Authenticate workloads using service accounts

This page describes how to use service accounts to enable apps running on your virtual machine (VM) instances to authenticate to Google Cloud APIs and authorize access to resources.

For more information about how Compute Engine uses service accounts, see the service accounts overview.

Before you begin

• If you want to use the command-line examples in this guide, do the following:
  1. Install or update to the latest version of the Google Cloud CLI.
  2. Set a default region and zone.
• If you want to use the API examples in this guide, set up API access.
• Read the Service accounts overview.

Creating a new service account

You can create and set up a new service account using IAM. After creating an account, grant the account one or more IAM roles, and then authorize a virtual machine instance to run as that service account.

resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

Setting up a new instance to run as a service account

After creating a new service account, you can create new virtual machine instances to run as the service account. If the service account is in a different project than the instances, you must configure the service account for a resource in a different project.

If you want to assign or change a service account for an existing instance, see Changing the service account and access scopes for an instance instead.

You can enable multiple virtual machine instances to use the same service account, but a virtual machine instance can only have one service account identity. If you assign the same service account to multiple virtual machine instances, any subsequent changes you make to the service account will affect instances using the service account. This includes any changes you make to the IAM roles granted to the service account. For example, if you remove a role, all instances using the service account will lose permissions granted by that role.

Generally, you can just set the cloud-platform access scope to allow access to most of the Cloud APIs, then grant the service account only relevant IAM roles. The combination of access scopes granted to the virtual machine instance and the IAM roles granted to the service account determines the amount of access the service account has for that instance. The service account can execute API methods only if they are allowed by both the access scope and its IAM roles.

Alternatively, you can choose to set specific scopes that permit access to the particular API methods that the service will call. For example, to call the instances.insert method requires authorization with either the https://www.googleapis.com/auth/compute scope or the https://www.googleapis.com/auth/cloud-platform scope as well as an IAM role that grants access to that method. You could set the compute scope in place of the cloud-platform scope, which would give the service access to call methods in Compute Engine but no access to call API methods outside of Compute Engine.

You can set up a new instance to run as a service account through the Google Cloud console, the Google Cloud CLI, or directly through the API.

gcloud compute instances create [INSTANCE_NAME] \
    --service-account [SERVICE_ACCOUNT_EMAIL] \
    --scopes [SCOPES,...]

gcloud compute instances create example-vm \
    --service-account 123-my-sa@my-project-123.iam.gserviceaccount.com \
    --scopes https://www.googleapis.com/auth/cloud-platform

gcloud compute instances create --help

gcloud compute instances create [INSTANCE_NAME] \
    --service-account [SERVICE_ACCOUNT_EMAIL] \
    --scopes cloud-platform

resource "google_compute_instance" "default" {
  name         = "my-test-vm"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral public IP
    }
  }

  service_account {
    # Google recommends custom service accounts with `cloud-platform` scope with
    # specific permissions granted via IAM Roles.
    # This approach lets you avoid embedding secret keys or user credentials
    # in your instance, image, or app code
    email  = google_service_account.default.email
    scopes = ["cloud-platform"]
  }
}

POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances

{
  "machineType": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/machineTypes/[MACHINE_TYPE]",
  "name": "[INSTANCE_NAME]",
  "serviceAccounts": [
   {
    "email": "[SERVICE_ACCOUNT_EMAIL]",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
   }
  ],
  ...
}

After you have set up an instance to run as the service account, an application running on the instance can use one of the following methods for authentication:

• For most applications, choose one of the following:
  • Use Application Default Credentials and a client library
  • Use gcloud and gsutil commands
• For applications that require an OAuth2 access token, request and use access tokens directly from the metadata server

Authenticating applications using service account credentials

After setting up an instance to run as a service account, you can use service account credentials to authenticate applications running on the instance.

Authenticating applications with a client library

Client libraries can use Application Default Credentials to authenticate with Google APIs and send requests to those APIs. Application Default Credentials lets applications automatically obtain credentials from multiple sources so you can test your application locally and then deploy it to a Compute Engine instance without changing the application code.

For information about setting up Application Default Credentials, see Provide credentials to Application Default Credentials.

This example uses the Python client library to authenticate and make a request to the Cloud Storage API to list the buckets in a project. The example uses the following procedure:

1. Obtain the necessary authentication credentials for the Cloud Storage API and initialize the Cloud Storage service with the build() method and the credentials.
2. List buckets in Cloud Storage.

