
How to create and use service accounts in Google Cloud Platform – CloudSavvy IT



google cloud platform

Service accounts are special accounts that can be used by applications and servers to give them access to your Google Cloud Platform resources. You can use them to manage access within your account and for external applications.

For example, if you need to give an app permission to write to a Cloud Storage bucket, you can create a service account, authorize that account to write to the bucket, and then have the app authenticate as that account with its private key. If the app you are authenticating runs on Compute Engine, you can instead attach a service account to the entire instance, which will be used by default for all gcloud API requests made from it.

Create a service account

Go to the IAM & Admin console and click on “Service Accounts” in the sidebar. From here you can create a new service account or manage existing ones.

create a new service account

Give the service account a name. The service account gets an email address under the project-id.iam.gserviceaccount.com domain and is treated like a regular user when you assign permissions. Click “Create”.

enter service account name

If you want to assign project-wide permissions, which will apply to all relevant resources, you can do so from the next screen. For example, you can grant it read permissions throughout the project with “Viewer” or grant access to a specific service such as Compute Engine.

add roles to the service account

On the next screen, you can give existing users access to use or manage the service account.

set up administrators for the service account

To grant more granular permissions, add the service account directly to the resources it needs to access, such as specific Compute Engine instances, by adding the account as a new member in the “Permissions” settings of that resource. This way you can give access to specific resources only, rather than project-wide permissions.

Use the service account

If you use the service account with other Google Cloud Platform services, you will often have an option to choose it directly. For example, for Compute Engine, under the instance settings, you can set the service account that the instance runs as, which will be used by default for all CLI requests coming from that instance.

To authenticate a service that is not running on Compute Engine, or where you do not want to attach a service account to the entire instance, you must create a key for the service account. You can do this from the service account’s settings in the IAM console: click on “Create key” and you will be offered a JSON key for the service account to download.

create new key

Then you can point your application at the key, usually by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the downloaded JSON file. The file contains the email address and ID of the service account along with its private key, and is all you need to create a connection between your application and GCP. Treat the file like any other secret, since whoever holds it can act as the service account.
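The key-file step above, as an added example that is not part of the original article: a small Python script that locates the key the way Google’s client libraries do, through GOOGLE_APPLICATION_CREDENTIALS, and sanity-checks the downloaded JSON (required fields, account email matching the project, file permissions) before an application uses it. The sample key content, project name and helper names are constructed for this example.

```python
import json
import os
import stat
import tempfile

# Fields every downloaded service-account key contains.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key with placeholder values, not real credentials.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "bucket-writer@example-project.iam.gserviceaccount.com",
}

def write_key_file(data, mode=0o600):
    """Write a key dict to a temp JSON file, like the file the console downloads."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(data, f)
    os.chmod(f.name, mode)
    return f.name

def inspect_key_file(path):
    """Parse a key file; return the identity it carries and any problems found."""
    problems = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file readable by group/others; restrict it to the owner")
    with open(path) as f:
        data = json.load(f)
    problems += [f"missing field {k}" for k in REQUIRED_FIELDS if k not in data]
    if data.get("type") != "service_account":
        problems.append("not a service account key")
    email, project = data.get("client_email", ""), data.get("project_id", "")
    # The account's address lives under <project-id>.iam.gserviceaccount.com.
    if project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project_id")
    return {"email": email, "project": project, "problems": problems}

def resolve_credentials_path(env=os.environ):
    """Locate the key as Google client libraries do: via GOOGLE_APPLICATION_CREDENTIALS."""
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        raise LookupError("GOOGLE_APPLICATION_CREDENTIALS is not set")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return path
```

Run `inspect_key_file(resolve_credentials_path())` at application start-up to fail fast on a missing, mis-scoped or world-readable key instead of discovering it on the first API call.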

