
Service accounts for applications in GCP - Commands & Configuration

Introduction
Applications often need to access Google Cloud resources securely. Service accounts let applications prove who they are and get permission to use these resources without using personal user accounts.
When you want your app to read data from a Google Cloud Storage bucket safely.
When your app needs to write logs to Google Cloud Logging automatically.
When you want to run a virtual machine that accesses a database without sharing your personal login.
When you deploy a cloud function that needs to call other Google Cloud services securely.
When you want to limit what your app can do by giving it only the permissions it needs.
Config File - service-account-policy.json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com"
      ]
    }
  ]
}

This JSON file defines a policy that gives the service account named my-app-sa@my-project.iam.gserviceaccount.com permission to view objects in Google Cloud Storage.

The bindings section links the role roles/storage.objectViewer to the service account member.

Commands
This command creates a new service account named 'my-app-sa' with a friendly display name. This account will represent your application when accessing Google Cloud resources.
Terminal
gcloud iam service-accounts create my-app-sa --display-name "My App Service Account"
Expected Output
Created service account [my-app-sa].
--display-name - Sets a human-readable name for the service account.
This command grants the service account permission to view objects in Cloud Storage by adding a policy binding to the project.
Terminal
gcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com" --role="roles/storage.objectViewer"
Expected Output
Updated IAM policy for project [my-project].
--member - Specifies the service account (the member) that receives the role.
--role - Specifies the permission role to assign.
This command creates a private key file for the service account. Your application will use this key to authenticate as the service account. Treat this file as a secret: it is a long-lived credential, so keep it out of source control and delete keys you no longer use.
Terminal
gcloud iam service-accounts keys create my-app-sa-key.json --iam-account=my-app-sa@my-project.iam.gserviceaccount.com
Expected Output
created key [projects/my-project/serviceAccounts/my-app-sa@my-project.iam.gserviceaccount.com/keys/XXXXXXXXXXXXXXXXXXXX] of service account [my-app-sa@my-project.iam.gserviceaccount.com] to [my-app-sa-key.json]
--iam-account - Specifies which service account to create the key for.
This command activates the service account locally using the key file, so you can test commands as that service account.
Terminal
gcloud auth activate-service-account my-app-sa@my-project.iam.gserviceaccount.com --key-file=my-app-sa-key.json
Expected Output
Activated service account credentials for: [my-app-sa@my-project.iam.gserviceaccount.com]
--key-file - Specifies the private key file to use for authentication.
This command lists the active accounts to verify that the service account is now active.
Terminal
gcloud auth list
Expected Output
Credentialed Accounts
ACTIVE  ACCOUNT
*       my-app-sa@my-project.iam.gserviceaccount.com
        user@example.com
Key Concept

If you remember nothing else from this pattern, remember: service accounts let your applications securely prove their identity and get only the permissions they need.

Common Mistakes
Using personal user credentials instead of a service account for applications.
This risks exposing personal credentials and does not allow fine-grained permission control for apps.
Always create and use a dedicated service account with only the needed permissions.
Not creating or downloading a service account key file for application authentication.
Without the key file, the application cannot authenticate as the service account.
Use 'gcloud iam service-accounts keys create' to generate and download the key file.
Assigning overly broad roles like owner to the service account.
This gives the app more permissions than needed, increasing security risks.
Assign only the minimum roles required for the app's tasks.
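The least-privilege check from the mistakes above, and the policy format from the config file section, as an added example that is not part of the original page: it parses a project IAM policy (the same shape as service-account-policy.json, or the JSON printed by `gcloud projects get-iam-policy my-project --format=json`) and reports which roles a service account actually holds, which of them are broad basic roles, and which fall outside the roles you expected. The sample policy and the extra member other-sa are constructed for the example.

```python
import json

# Constructed sample policy in the same shape as service-account-policy.json.
# The roles/owner binding is deliberately present to show the check firing.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:other-sa@my-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Basic roles grant project-wide access; an application's service account
# should hold a narrow predefined role (e.g. roles/storage.objectViewer) instead.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_for_member(policy, member):
    """Return the sorted list of roles bound to `member` in an IAM policy dict."""
    return sorted(
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    )


def audit_service_account(policy, sa_email, allowed_roles):
    """Compare a service account's roles with the roles it should have.

    Returns the roles it holds, the subset that are broad basic roles, and the
    subset outside `allowed_roles` (the least-privilege check).
    """
    held = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "held": held,
        "broad": [r for r in held if r in BROAD_ROLES],
        "unexpected": [r for r in held if r not in allowed_roles],
    }


if __name__ == "__main__":
    report = audit_service_account(
        SAMPLE_POLICY,
        "my-app-sa@my-project.iam.gserviceaccount.com",
        allowed_roles={"roles/storage.objectViewer"},
    )
    for key, roles in report.items():
        print(f"{key}: {roles}")
```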
Summary
Create a service account to represent your application.
Grant the service account only the permissions it needs using IAM roles.
Generate and download a key file for the service account to authenticate your app.
Activate the service account locally to test permissions.
Verify the active account to confirm the service account is in use.