[Google Cloud] IAM – Service Accounts

Google Cloud Service Accounts:

Service accounts are accounts used for the sole purpose of running your application. Some also call this an application processing identifier; Google uses the term service account. A service account is identified by an email address, which is an Identity & Access Management (IAM) identity used to reference the account.

Here we use the command line to create a new service account called gdev1sa, representing the first development service account for our project. The command line and the web console are tightly coupled: a service account created via the command line is reflected in the web GUI almost instantaneously. For example, as can be seen below, our Service Accounts page currently contains only the default Compute Engine service account:

[Screenshot: Service Accounts page in the web console, showing only the default Compute Engine service account]

Likewise, we see the same output via command-line:

~ gcloud iam service-accounts list

NAME                                    EMAIL
Compute Engine default service account  637540065038-compute@developer.gserviceaccount.com

Create Service Account via Command-Line

~ gcloud iam service-accounts create gdev1sa --display-name "Primary Development Service Account"

Created service account [gdev1sa].

Likewise, after refreshing the Web Console we see the account creation reflected here as well (2nd row):

[Screenshot: Service Accounts page after refresh, with the new gdev1sa account in the second row]

By default, a newly created service account has no external (downloadable) key pair; one has to be created explicitly, as described next.

Service Account Keys

Service account keys are public/private key pairs unique to each service account. When a service account is created it gets its own internal key pair, used for service-to-service authentication within GCP and managed entirely by GCP. With these internal keys you do not have to worry about management tasks such as key rotation or misplacing them; the keys never leave GCP. External keys, however, can be generated within GCP and then downloaded. As of this writing there are two external private key formats: JSON and the older P12 format.

Create External Service Account Keys

Via the command line. Note that you need to specify the email identifier we spoke of earlier to reference the service account when creating the private key. How will GCP know which service account to create the key for? Good question: from that email identifier. By default all private keys are created in the JSON format unless P12 is requested via the option --key-file-type=p12.

gcloud iam service-accounts keys create gdev1sa.json --iam-account=gdev1sa@project-good.iam.gserviceaccount.com
created key [0821b6693b9c974b466474c51a974a1405f530c5] of type [json] as [gdev1sa.json] for [gdev1sa@project-good.iam.gserviceaccount.com]
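The rotation concern raised above, as an added example that is not part of the original post: external (USER_MANAGED) keys are the ones you have to rotate yourself, while SYSTEM_MANAGED keys are GCP's business. This script audits the JSON that `gcloud iam service-accounts keys list --format=json` prints; the record below is constructed for illustration (the second key id and all timestamps are made up), with field names following the IAM ServiceAccountKey resource.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `gcloud iam service-accounts keys list
# --iam-account=gdev1sa@project-good.iam.gserviceaccount.com --format=json`.
# The second key id and the timestamps are made up for this example.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/project-good/serviceAccounts/gdev1sa@project-good.iam.gserviceaccount.com/keys/0821b6693b9c974b466474c51a974a1405f530c5",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2017-10-01T16:49:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/project-good/serviceAccounts/gdev1sa@project-good.iam.gserviceaccount.com/keys/aaaa1111bbbb2222cccc3333dddd4444eeee5555",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2017-10-01T16:30:00Z",
   "validBeforeTime": "2017-10-15T16:30:00Z"}
]"""

# Constructed "current time" so the audit is reproducible offline.
EXAMPLE_NOW = datetime(2018, 1, 15, 16, 49, tzinfo=timezone.utc)


def _parse_rfc3339(ts):
    """Parse the RFC 3339 UTC timestamps gcloud prints (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_external_keys(keys_json, now, max_age_days=90):
    """Return (key_id, age_days, never_expires) for every USER_MANAGED key
    older than max_age_days. SYSTEM_MANAGED keys are rotated by GCP and
    skipped; only downloaded external keys need our own rotation discipline."""
    findings = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[1]
        age_days = (now - _parse_rfc3339(key["validAfterTime"])).days
        # External keys created by gcloud carry a far-future expiry, i.e. none.
        never_expires = _parse_rfc3339(key["validBeforeTime"]).year >= 9999
        if age_days > max_age_days:
            findings.append((key_id, age_days, never_expires))
    return findings


def audit_sample():
    """Run the audit on the constructed sample at the constructed time."""
    return audit_external_keys(SAMPLE_KEYS_JSON, EXAMPLE_NOW)


if __name__ == "__main__":
    for key_id, age_days, never_expires in audit_sample():
        print(f"rotate external key {key_id}: {age_days} days old"
              + (", no expiry set" if never_expires else ""))
```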
