Service Accounts

Service accounts are special identities designed for applications, VMs, containers, and automated processes — not for humans. They are one of the most important and most frequently misconfigured aspects of GCP IAM.

What Is a Service Account?

A service account is:

An identity (email address) that represents a workload, not a person
Used to authenticate applications to GCP APIs
Managed at the project level
Can have IAM roles granted to it (like a user)
Can also have IAM policies on it (controlling who can use it)

Format: <name>@<project-id>.iam.gserviceaccount.com
Example: api-backend@my-project.iam.gserviceaccount.com

Types of Service Accounts

Type	Created By	Example	Can Delete?
User-managed	You	`my-sa@proj.iam.gserviceaccount.com`	Yes
Default	GCP (when APIs are enabled)	`PROJECT_NUMBER-compute@developer.gserviceaccount.com`	Yes (but not recommended)
Google-managed	Google (internal)	`*@cloudservices.gserviceaccount.com`	No

Default Service Accounts

When you enable the Compute Engine API, GCP creates a default compute service account:

<PROJECT_NUMBER>-compute@developer.gserviceaccount.com

Important: The default compute service account has the roles/editor basic role. This is far too broad for production. Best practice is to:

Service Accounts

Service Accounts

What Is a Service Account?

Types of Service Accounts

Default Service Accounts

More in Cloud