You can run this sample on an instance that has access to manage buckets in Cloud Storage.

import argparse
from typing import Dict

import googleapiclient.discovery


def create_service() -> googleapiclient.discovery.Resource:
    """Construct the service object for interacting with the Cloud Storage API -
    the 'storage' service, at version 'v1'.
    Authentication is provided by application default credentials.
    When running locally, these are available after running
    `gcloud auth application-default login`. When running on Compute Engine,
    these are available from the environment."""
    return googleapiclient.discovery.build("storage", "v1")


def list_buckets(service: googleapiclient.discovery.Resource, project_id: str) -> Dict:
    """List buckets in Cloud Storage"""
    return service.buckets().list(project=project_id).execute()


def main(project_id: str) -> None:
    service = create_service()
    buckets = list_buckets(service, project_id)
    print(buckets)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("project_id", help="Your Google Cloud Project ID.")

    args = parser.parse_args()

    main(args.project_id)

Authenticating applications directly with access tokens

For most applications, you can authenticate by using Application Default Credentials, which finds credentials and manages tokens for you. However, if your application requires you to provide an OAuth2 access token, Compute Engine lets you get an access token from its metadata server for use in your application.

There are several options for obtaining and using these access tokens to authenticate your applications. For example, you can use curl to create a simple request, or use a programming language like Python for more flexibility.

import argparse
from typing import Dict

import requests


METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/"
METADATA_HEADERS = {"Metadata-Flavor": "Google"}
SERVICE_ACCOUNT = "default"


def get_access_token() -> str:
    """Get an access token from the metadata server"""
    url = f"{METADATA_URL}instance/service-accounts/{SERVICE_ACCOUNT}/token"

    # Request an access token from the metadata server.
    r = requests.get(url, headers=METADATA_HEADERS)
    r.raise_for_status()

    # Extract the access token from the response.
    access_token = r.json()["access_token"]

    return access_token


def list_buckets(project_id: str, access_token: str) -> Dict:
    """List buckets in Cloud Storage"""
    url = "https://www.googleapis.com/storage/v1/b"
    params = {"project": project_id}
    headers = {"Authorization": f"Bearer {access_token}"}

    r = requests.get(url, params=params, headers=headers)
    r.raise_for_status()

    return r.json()


def main(project_id: str) -> None:
    access_token = get_access_token()
    buckets = list_buckets(project_id, access_token)
    print(buckets)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("project_id", help="Your Google Cloud project ID.")

    args = parser.parse_args()

    main(args.project_id)

Access tokens expire after a short period of time. The metadata server caches access tokens until they have 5 minutes of remaining time before they expire. You can request new tokens as frequently as you like, but your applications must have a valid access token for their API calls to succeed.

Authenticating tools on an instance using a service account

Some applications might use commands from the gcloud and gsutil tools, which are included by default in most Compute Engine images. These tools automatically recognize an instance's service account and relevant permissions granted to the service account. Specifically, if you grant the correct roles to the service account, you can use the gcloud and gsutil tools from your instances without having to use gcloud auth login.

This service account recognition happens automatically and applies only to the gcloud and gsutil tools that are included with the instance. If you create new tools or add custom tools, you must authorize your application using a client library or by using access tokens directly in your application.

To take advantage of automatic service account recognition, grant the appropriate IAM roles to the service account and set up an instance to run as a service account. For example, if you grant a service account the roles/storage.objectAdmin role, the gsutil tool can automatically manage and access Cloud Storage objects.

Likewise, if you enable roles/compute.instanceAdmin.v1 for the service account, the gcloud compute tool can automatically manage instances.

