Authentication determines a client's identity. Authorization determines what permissions an authenticated client has for a set of resources. That is, authentication verifies who you are, and authorization determines what you can do.
You can authenticate to a Google Cloud Platform (GCP) API using service accounts or user accounts, and for APIs that don't require authentication, you can use API keys.
A service account is a Google account that represents an application, as opposed to representing an end user.
You can use a service account by providing its private key to your application, or by using the built-in service accounts available when running on Google Cloud Functions, Google App Engine, Google Compute Engine, or Google Kubernetes Engine.
All GCP APIs support service accounts. For most server applications that need to communicate with GCP APIs, we recommend using service accounts, as they are the most widely supported and flexible way to authenticate.
For more information, see getting started with authentication.
You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user.
Example use cases include:
Your application needs to access Google BigQuery datasets that are in projects owned by users of your application.
Your application uses an API such as the Cloud Resource Manager API, which can create and manage projects owned by a specific user. The application would need to authenticate as a user to create projects on their behalf.
You plan to create development tools that create resources within projects.
For more information, see authenticating as an end user.
An API key is a simple encrypted string that identifies a Google project for quota and billing purposes. API keys can be used when calling Google APIs that don't require authentication, and when using Google Cloud Endpoints. For security reasons, we recommend using service accounts instead.
For more information, see using API keys.
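The three credential types described above look different on disk, so a repository or image can be audited for them before it ships. The following is an added example, not code from Google or from this page. It assumes the commonly seen shapes: JSON key files carrying a "type" field of "service_account" or "authorized_user", and API keys that are 39 characters beginning with "AIza". All sample inputs are constructed.

```python
import json
import re

# Assumed credential shapes (not stated on the page): key files are JSON with a
# "type" field; API keys are 39 characters starting with "AIza".
API_KEY_RE = re.compile(r"(?<![\w-])AIza[\w-]{35}(?![\w-])")

def classify_credential(text):
    """Return (kind, identity) for text that may contain a GCP credential."""
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if doc.get("type") == "service_account" and doc.get("private_key"):
            # Long-lived private key: authenticates as the application itself.
            return ("service_account_key", doc.get("client_email", "unknown"))
        if doc.get("type") == "authorized_user" and doc.get("refresh_token"):
            # Stored end-user credential: acts on behalf of that user.
            return ("user_credential", doc.get("client_id", "unknown"))
    match = API_KEY_RE.search(text)
    if match:
        # Identifies a project for quota and billing; carries no client identity.
        return ("api_key", match.group(0)[:8] + "...")
    return ("none", "")

def scan(blobs):
    """Classify each named blob and drop the ones with no credential."""
    found = {name: classify_credential(body) for name, body in blobs.items()}
    return {name: hit for name, hit in found.items() if hit[0] != "none"}

# Constructed sample inputs; none of these values are real credentials.
SAMPLES = {
    "deploy/key.json": json.dumps({
        "type": "service_account",
        "client_email": "app@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    }),
    "home/adc.json": json.dumps({
        "type": "authorized_user",
        "client_id": "constructed-client-id",
        "refresh_token": "constructed-refresh-token",
    }),
    "web/config.js": 'const API_KEY = "AIza' + "0" * 35 + '";',
    "README.md": "No credentials here.",
}

if __name__ == "__main__":
    for name, (kind, identity) in sorted(scan(SAMPLES).items()):
        print(f"{name}: {kind} ({identity})")
```

A service account key found this way is the highest-priority finding, since the private key lets any holder authenticate as the application; on Compute Engine, App Engine, Cloud Functions, or Kubernetes Engine the built-in service account avoids shipping a key file at all.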