Create a VM that uses a user-managed service account


This document explains how to create a virtual machine (VM) instance that is configured to use a user-managed service account. A service account is a special kind of account typically used by an application or compute workload to make authorized API calls.

Service accounts are needed for scenarios where a workload, such as a custom application, needs to access Google Cloud resources or perform actions without end-user involvement. For more information about when to use service accounts, see Best practices for using service accounts.

If you have applications that need to make calls to Google Cloud APIs, Google recommends that you attach a user-managed service account to the VM on which the application or workload is running. Then, you grant the service account IAM roles, which gives the service account–and, by extension, applications running on the VM–access to Google Cloud resources.

Before you begin

  • If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

    Terraform

    To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

    1. Install the Google Cloud CLI.
    2. To initialize the gcloud CLI, run the following command:

      gcloud init
    3. If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

    For more information, see Set up authentication for a local development environment.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Required roles

To get the permissions that you need to create VMs that use service accounts, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create VMs that use service accounts. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create VMs that use service accounts:

  • To create service accounts: All the permissions in the serviceAccountCreator role
  • To create VMs:
    • compute.instances.create on the project
    • To use a custom image to create the VM: compute.images.useReadOnly on the image
    • To use a snapshot to create the VM: compute.snapshots.useReadOnly on the snapshot
    • To use an instance template to create the VM: compute.instanceTemplates.useReadOnly on the instance template
    • To assign a legacy network to the VM: compute.networks.use on the project
    • To specify a static IP address for the VM: compute.addresses.use on the project
    • To assign an external IP address to the VM when using a legacy network: compute.networks.useExternalIp on the project
    • To specify a subnet for the VM: compute.subnetworks.use on the project or on the chosen subnet
    • To assign an external IP address to the VM when using a VPC network: compute.subnetworks.useExternalIp on the project or on the chosen subnet
    • To set VM instance metadata for the VM: compute.instances.setMetadata on the project
    • To set tags for the VM: compute.instances.setTags on the VM
    • To set labels for the VM: compute.instances.setLabels on the VM
    • To set a service account for the VM to use: compute.instances.setServiceAccount on the VM
    • To create a new disk for the VM: compute.disks.create on the project
    • To attach an existing disk in read-only or read-write mode: compute.disks.use on the disk
    • To attach an existing disk in read-only mode: compute.disks.useReadOnly on the disk

You might also be able to get these permissions with custom roles or other predefined roles.

Overview

It is recommended that you configure service accounts for your VMs as follows:

  1. Create a new user-managed service account rather than using the Compute Engine default service account, and grant IAM roles to that service account for only the resources and operations that it needs.
  2. Attach the service account to your VM.
  3. Set the cloud platform (https://www.googleapis.com/auth/cloud-platform) scope on your VM. This allows the VM's service account to call the Google Cloud APIs that it has permission to use.
    • If you specify the service account by using the Google Cloud console, the VM's access scope automatically defaults to the cloud-platform scope.
    • If you specify the service account by using the Google Cloud CLI or Compute Engine API, you can use the scopes parameter to set the access scope.

Set up a service account

Create a service account and assign the required IAM roles. Assign as many or as little IAM roles as needed. You can modify the IAM roles on your service account as needed.

Google recommends that you limit the privileges of service accounts and regularly check your service account permissions to make sure they are up-to-date.

Use one of the following methods to set up the service account.

Console

    In the Google Cloud console, go to the Create service account page.

    Go to Create service account
  1. Select your project.
  2. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

    In the Service account description field, enter a description. For example, Service account for quickstart.

  3. Click Create and continue.
  4. Grant the required roles to the service account.

    To grant a role, find the Select a role list, then select the role.

    To grant additional roles, click Add another role and add each additional role.

  5. Click Continue.
  6. In the Service account users role field, enter the identifier for the principal that will attach the service account to other resources, such as Compute Engine instances.

    This is typically the email address for a Google Account.

  7. Click Done to finish creating the service account.

gcloud

    Set up authentication:

    1. Create the service account:

      gcloud iam service-accounts create SERVICE_ACCOUNT_NAME

      Replace SERVICE_ACCOUNT_NAME with a name for the service account.

    2. To provide access to your project and your resources, grant a role to the service account:

      gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE

      Replace the following:

      • SERVICE_ACCOUNT_NAME: the name of the service account
      • PROJECT_ID: the project ID where you created the service account
      • ROLE: the role to grant
    3. To grant another role to the service account, run the command as you did in the previous step.
    4. Grant the required role to the principal that will attach the service account to other resources.

      gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com --member="user:USER_EMAIL" --role=roles/iam.serviceAccountUser

      Replace the following:

      • SERVICE_ACCOUNT_NAME: the name of the service account
      • PROJECT_ID: the project ID where you created the service account
      • USER_EMAIL: the email address for a Google Account

Terraform

To create a service account, you can use the google_service_account resource.

resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

Remember to replace the placeholder values for the account_id and the display_name attributes.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Create a VM and attach the service account

After you create the service account, create a VM and attach the service account that you created in the previous section. Also set the VM's access scope to cloud-platform.

If you already have an existing VM and you want to configure that VM to use a different service account, see Change the attached service account.

Use one of the following methods to create a VM and attach the service account.

