GCP Service Accounts – Additional Use Cases
Service accounts are extremely useful in GCP for calling service APIs, whether through a custom or a default service account. (Also read Service Accounts in GCP Overview and Custom versus Default Service Accounts.)
Here are three more scenarios where service accounts come in handy.
Google Workspace / G Suite Wide Delegation
In Google Workspace domains, the domain administrator can grant a third-party application domain-wide access to its users' data; this is referred to as domain-wide delegation of authority.
To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
For a software application to perform actions on G Suite accounts, it must use a service account together with delegation: Perform G Suite Domain-Wide Delegation of Authority
Short Term Access Tokens:
Creating short-lived access tokens normally relies on delegation (think AWS STS): Delegated request permissions
Data Signing using Service Accounts:
A service account's private key can be used to sign data. This also requires service account delegation (referred to as service account impersonation).
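Both of the last two use cases, minting short-lived tokens and signing data, go through the IAM Service Account Credentials API, so an operator can review who is exercising delegation by reading the Cloud Audit Log entries for that API. The script below is an added example, not code from the original post: it parses constructed log entries that follow the real Cloud Audit Log field layout (protoPayload.serviceName, methodName, authenticationInfo.principalEmail, resourceName) and reports callers who minted tokens or signed data for a service account without being on an allowlist. The project, service account and principal names are made up.

```python
"""Audit-log review for service-account delegation activity (added example).

Short-lived access tokens and data signing with a service account are both
requests to the IAM Service Account Credentials API, which appear in Cloud
Audit Logs with serviceName "iamcredentials.googleapis.com". The entries
below are constructed samples; the names in them are not real resources.
"""
import json
from collections import defaultdict

# Method names of the IAM Service Account Credentials API.
TOKEN_METHODS = {
    "GenerateAccessToken",   # short-lived OAuth2 access token
    "GenerateIdToken",       # short-lived OIDC ID token
}
SIGNING_METHODS = {
    "SignBlob",              # sign arbitrary bytes with the SA key
    "SignJwt",               # sign a JWT with the SA key
}

# Constructed sample entries (one JSON object per line, not real log data).
SAMPLE_LOG = """
{"protoPayload":{"serviceName":"iamcredentials.googleapis.com","methodName":"GenerateAccessToken","authenticationInfo":{"principalEmail":"deployer@example.com"},"resourceName":"projects/-/serviceAccounts/ci-runner@demo-project.iam.gserviceaccount.com"},"timestamp":"2024-01-05T10:00:00Z"}
{"protoPayload":{"serviceName":"iamcredentials.googleapis.com","methodName":"SignBlob","authenticationInfo":{"principalEmail":"deployer@example.com"},"resourceName":"projects/-/serviceAccounts/ci-runner@demo-project.iam.gserviceaccount.com"},"timestamp":"2024-01-05T10:00:05Z"}
{"protoPayload":{"serviceName":"iamcredentials.googleapis.com","methodName":"GenerateAccessToken","authenticationInfo":{"principalEmail":"analyst@example.com"},"resourceName":"projects/-/serviceAccounts/admin-sa@demo-project.iam.gserviceaccount.com"},"timestamp":"2024-01-05T11:00:00Z"}
{"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"ci-runner@demo-project.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/demo"},"timestamp":"2024-01-05T11:00:01Z"}
"""

# Hypothetical allowlist: which principals may impersonate which SA.
ALLOWLIST = {
    "ci-runner@demo-project.iam.gserviceaccount.com": {"deployer@example.com"},
}


def parse_entries(raw):
    """Parse newline-delimited JSON audit log entries into dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def delegation_report(entries):
    """Map each impersonated service account to the principals that minted
    tokens for it or signed data with it. Non-credentials API calls are skipped."""
    report = defaultdict(lambda: {"token_callers": set(), "signers": set()})
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iamcredentials.googleapis.com":
            continue
        # resourceName ends with the impersonated SA's email address.
        sa_email = payload.get("resourceName", "").rsplit("/", 1)[-1]
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        method = payload.get("methodName", "")
        if method in TOKEN_METHODS:
            report[sa_email]["token_callers"].add(caller)
        elif method in SIGNING_METHODS:
            report[sa_email]["signers"].add(caller)
    return dict(report)


def unexpected_callers(report, allowlist):
    """Return sorted (sa_email, caller, kind) tuples for delegation activity by
    principals that are not allowlisted for that service account."""
    findings = []
    for sa_email, usage in report.items():
        allowed = allowlist.get(sa_email, set())
        for caller in usage["token_callers"] - allowed:
            findings.append((sa_email, caller, "token"))
        for caller in usage["signers"] - allowed:
            findings.append((sa_email, caller, "sign"))
    return sorted(findings)


if __name__ == "__main__":
    report = delegation_report(parse_entries(SAMPLE_LOG))
    for sa_email, caller, kind in unexpected_callers(report, ALLOWLIST):
        print(f"unexpected delegation: sa={sa_email} caller={caller} kind={kind}")
```

Two practical notes: these calls are recorded as Data Access audit logs, which are not enabled by default, so the IAM Service Account Credentials API must have Data Access logging turned on before such a review yields anything; and a SignBlob call by a principal who was not expected to sign for that service account deserves the same scrutiny as an unexpected token request, since a signature made with the service account's key is indistinguishable from one the service account produced itself.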
Summary
In addition to invoking service APIs, some additional uses of service accounts are presented here. Although these are also implemented via API calls, they deserve their own categorization, as the use cases are very specific and well defined.