Run a VM as a service account
Stay organized with collections
Save and categorize content based on your preferences.
Assign a service account for a VM, add access scopes, and set up the VM to run as a service account.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],[],[[["\u003cp\u003eThis code sample demonstrates how to configure a Google Compute Engine VM to use a service account.\u003c/p\u003e\n"],["\u003cp\u003eThe configuration includes assigning a specific email to the service account and setting the scope to \u003ccode\u003ecloud-platform\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eIt utilizes Terraform to define the VM resource, including specifications for the boot disk, local SSD, and network interface.\u003c/p\u003e\n"],["\u003cp\u003eThe example showcases the recommended best practice of using a custom service account with specific permissions granted via IAM Roles to enhance security.\u003c/p\u003e\n"]]],[],null,["# Run a VM as a service account\n\nAssign a service account for a VM, add access scopes, and set up the VM to run as a service account.\n\nExplore further\n---------------\n\n\nFor detailed documentation that includes this code sample, see the following:\n\n- [Create a VM that uses a user-managed service account](/compute/docs/access/create-enable-service-accounts-for-instances)\n\nCode sample\n-----------\n\n### Terraform\n\n\nTo learn how to apply or remove a Terraform configuration, see\n[Basic Terraform commands](/docs/terraform/basic-commands).\n\n\nFor more information, see the\n[Terraform provider reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs).\n\n resource \"google_compute_instance\" \"default\" {\n name = \"my-test-vm\"\n machine_type = \"n1-standard-1\"\n zone = \"us-central1-a\"\n\n boot_disk {\n initialize_params {\n image = \"debian-cloud/debian-11\"\n }\n }\n\n // Local SSD disk\n scratch_disk {\n interface = \"SCSI\"\n }\n\n network_interface {\n network = \"default\"\n\n access_config {\n // Ephemeral public IP\n }\n }\n\n service_account {\n # Google recommends custom service accounts with `cloud-platform` scope with\n # specific permissions granted via IAM Roles.\n # This approach lets you avoid embedding secret keys or user credentials\n # in your instance, image, or app code\n email = google_service_account.default.email\n scopes = [\"cloud-platform\"]\n }\n }\n\nWhat's next\n-----------\n\n\nTo search and filter code samples for other Google Cloud products, see the\n[Google Cloud sample browser](/docs/samples?product=compute)."]]
