Custom Service Account versus Default Service Accounts in GCP

Both are programmatic service accounts. In both, you select the list of APIs that the account can access.

However, in a custom service account, this is done via role assignment (e.g. the BigQuery Admin role allows calling the BigQuery admin API).

For a default service account, this selection of APIs is done during the actual resource creation. When you pick the default service account for the resource, you are presented with 'APIs allowed to access'. This is where you select what the default SA is allowed to invoke.
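To see which of the two mechanisms governs each resource, the following added example (not part of the original page) audits an instance listing and reports, per attached service account, whether its API access was decided by the selection made at creation (recorded on the instance as scopes) or by role assignment. The instance names, project number and project ID are constructed; the JSON is assumed to have the shape of `gcloud compute instances list --format=json`.

```python
import json
import re

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
SAMPLE = json.loads("""
[
 {"name": "etl-worker", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
   "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
              "https://www.googleapis.com/auth/logging.write"]}]},
 {"name": "legacy-batch", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
   "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "bq-loader", "serviceAccounts": [{"email": "bq-loader@example-project.iam.gserviceaccount.com",
   "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "no-identity"}
]
""")

# The Compute Engine default service account is named <project-number>-compute@...
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
SCOPE_PREFIX = "https://www.googleapis.com/auth/"
ALL_APIS = "cloud-platform"  # scope that allows every Cloud API


def short(scope):
    """Strip the common URL prefix so scopes read as short names."""
    return scope[len(SCOPE_PREFIX):] if scope.startswith(SCOPE_PREFIX) else scope


def audit(instances):
    """Return one row per attached service account: where its API access is decided."""
    rows = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            scopes = sorted(short(s) for s in sa.get("scopes", []))
            is_default = bool(DEFAULT_SA.match(sa.get("email", "")))
            rows.append({
                "instance": inst["name"],
                "kind": "default" if is_default else "custom",
                # Default SA: the scopes picked at creation are the API selection.
                # Custom SA: the API selection is in its role assignments instead.
                "decided_by": "scopes" if is_default else "roles",
                "scopes": scopes,
                "review": is_default and ALL_APIS in scopes,
            })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Rows with `review` set are default service accounts whose creation-time selection allows every API; rows with `decided_by` of `roles` need their role assignments checked instead.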

 
