Authentication refers to the process of determining a client's identity. Authorization refers to the process of determining what permissions an authenticated client has for a set of resources. That is, authentication identifies who you are, and authorization determines what you can do.
You can authenticate to a Google Cloud Platform (GCP) API using service accounts or user accounts, and for APIs that don't require authentication, you can use API keys.
A service account is a Google account that is associated with your GCP project, as opposed to a specific user.
You can use a service account by providing a service account key to your application, or by using the built-in service accounts available when running on Google Cloud Functions, Google App Engine, Google Compute Engine, or Google Container Engine.
Different GCP APIs support different credential types, but all GCP APIs support service accounts. For most applications that run on a server and need to communicate with GCP APIs, we recommend using service accounts, as they are the most widely supported and flexible way to authenticate.
For more information, see getting started with authentication.
You can authenticate users directly to your application when the application needs to access resources on behalf of an end user.
Example use cases include:
Your application needs to access Google BigQuery datasets that are in projects owned by users of your application.
Your application uses an API such as the Cloud Resource Manager API, which can create and manage projects owned by a specific user. The application would need to authenticate as a user to create projects on their behalf.
You plan to create development tools that create resources within projects.
For more information, see authenticating as an end user.
An API key is a simple encrypted string that identifies a project for quota and billing purposes. API keys can be used when calling APIs that don't need to access private user data, and when using Google Cloud Endpoints. For security reasons, we recommend using service accounts for calling GCP APIs.
For more information, see using API keys.
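When auditing what an application has been configured with, the three credential types described above can be told apart offline. The following is an added example, not Google's code: the function name, the sample values, and the `AIza` key-shape check are assumptions, while the `type` values and field names are those found in Google JSON credential files.

```python
import json
import re

# Assumption: API keys are 39 characters starting with "AIza" (commonly observed shape).
API_KEY_RE = re.compile(r"^AIza[0-9A-Za-z_\-]{35}$")

# Fields expected for each JSON credential "type".
REQUIRED = {
    "service_account": {"project_id", "private_key_id", "private_key", "client_email"},
    "authorized_user": {"client_id", "client_secret", "refresh_token"},
}

def classify_credential(raw):
    """Return (kind, identifies, missing_fields) for a credential string."""
    raw = raw.strip()
    if API_KEY_RE.match(raw):
        # An API key identifies a project only, never a user or service account.
        return ("api_key", "project (quota and billing only)", [])
    try:
        data = json.loads(raw)
    except ValueError:
        raise ValueError("not an API key or a JSON credential file")
    if not isinstance(data, dict):
        raise ValueError("JSON credential must be an object")
    kind = data.get("type")
    if kind not in REQUIRED:
        raise ValueError("unknown credential type: %r" % (kind,))
    missing = sorted(REQUIRED[kind] - set(data))
    if kind == "service_account":
        # The identity is the service account tied to the project, not a person.
        return ("service_account", data.get("client_email", "?"), missing)
    return ("user_account", "end user (refresh token)", missing)

# Constructed samples: no real keys, tokens, or projects.
SAMPLE_SA = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000", "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "app@example-project.iam.gserviceaccount.com",
})
SAMPLE_USER = json.dumps({
    "type": "authorized_user", "client_id": "constructed-id",
    "client_secret": "constructed-secret", "refresh_token": "constructed-token",
})
SAMPLE_API_KEY = "AIza" + "x" * 35

if __name__ == "__main__":
    for sample in (SAMPLE_SA, SAMPLE_USER, SAMPLE_API_KEY):
        print(classify_credential(sample))
```

A non-empty `missing_fields` list on a service account key indicates a truncated or hand-edited file that should be replaced rather than patched.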