Service accounts  |  Compute Engine Documentation  |  Google Cloud (2024)

This page describes how service accounts work with Compute Engine.

For step-by-step information about attaching a service account to a virtual machine (VM) instance, review one of the following documents:

  • To set up a service account during VM creation, see Create a VM that uses a user-managed service account.
  • To set up a service account on an existing VM, see Change the attached service account.

To learn about best practices for creating and managing service accounts, read the Best practices for working with service accounts documentation.

What is a service account?

A service account is a special kind of account used by an application or compute workload, rather than a person. Service accounts are managed by Identity and Access Management (IAM).

Keep the following in mind when using service accounts with your VMs:

  • You can attach the same service account to multiple VMs, but a single VM can only have one service account attached to it.
  • If you attach the same service account to multiple VMs, any subsequent changes you make to the service account affect all VMs that use the service account. This includes any changes you make to the IAM roles granted to the service account. For example, if you remove a role, all VMs using the service account lose the permissions granted by that role.

How Compute Engine uses service accounts

Compute Engine uses two types of service accounts:

  • User-managed service accounts
  • Service agents

A user-managed service account can be attached to a Compute Engine instance to provide credentials to applications running on the instance. These credentials are used by the application for authentication to Google Cloud APIs, and authorization to access Google Cloud resources. Only user-managed service accounts can be attached to an instance, and an instance can have only one attached service account. You can set the attached service account when you create the instance, or change it later.

Service agents are used by the instance to access internal processes on your behalf.

In addition, you can create firewall rules that allow or deny traffic to and from instances based on the service account that you associate with each instance.

How authorization is determined

The authorization provided to applications hosted on a Compute Engine instance is limited by two separate configurations: the roles granted to the attached service account, and the access scopes that you set on the instance. Both of these configurations must allow access before the application running on the instance can access a resource.

Suppose you have an app that reads and writes files on Cloud Storage. It must first authenticate to the Cloud Storage API. You can create an instance with the cloud-platform scope and attach a service account to the instance. You can then grant Identity and Access Management (IAM) roles to the service account to give your app access to the appropriate resources. Your app uses the service account credentials to authenticate to the Cloud Storage API without embedding any secret keys or user credentials in your instance, image, or app code. Your app also uses the authorization provided by the IAM roles on the service account to access resources. For more information about authorization, see Authorization on this page.
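The following Python script is an added example and is not part of the Google Cloud documentation. It shows how an app on a VM can verify at startup that it is running as the intended service account with sufficient scopes, by reading the service account's email, the instance access scopes and a short-lived access token from the instance metadata server (the `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/` endpoints with the required `Metadata-Flavor: Google` header, which is the same interface Application Default Credentials uses on Compute Engine). The sample responses at the bottom are constructed so the checks run offline, and the service account email `app-sa@my-project.iam.gserviceaccount.com` is a placeholder.

```python
"""Startup self-check for an app running on a Compute Engine VM.

Added example. Reads the attached service account's email, the instance
access scopes and an access token from the metadata server, and reports
configuration problems (running as the default service account, missing
scopes) before the app makes its first API call. The endpoints and the
Metadata-Flavor header are the real metadata server interface; the sample
responses under __main__ are constructed for offline use.
"""
import json
import urllib.request

METADATA_BASE = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/")
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def fetch_metadata(path: str, timeout: float = 2.0) -> str:
    """GET a metadata path. The Metadata-Flavor header is mandatory; the
    server rejects requests that lack it, which stops forged requests from
    browsers or naive proxies from reading credentials."""
    req = urllib.request.Request(METADATA_BASE + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_scopes(scopes_text: str) -> set:
    """The /scopes endpoint returns one scope URL per line."""
    return {line.strip() for line in scopes_text.splitlines() if line.strip()}


def scopes_allow(instance_scopes: set, needed: set) -> bool:
    """cloud-platform covers Google Cloud services, so it satisfies any
    Google Cloud scope the app needs; otherwise every needed scope must be
    present on the instance."""
    if CLOUD_PLATFORM in instance_scopes:
        return True
    return needed <= instance_scopes


def parse_token(token_json: str) -> dict:
    """The /token endpoint returns access_token, expires_in and token_type.
    The token is short-lived and rotated by the metadata server; never write
    it to disk or logs. Only the remaining lifetime is returned here."""
    tok = json.loads(token_json)
    if tok.get("token_type") != "Bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    return {"expires_in": int(tok["expires_in"])}


def check_identity(email: str, scopes_text: str, needed: set,
                   forbid_default: bool = True) -> list:
    """Return a list of problems; an empty list means the VM is configured
    as the app expects. The default service account is recognised by its
    PROJECT_NUMBER-compute@developer.gserviceaccount.com address."""
    problems = []
    if forbid_default and email.endswith("-compute@developer.gserviceaccount.com"):
        problems.append(f"running as the Compute Engine default service account {email}")
    scopes = parse_scopes(scopes_text)
    if not scopes_allow(scopes, needed):
        problems.append(f"instance scopes {sorted(scopes)} do not cover {sorted(needed)}")
    return problems


if __name__ == "__main__":
    # On a real VM: email = fetch_metadata("email"); scopes = fetch_metadata("scopes");
    # ttl = parse_token(fetch_metadata("token"))["expires_in"].
    # Constructed sample responses in the shape the metadata server returns:
    SAMPLE_EMAIL = "app-sa@my-project.iam.gserviceaccount.com"   # placeholder
    SAMPLE_SCOPES = ("https://www.googleapis.com/auth/devstorage.read_only\n"
                     "https://www.googleapis.com/auth/logging.write\n")
    needed = {"https://www.googleapis.com/auth/devstorage.read_write"}
    for problem in check_identity(SAMPLE_EMAIL, SAMPLE_SCOPES, needed):
        print("config problem:", problem)
```

Run it once on the VM after attaching a new service account or changing scopes; a VM created with the default scopes (Cloud Storage read-only among them) fails the check above because the app declares that it needs write access.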

User-managed service accounts

User-managed service accounts include new service accounts that you explicitly create and the Compute Engine default service account.

New service accounts

You can create and manage your own service accounts using IAM. After you create an account, you grant the account IAM roles and set up instances to run as the service account. Apps running on instances with the service account attached can use the account's credentials to make requests to other Google APIs.

To create and set up a new service account, see Create a VM that uses a user-managed service account.

Compute Engine default service account

New projects that have enabled the Compute Engine API have a Compute Engine default service account, which has the following email:

PROJECT_NUMBER-compute@developer.gserviceaccount.com

The Compute Engine default service account has the followingattributes:

  • Automatically created, with an autogenerated name and email address, and added to your project when you enable the Compute Engine API. You have full control over the account.
  • Attached by default to all VMs that you create by using the Google Cloud CLI or the Google Cloud console. You can override this behavior by specifying a different service account when you create the VM, or by explicitly specifying that no service account be attached to the VM.
  • Depending on your organization policy configuration, the default service account might automatically be granted the Editor role on your project. We strongly recommend that you disable the automatic role grant by enforcing the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint. If you created your organization after May 3, 2024, this constraint is enforced by default.

    If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.

    If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles. To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.

You can disable or delete this service account from your project, but doing so might cause any applications that depend on the service account's credentials to fail. If you accidentally delete the Compute Engine default service account, you can try to recover the account within 30 days. For more information, see Delete and undelete service accounts.

If the Compute Engine default service account was deleted more than 30 days ago, you can try to recover the service account by following the process in Troubleshooting default service accounts.
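The following Python script is an added example, not from the Google Cloud documentation. It audits a project's IAM policy (the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`) for basic roles held by the Compute Engine default service account, which is the condition the section above recommends fixing. The policy below is constructed; the project number 123456789012 and the account `app-sa@my-project.iam.gserviceaccount.com` are placeholders. The Google APIs Service Agent (`PROJECT_NUMBER@cloudservices.gserviceaccount.com`) also holds Editor in the sample and is deliberately not flagged, because the Service agents section explains that its roles should be left alone.

```python
"""Audit a project IAM policy for the Compute Engine default service account.

Added example. Input is the policy JSON that `gcloud projects get-iam-policy`
prints: a "bindings" list of {role, members[, condition]}. Reports any basic
role (owner/editor/viewer) bound to PROJECT_NUMBER-compute@developer.gserviceaccount.com.
The sample policy is constructed; 123456789012 is a placeholder project number.
"""
import json
import re

DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:(\d+)-compute@developer\.gserviceaccount\.com$")
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def default_sa_bindings(policy: dict) -> list:
    """Return (member, role, conditional) for every binding that names a
    Compute Engine default service account. Conditional bindings are
    reported too, since a condition narrows but does not remove the grant."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if DEFAULT_COMPUTE_SA.match(member):
                found.append((member, binding["role"], "condition" in binding))
    return found


def audit_default_sa(policy: dict) -> list:
    """Findings worth acting on: any basic role on the default service
    account. The page's recommendation is to replace roles/editor with less
    permissive roles after checking the change with Policy Simulator.
    The Google APIs Service Agent (PROJECT_NUMBER@cloudservices...) is not
    matched on purpose: managed instance groups and autoscaling depend on
    its Editor grant."""
    findings = []
    for member, role, conditional in default_sa_bindings(policy):
        if role in BASIC_ROLES:
            findings.append(f"{member} holds basic role {role}"
                            + (" (conditional)" if conditional else ""))
    return findings


# Constructed sample in the shape gcloud prints, with the Editor grant that
# the iam.automaticIamGrantsForDefaultServiceAccounts constraint prevents
# on new projects.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
    {"role": "roles/compute.serviceAgent",
     "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app-sa@my-project.iam.gserviceaccount.com"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    for finding in audit_default_sa(SAMPLE_POLICY):
        print(finding)
```

Pipe a real policy in with `json.load(sys.stdin)` in place of `SAMPLE_POLICY` to run it against a project; a clean project returns no findings.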

Service agents

Service agents are created and managed by Google Cloud and assigned to your project automatically. These accounts represent different Google Cloud services, and each account typically has some level of access to your Google Cloud resources.

You cannot attach service agents to a Compute Engine instance.

Google APIs Service Agent

Apart from the default service account, all projects enabled with Compute Engine come with a Google APIs Service Agent, identifiable using the email:

PROJECT_NUMBER@cloudservices.gserviceaccount.com

This service agent is designed specifically to run internal Google processes on your behalf. This service agent is owned by Google and is not listed in the Service Accounts section of the Google Cloud console. By default, this service agent is automatically granted the project Editor role and is listed in the IAM section of the Google Cloud console. This service agent is only deleted when the project is deleted. However, you can change the roles granted to this account, including revoking all access to your project.

Certain resources rely on the default Editor permissions granted to this service agent. For example, managed instance groups and autoscaling use the credentials of this service agent to create, delete, and manage instances. If you revoke permissions from this service agent, or modify its permissions so that it can no longer create instances, managed instance groups and autoscaling stop working.

For these reasons, you should not modify this service agent's roles unless a role recommendation explicitly suggests that you modify them.

Compute Engine Service Agent

All projects that have enabled the Compute Engine API have a Compute Engine Service Agent, which has the following email:

service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com

This service agent is designed specifically for Compute Engine to perform its service duties on your project. It relies on the Service Agent IAM Policy granted on your Google Cloud project. It is also the service agent Compute Engine uses to access the user-managed service account on VM instances. Google owns this account, but it is specific to your project. This service agent is hidden from the IAM page in the console unless you select Include Google-provided role grants. By default, this service agent is automatically granted the compute.serviceAgent role on your project.

This service agent is deleted only when you delete your project. You can change the roles granted to this service agent and revoke all access to your project from this agent. Revoking or changing the permissions for this service agent prevents Compute Engine from accessing the identities of your service accounts on your VMs, and can cause outages of software running inside your VMs.

For these reasons, you should avoid modifying the roles for this service agent as much as possible.

Attaching a service account to an instance

To avoid providing an application with excess permissions, we recommend that you create a user-managed service account, grant it only the roles your application needs to function properly, and attach it to your Compute Engine instance. Your code can then use Application Default Credentials to authenticate with the credentials provided by the service account.

You can attach a service account to a Compute Engine instance when you create the instance, or later. Only one service account can be attached to an instance at a time; if you attach a service account to an instance that already has a service account attached, the previous service account is no longer used by that instance.

When you attach a service account to a Compute Engine instance, you must also ensure that the scopes set on the instance are correct. Otherwise, your app might not be able to access all of the APIs it needs. For more information, see Access scopes on this page.

For step-by-step information about attaching a service account to a Compute Engine instance, review one of the following documents:

  • Create a VM that uses a user-managed service account
  • Change the attached service account

Authorization

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no resources can be accessed using the service account on that instance.

Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud CLI and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth. However, they don't extend to other authentication protocols like gRPC.

The best practice is to set the full cloud-platform access scope on the instance, then control the service account's access using IAM roles.

Essentially:

  • IAM restricts access to APIs based on the IAM roles that are granted to the service account.
  • Access scopes potentially further limit access to API methods.

Both access scopes and IAM roles are described in detail in the following sections.

IAM roles

You must grant the appropriate IAM roles to a service account to allow that service account access to relevant API methods.

For example, you can grant a service account the IAM roles for managing Cloud Storage objects, or for managing Cloud Storage buckets, or both, which limits the account to the permissions granted by those roles.

When you grant an IAM role to a service account, any application running on an instance that has that service account attached will have the authorization conferred by that role.

Some things to keep in mind:

  • Some IAM roles are in Beta.

    If there isn't a predefined role for the access level you want, you can create and grant custom roles.

  • You must set access scopes on the instance to authorize access.

    While a service account's access level is determined by the roles granted to the service account, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud CLI and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth.

Access scopes

Access scopes are the legacy method of specifying authorization for your VM instance. They define the default OAuth scopes used in requests from the gcloud CLI or the client libraries. Access scopes don't apply to calls made using gRPC.

Access scopes apply on a per-VM basis and persist only for the life of the VM. You can set access scopes when creating a VM or update the access scopes on an existing VM.

Generally, the documentation for each API method lists the scopes required for that method. For example, the instances.insert method provides a list of valid scopes in its authorization section.

Access scopes have no effect if you have not enabled the related API on the project that the service account belongs to. For example, granting an access scope for Cloud Storage on a virtual machine instance allows the instance to call the Cloud Storage API only if you have enabled the Cloud Storage API on the project.

Default scopes

When you create a new Compute Engine instance, it is automatically configured with the following access scopes:

  • Read-only access to Cloud Storage:
    https://www.googleapis.com/auth/devstorage.read_only
  • Write access to Compute Engine logs:
    https://www.googleapis.com/auth/logging.write
  • Write access to publish metric data to your Google Cloud projects:
    https://www.googleapis.com/auth/monitoring.write
  • Read-only access to Service Management features required for Google Cloud Endpoints (Alpha):
    https://www.googleapis.com/auth/service.management.readonly
  • Read or write access to Service Control features required for Google Cloud Endpoints (Alpha):
    https://www.googleapis.com/auth/servicecontrol
  • Write access to Cloud Trace, which allows an application running on a VM to write trace data to a project:
    https://www.googleapis.com/auth/trace.append

Scopes best practice

There are many access scopes available to choose from, but a best practice is to set the cloud-platform access scope, which is an OAuth scope for Google Cloud services, and then control the service account's access by granting it IAM roles.

https://www.googleapis.com/auth/cloud-platform

Scopes examples

Following the scopes best practice, if you enabled the cloud-platform access scope on an instance and then granted the following predefined IAM roles:

  • roles/compute.instanceAdmin.v1
  • roles/storage.objectViewer
  • roles/compute.networkAdmin

Then the service account has only the permissions included in those three roles. Applications running as that service account cannot perform actions outside of these roles, despite the broad cloud-platform access scope.

On the other hand, if you set a more restrictive scope on the instance, like the Cloud Storage read-only scope (https://www.googleapis.com/auth/devstorage.read_only), and grant the roles/storage.objectAdmin role to the service account, then by default, requests from the gcloud CLI and the client libraries wouldn't be able to manage Cloud Storage objects from that instance, even though you granted the service account the roles/storage.objectAdmin role. This is because the Cloud Storage read-only scope does not authorize the instance to manipulate Cloud Storage data.
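The following Python model is an added example and is not code from the Google Cloud documentation. It implements the two-gate decision described under How authorization is determined and Authorization, and reproduces both scope examples above: cloud-platform plus roles/storage.objectViewer, and devstorage.read_only plus roles/storage.objectAdmin. The role-to-permission and method-to-scope tables are small constructed excerpts built from the roles and scopes named on this page, not the full Google Cloud catalog, and the `via_grpc` flag models the page's statement that scopes apply only to OAuth-authenticated requests.

```python
"""Two-gate authorization model for requests made from a Compute Engine VM.

Added example. A request succeeds only if (1) the IAM roles granted to the
attached service account include the permission the API method checks, and
(2) the instance access scopes include a scope the method accepts. The
tables are constructed excerpts of the real catalog, limited to the roles
and scopes named on this page.
"""

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
STORAGE_RO = "https://www.googleapis.com/auth/devstorage.read_only"
STORAGE_RW = "https://www.googleapis.com/auth/devstorage.read_write"
STORAGE_FULL = "https://www.googleapis.com/auth/devstorage.full_control"
COMPUTE = "https://www.googleapis.com/auth/compute"

# Excerpt of predefined roles -> permissions (constructed).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get",
                                       "compute.instances.insert"},
}

# Excerpt of API methods -> (permission IAM checks, scopes the method's
# authorization section accepts). Constructed.
METHODS = {
    "storage.objects.get": ("storage.objects.get",
                            {CLOUD_PLATFORM, STORAGE_RO, STORAGE_RW, STORAGE_FULL}),
    "storage.objects.insert": ("storage.objects.create",
                               {CLOUD_PLATFORM, STORAGE_RW, STORAGE_FULL}),
    "compute.instances.insert": ("compute.instances.insert",
                                 {CLOUD_PLATFORM, COMPUTE}),
}


def permissions_of(roles):
    """Union of the permissions carried by the granted roles; unknown roles
    contribute nothing, mirroring IAM denying by default."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def authorize(method, sa_roles, instance_scopes, via_grpc=False):
    """Return (allowed, reason). The first failing gate is named so an
    operator knows whether to fix the service account's roles or the
    instance's scopes. The page states that scopes do not apply to gRPC,
    so via_grpc=True skips the scope gate; IAM still applies."""
    permission, accepted_scopes = METHODS[method]
    if permission not in permissions_of(sa_roles):
        return False, f"IAM: service account lacks {permission}"
    if not via_grpc and not (set(instance_scopes) & accepted_scopes):
        return False, "scope: instance scopes do not include any of " \
                      f"{sorted(accepted_scopes)}"
    return True, "allowed"


if __name__ == "__main__":
    cases = [
        # Best practice: broad scope, narrow role. Reads work, writes are
        # stopped by IAM, not by the scope.
        ("storage.objects.get", {"roles/storage.objectViewer"}, {CLOUD_PLATFORM}),
        ("storage.objects.insert", {"roles/storage.objectViewer"}, {CLOUD_PLATFORM}),
        # Default-scope VM with a powerful role: the read-only scope blocks
        # the write even though objectAdmin would allow it.
        ("storage.objects.insert", {"roles/storage.objectAdmin"}, {STORAGE_RO}),
        ("storage.objects.get", {"roles/storage.objectAdmin"}, {STORAGE_RO}),
    ]
    for method, roles, scopes in cases:
        print(method, sorted(roles), "->", authorize(method, roles, scopes))
```

The lesson the model makes concrete is the page's best practice: with cloud-platform on the instance, the IAM roles alone decide what the app can do, so least privilege is enforced in one place (the service account's role bindings) instead of being split between roles and per-VM scopes that persist only for the life of the VM.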

Example access scopes include the following:

  • https://www.googleapis.com/auth/cloud-platform. View and manage your data across Google Cloud services in the specified Google Cloud project.
  • https://www.googleapis.com/auth/compute. Full control access to Compute Engine methods.
  • https://www.googleapis.com/auth/compute.readonly. Read-only access to Compute Engine methods.
  • https://www.googleapis.com/auth/devstorage.read_only. Read-only access to Cloud Storage.
  • https://www.googleapis.com/auth/logging.write. Write access to the Compute Engine logs.

What's next

  • Authenticate workloads using service accounts.
  • Learn more about creating and managing service accounts.
  • Learn more about IAM.
  • Learn about other Compute Engine access control options.
  • Learn how to view audit logs to monitor how your Compute Engine resources are modified.
  • If you need to use a service account from a different project, read about configuring service accounts for a resource in a different project.