Default Service Accounts versus Custom Service Accounts – GCP
What are default service accounts?
Default Service Accounts are used by GCP - and are not modifiable. In fact, you would not see them listed in the IAM-->Service Accounts menu.
A Service Account belongs to an application or a VM. Applications assume the identity of the SA to call Google APIs.
What roles do I grant to a user who needs to use the Service Account?
Assign the human user the service account (through the IAM menu). In addition, whatever service the service account is created for (e.g. Compute Engine) - that service's admin / create access will need to be granted to the user as well.
Summary
Custom Service accounts are to be used as often as needed. They allow a company to follow the principle of least access.
Leave a Reply