Types of service accounts

Service accounts can be divided into two categories: service accounts that you manage, and service accounts that Google manages. This page describes how each type of service account is created and used.

User-managed service accounts

User-managed service accounts are service accounts that you create in your projects. You can update, disable, enable, and delete these service accounts at your discretion. You can also manage other principals' access to these service accounts.

You can create user-managed service accounts in your project using the IAM API, the Google Cloud console, or the Google Cloud CLI.

By default, you can create up to 100 user-managed service accounts in a project. If this quota does not meet your needs, you can use the Google Cloud console to request a quota increase. Only user-created service accounts count towards this quota—default service accounts and Google-managed service accounts do not.

When you create a user-managed service account in your project, you choose a name for the service account. This name appears in the email address that identifies the service account, which uses the following format:

service-account-name@project-id.iam.gserviceaccount.com

To learn how to create a service account, see Create service accounts.

Default service accounts

Default service accounts are user-managed service accounts that are created automatically when you enable or use certain Google Cloud services. These service accounts let the service deploy jobs that access other Google Cloud resources. You are responsible for managing default service accounts after they are created.

If your application runs in a Google Cloud environment that has a default service account, your application can use the credentials for the default service account to call Google Cloud APIs. Alternatively, you can create your own user-managed service account and use it to authenticate. For details, see Finding credentials automatically.

The following table lists the services that create default service accounts:

Google-managed service accounts

Some Google Cloud services need access to your resources so that they can act on your behalf. For example, when you use Cloud Run to run a container, the service needs access to any Pub/Sub topics that can trigger the container.

To meet this need, Google creates and manages service accounts for many Google Cloud services. These service accounts are known as Google-managed service accounts. You might see Google-managed service accounts in your project's allow policy, in audit logs, or on the IAM page in the Google Cloud console.

Google-managed service accounts aren't created in your projects, so you won't see them when viewing your projects' service accounts.

Google has the following types of Google-managed service accounts:

• Service-specific service agents
• Google APIs Service Agent
• Role manager for Google-managed service accounts

Visibility

Google-managed service accounts aren't listed in the Service accounts page in the Google Cloud console. These service accounts aren't located in your project, and you can't access them directly.

By default, Google-managed service accounts also aren't listed in the IAM page in the Google Cloud console, even if they've been granted a role on your project. To view role grants for Google-managed service accounts, select the Include Google-provided role grants checkbox.

Service-specific service agents

Service agents are Google-managed service accounts that act on behalf of individual services. In many cases, these service agents are required for services to function properly. For example, service agents are what allow Cloud Logging sinks to write logs to Cloud Storage buckets.

Each service agent is associated with a resource. This resource is typically a project, folder, or organization, though it can also be a service-specific resource—for example, a Cloud SQL instance. This resource defines the scope of the service agent's actions. For example, if a service agent is associated with a project, it will act on behalf of a service for the project and its descendant resources.

You can determine which type of resource a service agent is associated with by looking at its email address:

• If the service agent is associated with a project, folder, or organization, its email address contains the numeric ID for that project, folder, or organization.
• If the service agent is associated with a service-specific resource, its email address contains a numeric project ID and a unique identifier. The numeric project ID indicates which project owns the resource that the service agent is associated with. The unique identifier distinguishes the service agent from other similar service agents in the same project.

Service agent creation

The exact time that a service agent is created depends on what type of resource it's associated with.

Service agents that are associated with a service-specific resource are created when you create the resource. For more information on how to identify and configure these service agents, review the documentation for the associated resource.

Service agents that are associated with projects, folders, and organizations are created as you need them, usually when you first use a service. If necessary, you can also ask Google Cloud to create service agents for a service before you use the service. For more information, see Create and grant roles to service agents.

Service agent roles

Some actions in Google Cloud require service agents to create and access resources on your behalf. For example, when you create a Dataproc cluster, the Dataproc service agent needs permission to create Compute Engine instances in your project in order to create the cluster.

In order get this access, service agents need specific IAM roles. Many project-level service agents are automatically granted the roles that they need. The names of these automatically granted roles typically end in serviceAgent or ServiceAgent. For other service agents, you need to grant them roles so that the service works correctly. To find out which service agents are granted roles automatically, see the service agent reference.

If you ask Google Cloud to create service agents before you use a service, you must grant the service agents the roles that they are typically granted automatically. This is because service agents that are created at a user's request aren't automatically granted roles. If you don't grant the service agents these roles, some services might not function properly. To learn how to grant these roles to service agents, see Create and grant roles to service agents.

Primary service agents

In the service agent reference, some service agents are identified as primary service agents. Primary service agents are service agents whose email address is returned when you trigger service agent creation for a service.

Google APIs Service Agent

Your project's allow policy is likely to refer to a service account named the Google APIs Service Agent, with an email address that uses the following format: project-number@cloudservices.gserviceaccount.com

This service account runs internal Google processes on your behalf. It is automatically granted the Editor role (roles/editor) on the project.

Role manager for Google-managed service accounts

Your audit logs for IAM might refer to the service account service-agent-manager@system.gserviceaccount.com.

This service account manages the roles that are granted to service agents. It is visible only in audit logs.

For example, if you use a new API, Google might automatically create a new service agent and grant it roles on your project. Granting these roles generates an audit log entry, which shows that service-agent-manager@system.gserviceaccount.com set the allow policy for the project.

What's next

• Find out how to create and manage service accounts.
• Learn how to create and manage service account keys.
• Get best practices for working with service accounts.
• Review best practices for managing service account keys.