Console

  1. In the Google Cloud console, go to the VM instances page.

Go to VM instances

  1. Select your project and click Continue.
  2. Click Create instance.
  3. Specify a Name for your VM.
  4. Go to the Identity and API access section.
  5. In the Service account list, select the service account that you created. When you attach a service account to a VM, the Google Cloud access scope cloud-platform access scope is automatically set on the VM.
  6. Make additional VM customizations, as needed.
  7. To create and start the VM, click Create.

gcloud

To create a new VM instance and configure it to use a custom service account by using the Google Cloud CLI, use the gcloud compute instances create command and provide the service account email and the cloud-platform access scope to the VM instance.

gcloud compute instances create VM_NAME \
    --service-account=SERVICE_ACCOUNT_EMAIL \
    --scopes=https://www.googleapis.com/auth/cloud-platform

Replace the following:

  • SERVICE_ACCOUNT_EMAIL: the email address for the service account that you created. For example: my-sa-123@my-project-123.iam.gserviceaccount.com. To view the email address, see Listing service accounts.
  • VM_NAME: the name of the VM instance.

For example:

gcloud compute instances create example-vm \
    --service-account 123-my-sa@my-project-123.iam.gserviceaccount.com \
    --scopes=https://www.googleapis.com/auth/cloud-platform

You can also specify the scope using the alias: --scopes=cloud-platform. These aliases are recognized only by the gcloud CLI. The API and other libraries don't recognize these aliases, so you must specify the full scope URI.

Terraform

To set up a new VM to use a service account, you can use the google_compute_instance resource.

resource "google_compute_instance" "default" {
  name         = "my-test-vm"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral public IP
    }
  }

  service_account {
    # Google recommends custom service accounts with `cloud-platform` scope with
    # specific permissions granted via IAM Roles.
    # This approach lets you avoid embedding secret keys or user credentials
    # in your instance, image, or app code
    email  = google_service_account.default.email
    scopes = ["cloud-platform"]
  }
}

REST

Use the instances.insert method to create the VM and specify the service account email and access scope for the VM instance.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances

{
   "machineType":"zones/MACHINE_TYPE_ZONE/machineTypes/MACHINE_TYPE",
   "name":"VM_NAME",
   
   "disks":[
      {
         "initializeParams":{
            "sourceImage":"projects/IMAGE_PROJECT/global/images/IMAGE"
         },
         "boot":true
      }
   ],
   
   
   "networkInterfaces":[
      {
         "network":"global/networks/NETWORK_NAME"
      }
   ],
   
  "serviceAccounts": [
      {
      "email": "SERVICE_ACCOUNT_EMAIL",
      "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
      }
   ],
   "shieldedInstanceConfig":{
      "enableSecureBoot":"ENABLE_SECURE_BOOT"
   }
}

Replace the following:

  • PROJECT_ID: ID of the project to create the VM in
  • ZONE: zone to create the VM in
  • MACHINE_TYPE_ZONE: zone containing the machine type to use for the new VM
  • MACHINE_TYPE: machine type, predefined or custom, for the new VM
  • VM_NAME: name of the new VM
  • IMAGE_PROJECT: project containing the image
    For example, if you specify debian-10 as the image family, specify debian-cloud as the image project.
  • IMAGE or IMAGE_FAMILY: specify one of the following:
    • IMAGE: a specific version of a public image
      For example, "sourceImage": "projects/debian-cloud/global/images/debian-10-buster-v20200309"
    • IMAGE_FAMILY: an image family
      This creates the VM from the most recent, non-deprecated OS image. For example, if you specify "sourceImage": "projects/debian-cloud/global/images/family/debian-10", Compute Engine creates a VM from the latest version of the OS image in the Debian 10 image family.
  • NETWORK_NAME: the VPC network that you want to use for the VM. You can specify default to use your default network.
  • SERVICE_ACCOUNT_EMAIL: the email address for the service account that you created. For example: my-sa-123@my-project-123.iam.gserviceaccount.com. To view the email address, see obtain a service account email.
  • ENABLE_SECURE_BOOT: Optional: If you chose an image that supports Shielded VM features, Compute Engine, by default, enables the virtual trusted platform module (vTPM) and integrity monitoring. Compute Engine does not enable Secure Boot by default.

    If you specify true for enableSecureBoot, Compute Engine creates a VM with all three Shielded VM features enabled. After Compute Engine starts your VM, to modify Shielded VM options, you must stop the VM.

Access and use other Google Cloud services

After your VM is configured to use the service account, applications can then use the service account to authenticate. The most common method is to authenticate by using Application Default Credentials and a client library. Some Google Cloud tools such as the gcloud CLI are able to automatically use the service account to access Google Cloud APIs from a VM. For more information, see Authenticate workloads using service accounts.

If a service account is deleted, applications will no longer have access to Google Cloud resources through that service account. If you delete the default App Engine and Compute Engine service accounts, your VMs will no longer have access to resources in the project. If you're not sure whether a service account is being used, Google recommends disabling the service account before deleting it. Disabled service accounts can be re-enabled if they are still needed.

Example: Access Cloud Storage resources from your VM

After you have configured your VM to use a service account that has the storage.admin role, you can use tools such as the gcloud CLI to manage files that you have stored on Cloud Storage. To access your Cloud Storage resources, complete the following:

  1. Ensure that the service account that is attached to your VM has the roles/storage.admin role.

  2. If your VM uses a custom OS image, install the gcloud CLI. By default, the gcloud CLI is installed on most public OS images that are provided by Google Cloud.

  3. Connect to the VM.

  4. From the VM, use the Google Cloud CLI to manage your Cloud Storage resources.

What's next?