Changing the service account and access scopes for an instance

If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, you can remove the service account and access scopes to prevent a VM from accessing any Google Cloud services, or you can change a VM so that it runs as a service account that you created instead of the Compute Engine default service account. However, Google recommends that you use fine-grained IAM policies instead of relying on access scopes to control resource access for the service account.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to the change service account or access scopes of the stopped instance.

gcloud compute instances set-service-account [INSTANCE_NAME] \
   [--service-account [SERVICE_ACCOUNT_EMAIL] | --no-service-account] \
   [--no-scopes | --scopes [SCOPES,...]]

gcloud compute instances set-service-account example-instance \
   --service-account my-sa-123@my-project-123.iam.gserviceaccount.com \
   --scopes compute-rw,storage-ro

https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/setServiceAccount

{
  "email": "[SERVICE_ACCOUNT_EMAIL]",
  "scopes": [
    "[SCOPE_URI]",
    "[SCOPE_URI]",
    ...
  ]
}

{
  "email": "my-sa-123@my-project-123.iam.gserviceaccount.com",
  "scopes": [
    "https://www.googleapis.com/auth/bigquery",
    "https://www.googleapis.com/auth/devstorage.read_only"
  ]
}

Obtaining a service account email

To identify a service account, you need the service account email. Obtain a service account email through one of the following options:

gcloud compute instances describe [INSTANCE_NAME] --format json

{
      ...
      "serviceAccounts":[
         {
            "email":"123845678986-compute@developer.gserviceaccount.com",
            "scopes":[
               "https://www.googleapis.com/auth/devstorage.full_control"
            ]
         }
      ]
      ...
   }

user@myinst:~$ curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/" \
-H "Metadata-Flavor: Google"

123845678986-compute@developer.gserviceaccount.com/
default/

Using the Compute Engine Default Service Account

If you are familiar with the Compute Engine default service account and want to use the credentials provided by the default service account instead of creating new service accounts, you can grant IAM roles to the default service account.

By default, all Compute Engine instances can run as the default service account. When you create an instance using the Google Cloud CLI or the Google Cloud console, and omit any service account specifications, the default service account is assigned to the instance.

Before you assign IAM roles to the default service account, note that:

• Granting an IAM role to the default service account affects all instances that are running as the default service account. For example, if you grant the default service account the roles/storage.objectAdmin role, all instances running as the default service account with the required access scopes will have permissions granted by the roles/storage.objectAdmin role. Likewise, if you limit access by omitting certain roles, it will affect all instances running as the default service account.

• You must revoke project editor permission for the service account. The default service account is added as a project editor to projects by default. To use IAM roles, you must revoke the project editor permission.

If you are unsure about granting IAM roles to the default service account, create a new service account instead.

Follow these instructions to grant an IAM role to the default service account:

1. In the Google Cloud console, go to the IAM page.

   Go to IAM

2. If prompted, select a project.

3. Look for the service account named Compute Engine Default Service Account.

4. In the Role(s) column, expand the drop down menu for the Compute Engine Default Service Account.

5. Remove Editor access and save your changes.

6. Next, grant IAM roles to the service account.

Any virtual machine instances that are currently running as the default service account will now have access to other Google Cloud APIs according to the IAM roles you granted to the account.

If you want to set up a new instance to run as the default service account, follow these instructions:

gcloud compute instances create [INSTANCE_NAME] \
     --scopes cloud-platform

POST https://compute.googleapis.com/compute/v1/projects/zones/[ZONE]/instances

{
  "machineType": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/machineTypes/[MACHINE_TYPE]",
  "name": "[INSTANCE_NAME]",
  "serviceAccounts": [
   {
    "email": "[DEFAULT_SERVICE_ACCOUNT_EMAIL]",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
   }
  ],
  ...
}

Best practices

• Google recommends that each VM instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that VM to do its job.

• Follow these instructions to configure service accounts for your VMs:

  1. Create a new service account rather than using the Compute Engine default service account.
  2. Grant IAM roles to that service account for only the resources that it needs.
  3. Configure the VM to run as the new service account you created.
  4. Grant your VM the https://www.googleapis.com/auth/cloud-platform scope to allow access to most of the Google Cloud APIs, so that the IAM permissions of the VM are completely determined by the IAM roles that you granted to the VM's service account. The service account can only execute API methods that are allowed by both the access scope and the service account's specific IAM roles.

• Limit the privileges of service accounts and regularly check your service account permissions to make sure they are up-to-date.

• Delete service accounts with caution. Make sure your critical applications are no longer using a service account before deleting it. If you're not sure whether a service account is being used, we recommend disabling the service account instead of deleting it. Disabled service accounts can be re-enabled if they are still needed.

• Mitigate the security risks for your service account. For more information, see Best practices for working with service accounts.

What's next

• Learn more about Service Accounts.
• Learn more about Compute Engine IAM Roles.
• Learn more about best practices for working with service accounts.