Service accounts are special accounts that applications and servers can use to access your Google Cloud Platform resources. You can use them to manage access in your account and for external applications.
For example, if you need to give an app permission to write to a Cloud Storage bucket, you can create a service account, give that account permission to write to the bucket, and then authenticate with the private key for that service account. If the app you
Create a service account
Go to the IAM & Admin Console and click on “Service Users” in the sidebar. From here you can create a new service account or manage existing ones.
Give the service account a name. The service account uses the project-id.iam.gserviceaccount.com domain for its e-mail address and behaves like a normal user when permissions are assigned. Click on “Create”.
If you want to assign project-wide permissions that apply to every affected resource, you can do so in the next screen. For example, you can use Viewer to give the account read permissions on a project-wide basis, or grant it access to a specific service such as Compute Engine.
On the next screen, you can give existing users access to use or manage the service account.
To grant more granular permissions, you can add the service account to the individual resources that need to be accessed, for example to specific Compute Engine instances, by adding the account as a new member in the settings for the specified resource. This allows you to grant access to specific resources rather than project-wide permissions.
Use the service account
If you use the service account internally for other Google Cloud Platform services, you will often be given the option to select it. For example, for Compute Engine, under the instance settings, you can specify the service account used by the instance, which is then used by default for all CLI requests made by the instance.
If you want to authenticate a service that is not running on Compute Engine or if you do not want to set the service account for the entire instance, you need to create an access key for the service account. You can do this through the service account settings in the IAM console. Click Generate Key and you will be given the option to download a JSON key for the service account.
You can then pass that key to the API, usually by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable. These credentials contain the email address and service account ID and are all you need to connect your application to GCP.
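Because the downloaded JSON key is all an application needs to act as the service account, it is worth checking the file before pointing GOOGLE_APPLICATION_CREDENTIALS at it. The following Python is an added example, not code from the original article or from Google: the function names check_key_file, use_key and write_sample_key are hypothetical, the sample key is constructed with fake values, and the permission check assumes POSIX file modes.

```python
import json
import os
import stat

# Fields present in a downloaded service account JSON key.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def check_key_file(path):
    """Return a list of problems found in a service account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # POSIX only: any group/other permission bit set
        problems.append(f"file mode {mode:o} exposes the private key to other users")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        return problems + [f"missing fields: {', '.join(missing)}"]
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    # User-created accounts use the project-id.iam.gserviceaccount.com domain.
    suffix = f"@{key['project_id']}.iam.gserviceaccount.com"
    if not str(key["client_email"]).endswith(suffix):
        problems.append(f"client_email does not end with {suffix}")
    return problems

def use_key(path, env=os.environ):
    """Set GOOGLE_APPLICATION_CREDENTIALS only if the key file passes the checks."""
    problems = check_key_file(path)
    if problems:
        raise ValueError("; ".join(problems))
    env["GOOGLE_APPLICATION_CREDENTIALS"] = os.path.abspath(path)
    return env["GOOGLE_APPLICATION_CREDENTIALS"]

def write_sample_key(directory, mode=0o600, **overrides):
    """Write a constructed key file (fake values, no real private key)."""
    key = {"type": "service_account", "project_id": "example-project",
           "private_key_id": "0" * 40, "private_key": "CONSTRUCTED-NOT-A-REAL-KEY",
           "client_email": "bucket-writer@example-project.iam.gserviceaccount.com"}
    key.update(overrides)
    path = os.path.join(directory, "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path
```

Calling use_key on a real downloaded key raises ValueError with the list of problems instead of exporting the variable, so a world-readable or mismatched key is caught before the application starts.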