When you interact with your Google Cloud services via the console, you use your user account, which is connected to your Google workspace domain.
By default, your user account has full permissions, so you can do anything possible on your GCP project with that account.
When interacting with cloud services via applications, you should not use your user account. Rather, create a service account and interact via the service account.
In this article, we will learn about service accounts, and how to create and manage one.
A service account is a special kind of account used by an application, rather than a person. It is identified by a unique email address.
For example, a service account can be attached to your local machine or even a virtual machine, and all applications running on it are authenticated to interact with the cloud services via the service account.
There are two types of service accounts:
- User-managed service accounts: These are created using any of the IAM API, the Google Cloud console, or the Google Cloud CLI. Users are responsible for managing these service accounts.
- Default service accounts: These are user-managed service accounts that are created automatically when some Google Cloud services are enabled and used. You can create a user-managed service account and use it alternatively.
Create a Service Account
Before you proceed:
Step 1
From your project home, navigate to the IAM and admin page.
Notice the user account with the Owner role.
Step 2
Expand the sidebar and click on Service accounts.
Click on Create Service Account.
Step 3
Enter a name for your service account. You can change the service account ID and description if you want.
Click DONE.
There, we have our service account.
Create Service Account Key
The service account key provides a way to authenticate applications when accessing Google Cloud resources. An application holding the key acts as (impersonates) the associated service account when it calls Google Cloud.
Let’s create a service account key.
- Click the email address of the service account you just created.
- From the KEYS tab, click the ADD KEY drop down and click Create new key.
- Select the JSON key type and click CREATE.
The JSON credential file is downloaded to your computer. Note that it can only be downloaded once. If the file is lost, you will have to create another service account.
You can rename, copy or move the file however you want.
For use on your local machine, save the file in a secure folder, and note the file path. For use on a virtual machine, you will have to move the file to the VM. Learn more here.
Now, to use the service account from your application, you need to point the Google Cloud client libraries to the credential file by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file, using the command below.
For Linux or macOS:
export GOOGLE_APPLICATION_CREDENTIALS="<path_to_your_json_file>"
For PowerShell:
$env:GOOGLE_APPLICATION_CREDENTIALS="<path_to_your_json_file>"
For Command prompt:
set GOOGLE_APPLICATION_CREDENTIALS=<path_to_your_json_file>
Note that this variable only applies to your current terminal session, so if you restart the VM or shell session, you must set the variable again.
Check this out to learn how to set the variable permanently.
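As an added example (not code from the original article), the Python script below mirrors the first step the client libraries take, reading GOOGLE_APPLICATION_CREDENTIALS to find the key file, and then checks the file the way a practitioner would before trusting it: Unix permissions, the fields Google puts in every service-account JSON key, and the address and PEM format. The function names are my own, and the key it writes is constructed from placeholder values and cannot authenticate anything.

```python
import os
import stat
import tempfile
import json

# Fields present in every service-account JSON key Google issues.
REQUIRED = {"type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "auth_uri", "token_uri"}


def check_key_file(path=None):
    """Return a list of problems with the key file; an empty list means usable."""
    # Same lookup the client libraries start with: the env var names the file.
    path = path or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set in this shell"]
    if not os.path.isfile(path):
        return [f"key file not found: {path}"]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # group or world can reach the key
        problems.append(f"key file mode is {oct(mode)}; restrict it to 600")
    with open(path, encoding="utf-8") as f:
        key = json.load(f)
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    missing = REQUIRED - key.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def demo():
    """Write a constructed, non-functional key file and check it with two modes."""
    sample = {"type": "service_account", "project_id": "example-project",
              "private_key_id": "PLACEHOLDER_KEY_ID", "client_id": "0" * 21,
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
              "client_email": "my-app@example-project.iam.gserviceaccount.com",
              "auth_uri": "https://accounts.google.com/o/oauth2/auth",
              "token_uri": "https://oauth2.googleapis.com/token"}
    path = os.path.join(tempfile.mkdtemp(), "key.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(sample, f)
    os.chmod(path, 0o644)  # deliberately world-readable
    loose = check_key_file(path)
    os.chmod(path, 0o600)  # what "save the file in a secure folder" needs
    return loose, check_key_file(path)
```

Run check_key_file() with no argument in the shell where you exported the variable to confirm the path you set actually resolves to a usable key.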
Manage Service Account
Now that we have our service account and service account key set up, we can provide restricted access to Google Cloud resources for our applications.
For now, the service account we created has no permission to access any cloud resource. This is intentional.
If you already know what permissions your service account will need before creating it, you can add them in Step 3 of creating the service account above.
It is standard practice, for security reasons, to grant only the minimum permissions your application needs to run. In our case, that means no permissions at all.
Now that we are ready to give permissions to the service account, we need to know what access the application needs.
Suppose our application needs to create and manage Compute Engine instances on Google Cloud Platform; then it needs the Compute Admin role. Let’s head over to the console to grant this permission.
- Note your service account name.
- Navigate to the IAM home page.
- Click on GRANT ACCESS.
- Start typing your service account name in the New principals field. Your service account name will appear; click on it to select it.
- In the Role menu, scroll and find Compute Engine. In the roles under it, select Compute Admin. This gives full control of all Compute Engine resources.
- Click SAVE.
Your new principal will appear. Principals are accounts with one or more permissions to resources in your project.
Hover on the icon next to it to view the type. It shows “User” for your Google account and “Service account” for your service account.
To add more roles to your service account, click on the little pen icon to the right. Remember to grant as few permissions as possible, for security reasons.
There you go. Your application can now create and manage Compute Engine instances using the service account you just created.
In the next article, we will create a simple application to create and manage Compute Engine instances using our service account.
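Added example, not part of the original article: a small Python audit that reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` prints and reports, for each service account principal, any basic role (owner, editor, viewer) and any role outside the allow-list you pass, so the least-privilege rule above can be checked rather than assumed. The policy document, project name and addresses are constructed placeholders, and the function names are my own.

```python
# Basic roles (owner, editor, viewer) grant broad access across every service;
# on a service account they contradict the least-privilege advice above.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_by_principal(policy):
    """Invert an IAM policy dict (bindings: role -> members) into
    principal -> set of roles. The input shape matches the JSON that
    `gcloud projects get-iam-policy PROJECT --format=json` prints."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit_service_accounts(policy, allowed=frozenset()):
    """Return (principal, role, reason) findings for serviceAccount: principals.
    Reasons: 'basic role' for owner/editor/viewer; 'not in allow-list' for a
    role outside `allowed` (pass the roles your application really needs)."""
    findings = []
    for member, roles in roles_by_principal(policy).items():
        if not member.startswith("serviceAccount:"):
            continue  # user: and group: principals are reviewed separately
        for role in sorted(roles):
            if role in BASIC_ROLES:
                findings.append((member, role, "basic role"))
            elif allowed and role not in allowed:
                findings.append((member, role, "not in allow-list"))
    return findings


# Constructed sample policy; the project and addresses are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:my-app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:legacy@example-project.iam.gserviceaccount.com",
                     "user:owner@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:my-app@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
}

if __name__ == "__main__":
    for member, role, why in audit_service_accounts(SAMPLE_POLICY, {"roles/compute.admin"}):
        print(f"{member}: {role} ({why})")
```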
To learn more:
- https://cloud.google.com/iam/docs/service-accounts
- https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating
- https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-list-console
- https://cloud.google.com/iam/docs/granting-changing-revoking-access#iam-view-access-console
- https://cloud.google.com/docs/authentication#service-accounts