What are service accounts in Google Cloud?

As a GCP user, you need an email account that authenticates and authorizes you to access the various services across GCP. Similarly, non-human users get a distinct type of Google account called a service account.

What is a non-human account, and why is it used?

Humans use their accounts and authenticate with their credentials. Credentials can be:

  • Username and password.
  • An OAuth token that is allotted through an interactive web session.

This process is entirely dependent on the lifecycle of the user account: the credentials remain valid only as long as the user account is valid in the system. For example, suppose you have automation jobs or an application that needs programmatic access to a service in GCP. If those jobs run under a user's account and that user leaves the organization, all of the processes stop, because the account becomes invalid. For such tasks, we use a service account.

This account can be used for a specific task, or by applications built on top of GCP, for authentication and authorization. The credentials used by a service account take the form of keys, which you can rotate easily. It is much easier to rotate keys belonging to a machine than to convince a user to rotate their credentials. Thus, service accounts help us achieve better security with GCP services.

A service account's email address always ends with the suffix gserviceaccount.com. There are primarily three types of service accounts.

User-managed service account

As the name suggests, users create these accounts. By default, a user can create 100 service accounts. If this doesn’t serve the user’s needs, they can request an increase in the quota. The user also specifies the name as they create the account, which follows the structure below:

service_account_name@project-id.iam.gserviceaccount.com

Google-managed service accounts

Some services require access to your resources in order to act on your behalf. For example, when you use Cloud Run to run a container, the service needs access to any Pub/Sub topics that can trigger the container. To satisfy these needs, we have Google-managed service accounts, which have the following structure:

project_number@cloudservices.gserviceaccount.com

Default service accounts

When you use or enable a Google Cloud service, default service accounts are created. If an application runs in a Google Cloud environment, it can use these service accounts to access other resources. Alternatively, you can create a user-managed service account for this purpose. The services below create a default service account:

  1. App Engine, and any Google Cloud service that uses App Engine: project_id@appspot.gserviceaccount.com

  2. Compute Engine and any Google Cloud service that uses Compute Engine: project_number-compute@developer.gserviceaccount.com
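As an added example (not code from the original article), the helper below takes an IAM policy in the shape that `gcloud projects get-iam-policy --format=json` returns and tags every service-account member with one of the three types described above, using the email patterns given on this page; that makes grants to default and Google-managed accounts easy to spot in a review. The project-ID character rules in the regexes and the sample policy are assumptions constructed for the example.

```python
import re
from typing import Optional

SA_SUFFIX = "gserviceaccount.com"  # every service account ends with this suffix
# Assumed shapes: project IDs are lowercase letters, digits and hyphens (6-30 chars);
# project numbers are digits only.
_PID = r"[a-z][a-z0-9-]{4,28}[a-z0-9]"
_PNUM = r"\d+"

# Email shapes for the account types described above, in match order.
SA_PATTERNS = [
    ("user-managed",      re.compile(rf"^{_PID}@({_PID})\.iam\.{re.escape(SA_SUFFIX)}$")),
    ("google-managed",    re.compile(rf"^({_PNUM})@cloudservices\.{re.escape(SA_SUFFIX)}$")),
    ("default-appengine", re.compile(rf"^({_PID})@appspot\.{re.escape(SA_SUFFIX)}$")),
    ("default-compute",   re.compile(rf"^({_PNUM})-compute@developer\.{re.escape(SA_SUFFIX)}$")),
]


def classify_service_account(email: str) -> Optional[tuple]:
    """Return (kind, project) for a service-account email, or None if the suffix is wrong."""
    email = email.strip().lower()
    if not email.endswith("." + SA_SUFFIX):
        return None
    for kind, pattern in SA_PATTERNS:
        match = pattern.match(email)
        if match:
            return kind, match.group(1)
    return "unknown", None  # right suffix, but not one of the shapes listed above


def audit_policy(policy: dict) -> list:
    """Tag each serviceAccount: member in an IAM policy with its type and project."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # users and groups are out of scope here
            email = member.split(":", 1)[1]
            kind, project = classify_service_account(email) or ("not-a-service-account", None)
            findings.append({"member": member, "role": binding["role"],
                             "kind": kind, "project": project})
    return findings


# Constructed sample policy, not taken from a real project.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "serviceAccount:123456789012@cloudservices.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": [
        "serviceAccount:ci-deployer@my-demo-project.iam.gserviceaccount.com",
        "serviceAccount:my-demo-project@appspot.gserviceaccount.com"]},
]}
```

Running `audit_policy(SAMPLE_POLICY)` yields one finding per service-account member, so the two default accounts and the Google-managed account holding roles/editor are immediately visible.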