Google Cloud Service Accounts: In Practice


Identity & Access Management
Cloud IAM
1m 37s
Start course


NOTICE: This course is deprecated and has been replaced by


Security is considered to be one of the biggest challenges when comparing cloud vs. in-house infrastructure. Due to lack of trust, loss of control, and the multi-tenant nature of the cloud, security controls and mechanisms are of the utmost importance.

Google Cloud Platform offers tools with a single dashboard and simple interfaces to implement security policies. Google Cloud Identity and Access Management (IAM) provides an easy way to manage GCP users and the permissions assigned to them. Besides human users, GCP provides a way to create non-human identities (service accounts) and attach those to cloud applications and VMs. The correct configuration and usage of service accounts and IAM are critical to GCP security. GCP also provides a centralized dashboard to view audit logs, which are useful in the case of a security breach.

To help you get the most out of the security tools offered in Google Cloud, this course covers how to properly manage IAM, service accounts, and audit logs.

Learning Objectives

  • Understand how cloud security differs from on-premises security
  • Configure identities and access levels in Google Cloud Platform using Cloud IAM
  • Create, manage, and assign service accounts to GCP VMs 
  • View audit logs in the GCP console

Intended Audience

  • Students preparing for GCP cloud certifications
  • Cloud administrators and IT professionals
  • Cloud security practitioners
  • GCP developers


  • Completion of Google Cloud Platform Fundamentals course on Cloud Academy or practical working experience with GCP infrastructure
  • Basic proficiency with command-line tools and Linux operating system environments

Now I'll show how we can manage service accounts from the GCP console, and how we can associate them with virtual machines. First, go to the IAM & admin page. Then click on Service accounts. As you can see here, I have a default service account for a Compute Engine which was automatically created in this project. This is the service account which, by default, GCP uses when launching a VM. 

To create a new service account, all I need to do is click on CREATE SERVICE ACCOUNT. There are two steps. First you create the service account without giving it any permissions. I'll give it a name here. As you can see when I'm typing this, this also gets a service account ID, which looks like an email address. Now I'll add a description and then click CREATE. The second step is to give the service account permissions. For instance, in this case, I want to give this service account specific permissions related to storage. I'll give it read access to cloud storage objects.

Create key is an optional process that we're not going to do right now, but it gives you the ability to add a private key that's associated with the identity of this service account. 

Now that we've created it, let's see how we can use it. Let's go to Compute Engine and try to create and launch a VM. Let's call this instance cloudsecurity-demo1, and then you'll see that it has this Compute Engine default service account associated with it. But we can change it to another service account if we want. In our case, we're going to change it to the service account we just created. 

Now we'll create the VM. So the VM is coming up. Once the VM is up and running we can still change the service account associated with it if we want. To do that, we need to stop the VM, change its service account, and then restart the VM. I'm just waiting for the VM to come up. Now that this VM is up, if we want to change the service account, we need to stop it first. It'll take a little while to stop, but once it is stopped you can edit the VM and change the service account associated with it. I can't change it if the VM is still running. So let's wait for the VM to stop. 

An important point to understand is that a service account can be treated as both an identity and a resource. So for example, when we're launching a Compute Engine VM with a particular service account, that service account is an identity that can be given specific roles, such as storage viewer, but at the same time, since the service account is a resource, you can give users access to the service account in IAM, which gives them the ability to impersonate that service account. That will give them all of the permissions that the service account has. 

The VM is still shutting down. So I'll fast-forward. There, now that the VM is shut down, we should be able to modify the service account that's associated with it. So I'll click EDIT, and down here we can change it back to the Compute Engine default service account. Click on Save, and then it should be able to save the instance metadata. 

Then we can start the VM again, and it should have a new service account associated with it. One of the cool things you can do with service accounts is to use them across projects. For example, you can use this service account, to access resources in project B from a VM in project A. Let's see how we can use the service account that we created just now, to access resources in a different project. 

We created a service account called cloudacademy-serviceaccount-demo. Now I'm going to use it to access resources in a different project. To do that I need to copy this service account ID and switch to another project I created called Cloudacademy-demo-SA. Now, I need to make that service account a member of this project. So, I've added this service account and now I'm going to assign a role. I'm going to make it, let's say, a project viewer for this particular project. So, now a VM in project A, which was where we created the service account, should be able to view the resources in this project because this service account is now a viewer in this project. 

So this is how you can use a service account to allow a VM in one project to access resources in another project. This concludes our lecture on managing service accounts. Coming up in our next lecture, we'll discuss audit logs.

About the Author

Abhishek Gupta has 10+ years of experience in the domain of high-performance computing, cloud, and security. Currently, he's leading an innovation team at the Schlumberger Software Technology Innovation Center and is also a visiting faculty member at Santa Clara University where he teaches a graduate course in cloud computing. Gupta has a Ph.D. in Computer Science from the University of Illinois at Urbana Champaign.