accounts access to resources.
  4. Avoid using domain-wide delegation.

What are the 3 user account types? ›

Standard User accounts are for everyday computing. Administrator accounts provide the most control over a computer, and should only be used when necessary. Guest accounts are intended primarily for people who need temporary use of a computer.

What are the two 2 types of user privileges? ›

System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. Object privileges—An objectprivilege gives a user the ability to perform a particular action on a specific schema object.

Do service account keys expire? ›

Service account keys that you create and download from IAM don't have an expiry date and stay valid until you delete them. You can limit the validity of service account keys by uploading a service account key instead and by specifying a Valid To date in the X. 509 certificate file.

How do I get an API key for my service account? ›

To create your application's API key:
  1. Go to the API Console.
  2. From the projects list, select a project or create a new one.
  3. If the APIs & services page isn't already open, open the left side menu and select APIs & services.
  4. On the left, choose Credentials.
  5. Click Create credentials and then select API key.

How do I grant a role to service account GCP? ›

Grant a single role
  1. In the Google Cloud console, go to the IAM page. Go to IAM.
  2. Select a project, folder, or organization.
  3. Select a principal to grant a role to: ...
  4. Select a role to grant from the drop-down list. ...
  5. Optional: Add a condition to the role.
  6. Click Save.

How can I get bearer token from service account? ›

To obtain a Bearer token with your service account, follow these steps:
  1. Install the gcloud command line tool.
  2. Authenticate to your service account. ...
  3. Use your service account to obtain an authorization token: gcloud auth print-access-token.
30 Aug 2019

How do I check my GCP service account permissions? ›

Using GCP Console

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam. 04 In the navigation panel, select IAM. 05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts created for the selected GCP project.

How do I find my GCP service account key file? ›

The service account key JSON file is automatically downloaded to your local machine.
  1. Login to GCP Home Page.
  2. Create the service account.
  3. Grant the service account access to project.
  4. Select the newly created service account.
  5. Create key for the service account.
  6. Generate the service account JSON key and download.

What is service account impersonation? ›

From what I understand and experience, the concept of service account impersonation is to allow a user to that specific service account with specific roles and access to the resource. Benefits of service account impersonation are: limit user account permission. reduce the risk of service account keys.

How do I create a service account in organization of GCP? ›

Follow these steps to manually create a Service Account:
  1. Log in to the GCP Console.
  2. Navigate to IAM & Admin page, then click Service Accounts > + Create Service Account.
  3. In the Service account details step, enter values in the fields, then click Create and Continue.
  4. Skip the optional sections and click Done.

How do I create a GCP service account? ›

  1. In the Google Cloud console, go to the Create service account page. ...
  2. Select a Cloud project.
  3. Enter a service account name to display in the Google Cloud console. ...
  4. Optional: Enter a description of the service account.
  5. If you do not want to set access controls now, click Done to finish creating the service account.

How do I manage my Ad services account? ›

Active Directory Service Accounts Best Practices
  1. Keep access limited. ...
  2. Create service accounts from scratch. ...
  3. Don't put service accounts in built-in privileged groups. ...
  4. Disallow service account access to important objects. ...
  5. Remove unnecessary rights. ...
  6. Set access by using the “Log On To” feature. ...
  7. Limit time frames.
4 Nov 2019

How do you manage service business? ›

Key management strategies for service business
  1. Know who your customers are: ...
  2. Treat customers well: ...
  3. Fulfill your commitments with customers: ...
  4. Maintain confidentiality: ...
  5. Be open to your customers: ...
  6. Protect the interest of your business and customers: ...
  7. Know your capacity: ...
  8. It is OK to say “No”:
27 Jul 2022

How do you implement service accounts? ›

Create your service account
  1. Sign in to the Google API Console.
  2. Open the Credentials page. ...
  3. Click Create credentials > Service account key.
  4. From the dropdown menu, select New service account. ...
  5. Select your preferred key type and click Create. ...
  6. Open the IAM page. ...
  7. Click Add.

Can service accounts be logged into? ›

The major concern is that the service account is anonymous and can be used anywhere on the network. Essentially, the credentials used to log into the service account are available to multiple people, and they can make any kind of configuration or manipulation to your AD domain without accountability.

What is the difference between service account and managed service account? ›

Managed Service Accounts are more secure then ordinary service accounts. Ordinary service accounts are normal user accounts with complex passwords used for running various server services. Managed Service Accounts are different. They can only created with PowerShell.

What are the 3 most important things in customer service? ›

Essentially, the 3 important qualities of customer service center around three “p”s: professionalism, patience, and a “people-first” attitude. Although customer service varies from customer to customer, as long as you're following these guidelines, you're on the right track.

What are the 4 key characteristics of service businesses? ›

There are four characteristics of service: Intangibility, Inseparability, Variability, and Perishability (Kotler and Keller, 2007).

Is a service account an admin account? ›

Service Accounts can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges depending on the requirements of the application they are being used for.

Top Articles
Latest Posts
Article information

Author: Horacio Brakus JD

Last Updated:

Views: 5468

Rating: 4 / 5 (71 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Horacio Brakus JD

Birthday: 1999-08-21

Address: Apt. 524 43384 Minnie Prairie, South Edda, MA 62804

Phone: +5931039998219

Job: Sales Strategist

Hobby: Sculling, Kitesurfing, Orienteering, Painting, Computer programming, Creative writing, Scuba diving

Introduction: My name is Horacio Brakus JD, I am a lively, splendid, jolly, vivacious, vast, cheerful, agreeable person who loves writing and wants to share my knowledge and understanding with you.