Service accounts can be divided into two categories: service accounts that you manage, and service accounts that Google manages. This page describes how each type of service account is created and used.
User-managed service accounts
User-managed service accounts are service accounts that you create in your projects. You can update, disable, enable, and delete these service accounts at your discretion. You can also manage other principals' access to these service accounts.
You can create user-managed service accounts in your project using the IAM API, the Google Cloud console, or the Google Cloud CLI.
By default, you can create up to 100 user-managed service accounts in a project. If this quota does not meet your needs, you can use the Google Cloud console to request a quota increase. Only user-created service accounts count towards this quota—default service accounts and Google-managed service accounts do not.
When you create a user-managed service account in your project, you choose a name for the service account. This name appears in the email address that identifies the service account, which uses the following format:
service-account-name@project-id.iam.gserviceaccount.com
To learn how to create a service account, see Create service accounts.
Default service accounts
Default service accounts are user-managed service accounts that are created automatically when you enable or use certain Google Cloud services. These service accounts let the service deploy jobs that access other Google Cloud resources. You are responsible for managing default service accounts after they are created.
If your application runs in a Google Cloud environment that has a default service account, your application can use the credentials for the default service account to call Google Cloud APIs. Alternatively, you can create your own user-managed service account and use it to authenticate. For details, see Finding credentials automatically.
The following table lists the services that create default service accounts:
| Service | Service account name | Email address |
|---|---|---|
| App Engine, and any Google Cloud service that uses App Engine | App Engine default service account | project-id@appspot.gserviceaccount.com |
| Compute Engine, and any Google Cloud service that uses Compute Engine | Compute Engine default service account |
project-number-compute@developer.gserviceaccount.com
|
Google-managed service accounts
Some Google Cloud services need access to your resources so that they can act on your behalf. For example, when you use Cloud Run to run a container, the service needs access to any Pub/Sub topics that can trigger the container.
To meet this need, Google creates and manages service accounts for many Google Cloud services. These service accounts are known as Google-managed service accounts. You might see Google-managed service accounts in your project's allow policy, in audit logs, or on the IAM page in the Google Cloud console.
Google-managed service accounts aren't created in your projects, so you won't see them when viewing your projects' service accounts.
For example:
Google APIs Service Agent. Your project's allow policy is likely to refer to a service account named the Google APIs Service Agent, with an email address that uses the following format:
project-number@cloudservices.gserviceaccount.comThis service account runs internal Google processes on your behalf. It is automatically granted the Editor role (
roles/editor) on the project.Other service agents. Your project's allow policy might refer to other Google-managed service accounts that act on behalf of individual services. These service accounts are called service agents. Roles might be automatically granted to these service agents; the names of these roles typically end in
serviceAgent.For a complete list of service agents and the roles that are automatically granted to each one, see Service agents.
Role manager for Google-managed service accounts. Your audit logs for IAM might refer to the service account
service-agent-manager@system.gserviceaccount.com.This service account manages the roles that are granted to other Google-managed service accounts. It is visible only in audit logs.
For example, if you use a new API, Google might automatically create a new Google-managed service account and grant roles to the service account on your project. Granting these roles generates an audit log entry, which shows that
service-agent-manager@system.gserviceaccount.comset the allow policy for the project.
Visibility
Google-managed service accounts aren't listed in the Service accounts page in the Google Cloud console. These service accounts aren't located in your project, and you can't access them directly.
By default, Google-managed service accounts also aren't listed in the IAM page in the Google Cloud console, even if they've been granted a role on your project. To view role grants for Google-managed service accounts, select the Include Google-provided role grants checkbox.
What's next
- Find out how to create and manage service accounts.
- Learn how to create and manage service account keys.
- Get best practices for working with service accounts.
- Review best practices for managing service account keys.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free