Landing Zone | Service Account & Why Custom Service Account Should be Used Instead of Default Service Account | Best Practices

Introduction on Service Account

Omkar Nadkarni, published in Niveus Solutions
3 min read · Jun 7, 2024


Service accounts are programmatic identities on GCP that applications use instead of a human user. A service account gives the application an identity within the GCP ecosystem, and that identity is what IAM evaluates when the application requests access to resources.

IAM service accounts can be attached to most resources, e.g. VMs, Cloud Run, Cloud Functions, GKE (via Workload Identity), Cloud Build, etc.

Usage

  • Service accounts are used to grant IAM access and can also be referenced in firewall rules.
  • Service accounts are used by applications running on VMs (through Application Default Credentials), on GKE (through Workload Identity), and on Cloud Run and Cloud Functions, each of which runs as a service account.
  • Users can also impersonate a service account to act with its permissions, provided they hold the Service Account User role on that account.

IAM

  • A service account can be granted one or more IAM roles.
  • A service account is created inside a project.
  • A service account can be granted access to resources outside its own project, in another project.

Firewall

A service account can be used as the target of a firewall rule, so that the rule applies to the VMs running as that service account and controls their network flow.

Types

There are different types of service accounts.

  • Default service account: created automatically when the relevant API is enabled; for example, enabling the Compute Engine API creates the Compute Engine default service account. This service account should not be used.
  • System or Google service account: Google-managed service accounts that Google requires in order to create and manage resources in customer projects.
  • Custom service account: service accounts created on a per-requirement basis. These are the ones that should be used.

Problem statement

When a GCP VM is created, the Compute Engine default service account, which holds the Editor role, is attached to the virtual machine by default.

Issue

The broad access of the default service account is intended for quick starts and for testing an application's access to different GCP resources from a VM. In practice it is a security concern: it does not follow the least-privilege model and grants project-wide Editor access.

Recommendation

  • Always use a dedicated custom service account per application deployed on a VM, GKE, etc.
  • Avoid using default service accounts, and remove the overly permissive roles granted to them.
  • If an application needs a service account to access any API, provide a custom service account with only the relevant access.
  • The access scope on VMs should be set to allow all Cloud APIs; the IAM roles granted to the service account should then determine which resources it can reach.
  • A service account should not have a service account key whenever and wherever that is possible.
  • A service account should follow a proper naming convention so its usage is easy to identify, with a description from which the owner can be identified.
  • The Service Account User and Service Account Creator roles should not be granted to the same team.
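The problem statement and the recommendations above can be checked mechanically against a project's IAM policy. The following auditor is an added example, not code from the original post or from Niveus Solutions. It works offline on constructed sample data shaped like the JSON that `gcloud projects get-iam-policy PROJECT --format=json`, `gcloud iam service-accounts list --format=json` and `gcloud iam service-accounts keys list --format=json` return; the naming convention (`sa-<purpose>-<env>@...`) and the pairing of the Service Account User and Service Account Creator roles as the roles to keep apart are assumptions made for this example, and the project number, project id and emails are constructed.

```python
import re

# Email shapes of the default service accounts GCP creates when an API is
# enabled (Compute Engine and App Engine).
DEFAULT_SA_PATTERNS = (
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com$"),
)
# Basic roles are project-wide and therefore never least privilege.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Assumed interpretation of "user and creator": these two roles should not
# both be held by one principal.
SEPARATED_ROLES = ("roles/iam.serviceAccountUser", "roles/iam.serviceAccountCreator")
# Assumed naming convention for custom service accounts: sa-<purpose>-<env>@...
NAMING_CONVENTION = re.compile(r"^sa-[a-z0-9-]+-(prod|dev|test)@")


def is_default_service_account(email: str) -> bool:
    """True for the Compute Engine or App Engine default service account."""
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def audit_policy(policy: dict) -> list:
    """Flag basic roles on service accounts and principals holding both separated roles."""
    findings = []
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(role)
            kind, _, email = member.partition(":")
            if kind == "serviceAccount" and role in BASIC_ROLES:
                findings.append({
                    "check": "basic-role-on-service-account",
                    "member": member,
                    "role": role,
                    "default": is_default_service_account(email),
                })
    for member, roles in roles_by_member.items():
        if all(r in roles for r in SEPARATED_ROLES):
            findings.append({"check": "sa-user-and-creator-same-principal",
                             "member": member, "role": "+".join(SEPARATED_ROLES)})
    return findings


def audit_keys(email: str, keys: list) -> list:
    """Flag user-managed keys; system-managed keys are rotated by Google and are not findings."""
    return [{"check": "user-managed-key", "member": email, "key": k["name"]}
            for k in keys if k.get("keyType") == "USER_MANAGED"]


def audit_naming(accounts: list) -> list:
    """Flag custom service accounts that break the naming convention or lack an owner description."""
    findings = []
    for acct in accounts:
        email = acct["email"]
        if is_default_service_account(email):
            continue  # default accounts are covered by audit_policy
        if not NAMING_CONVENTION.match(email):
            findings.append({"check": "naming-convention", "member": email})
        if not acct.get("description", "").strip():
            findings.append({"check": "missing-description", "member": email})
    return findings


# --- constructed sample data (not from a real project) -----------------------
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:sa-billing-export-prod@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["group:platform-team@example.com", "group:app-team@example.com"]},
    {"role": "roles/iam.serviceAccountCreator",
     "members": ["group:platform-team@example.com"]},
]}
SAMPLE_ACCOUNTS = [
    {"email": "sa-billing-export-prod@example-project.iam.gserviceaccount.com",
     "description": "Owner: finance-platform@example.com"},
    {"email": "test1@example-project.iam.gserviceaccount.com", "description": ""},
]
SAMPLE_KEYS = [
    {"name": "projects/example-project/serviceAccounts/sa-billing-export-prod@example-project.iam.gserviceaccount.com/keys/aaaa1111", "keyType": "SYSTEM_MANAGED"},
    {"name": "projects/example-project/serviceAccounts/sa-billing-export-prod@example-project.iam.gserviceaccount.com/keys/bbbb2222", "keyType": "USER_MANAGED"},
]


def run_audit() -> list:
    """Run every check over the sample data and return the combined findings."""
    return (audit_policy(SAMPLE_POLICY)
            + audit_keys(SAMPLE_ACCOUNTS[0]["email"], SAMPLE_KEYS)
            + audit_naming(SAMPLE_ACCOUNTS))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Against the sample data the auditor reports the default Compute Engine account holding `roles/editor`, the platform team holding both separated roles, one user-managed key, and a custom account that neither follows the naming convention nor names an owner. To use it on a real project, replace the constructed dictionaries with the parsed output of the `gcloud` commands named in the lead-in.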

Conclusion

Service accounts provide the identity for applications running on GCP and should therefore be used carefully, following the best practices above. I hope this blog helps and gives insight into custom service accounts and their use.


Omkar Nadkarni is a principal cloud architect passionate about technology and its impact on business. He has a skillset spanning GCP, Azure, AWS, DevOps and infrastructure.