
How to create and use service accounts in Google Cloud Platform – CloudSavvy IT



Google cloud platform

Service accounts are special accounts that applications and servers can use to give them access to your Google Cloud Platform resources. You can use them to manage access in your account and for external applications.

For example, if you need to give an app permission to write to a Cloud Storage bucket, you can create a service account, give that account permission to write to the bucket, and then authenticate the app with the private key for that service account. If the app you're authenticating runs on Compute Engine, you can instead set a service account for the entire instance, which by default applies to all gcloud and API requests made from that instance.

Create a service account

Go to the IAM & Admin console and click “Service Accounts” in the sidebar. From here you can create a new service account or manage existing ones.

Create a new service account

Give the service account a name. The service account gets an e-mail address on the project-id.iam.gserviceaccount.com domain and behaves like a normal user when you assign permissions. Click “Create”.

Specify a name for the service account

If you want to assign project-wide permissions that apply to every resource in the project, you can do so on the next screen. For example, you can use the Viewer role to give the account read permission across the whole project, or grant it access to a specific service such as Compute Engine.

Add roles for service account

On the next screen, you can give existing users access to use or manage the service account.

Set administrators for the service account

To grant more granular permissions, add the service account to the individual resources that need to be accessed, for example specific Compute Engine instances, by adding the account as a new member in that resource's settings. This lets you grant access to specific resources rather than project-wide permissions.

Use the service account

If you use the service account with other Google Cloud Platform services, you will often be given the option to select it directly. For example, for Compute Engine, the instance settings let you specify the service account used by the instance, which is then used by default for all CLI and API requests made from that instance.

If you want to authenticate a service that is not running on Compute Engine or if you do not want to set the service account for the entire instance, you need to create an access key for the service account. You can do this through the service account settings in the IAM console. Click Generate Key and you will be given the option to download a JSON key for the service account.

create new key

You can then pass that key to the API, usually by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON file. The file contains the service account's e-mail address, key ID and private key, and is all your application needs to connect to GCP.
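As an added example (not from the original article), a small Python loader that does what a client library does with GOOGLE_APPLICATION_CREDENTIALS: it reads the downloaded JSON key, checks that it really is a service account key, and refuses a key file that other users on the host can read, since anyone holding the file can act as the service account. The key contents, account name and project ID are constructed placeholders, and the permission check assumes a POSIX host.

```python
import json
import os
import stat
import tempfile

# Constructed sample of the JSON key the IAM console lets you download.
# The private key is a placeholder, not real key material.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "my-app@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

def load_service_account_key(path=None):
    """Resolve the key file (argument or GOOGLE_APPLICATION_CREDENTIALS),
    validate it and return the identity it grants."""
    path = path or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        raise RuntimeError("GOOGLE_APPLICATION_CREDENTIALS is not set")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRGRP | stat.S_IROTH):
        raise PermissionError(f"{path} is readable by other users (mode {oct(mode)})")
    with open(path) as f:
        key = json.load(f)
    missing = [k for k in REQUIRED if k not in key]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a service account key, missing fields: {missing}")
    if not key["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError("client_email is not a service account address")
    return {"email": key["client_email"], "key_id": key["private_key_id"],
            "project": key["project_id"]}

def demo():
    """Write the constructed key with owner-only permissions, load it through
    the env var, then show that a world-readable copy is rejected."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sa-key.json")
        with open(path, "w") as f:
            json.dump(SAMPLE_KEY, f)
        os.chmod(path, 0o600)
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = path
        identity = load_service_account_key()
        os.chmod(path, 0o644)  # simulate a carelessly copied key file
        try:
            load_service_account_key(path)
            rejected = False
        except PermissionError:
            rejected = True
        return identity, rejected

if __name__ == "__main__":
    print(demo())
```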

