Some Google Cloud services have Google-managed service accounts that allow the services to access your resources. These service accounts are sometimes known as service agents. You might see evidence of these service agents in several different places, including a project's Identity and Access Management (IAM) policy and audit log entries for various services.
This page provides details about the service agents for all services that are publicly available, including the following:
- The domain name used in the service agent's email address.
The role that the service agent is granted on the project.
After you activate an API that uses the service agent, Google grants the role automatically.
Google can introduce new service agents at any time, both for existing services and for new services. In addition, the format of each service agent's email address is subject to change.
| Display name | Domain | Role |
|---|---|---|
| AI Platform Custom Code Service Agent |
gcp-sa-aiplatform-cc.iam.gserviceaccount.com
|
Vertex AI Custom Code Service Agent ( roles/aiplatform.customCodeServiceAgent)
|
| AI Platform Service Agent |
gcp-sa-aiplatform.iam.gserviceaccount.com
|
Vertex AI Service Agent ( roles/aiplatform.serviceAgent)
|
| ASM Mesh Control Plane Service Account |
gcp-sa-meshcontrolplane.iam.gserviceaccount.com
|
None |
| ASM Mesh Data Plane Service Account |
gcp-sa-meshdataplane.iam.gserviceaccount.com
|
Mesh Data Plane Service Agent ( roles/meshdataplane.serviceAgent)
|
| Anthos Audit Service Account |
gcp-sa-anthosaudit.iam.gserviceaccount.com
|
Anthos Audit Service Agent ( roles/anthosaudit.serviceAgent)
|
| Anthos Config Management Service Account |
gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
|
Anthos Config Management Service Agent ( roles/anthosconfigmanagement.serviceAgent)
|
| Anthos Identity Service Account |
gcp-sa-anthosidentityservice.iam.gserviceaccount.com
|
Anthos Identity Service Agent ( roles/anthosidentityservice.serviceAgent)
|
| Anthos Service Account |
gcp-sa-anthos.iam.gserviceaccount.com
|
Anthos Service Agent ( roles/anthos.serviceAgent)
|
| Anthos Service Mesh Service Account |
gcp-sa-servicemesh.iam.gserviceaccount.com
|
Anthos Service Mesh Service Agent ( roles/anthosservicemesh.serviceAgent)
|
| Anthos Support Service Account |
gcp-sa-anthossupport.iam.gserviceaccount.com
|
None |
| Apigee Service Agent |
gcp-sa-apigee.iam.gserviceaccount.com
|
Apigee Service Agent ( roles/apigee.serviceAgent)
|
| App Development Experience Service Account |
gcp-sa-appdevexperience.iam.gserviceaccount.com
|
App Development Experience Service Agent ( roles/appdevelopmentexperience.serviceAgent)
|
| App Engine Flexible Environment Service Agent |
gae-api-prod.google.com.iam.gserviceaccount.com
|
App Engine flexible environment Service Agent ( roles/appengineflex.serviceAgent)
|
| App Engine Standard Environment Service Agent |
gcp-gae-service.iam.gserviceaccount.com
|
None |
| Artifact Registry Service Agent |
gcp-sa-artifactregistry.iam.gserviceaccount.com
|
Artifact Registry Service Agent ( roles/artifactregistry.serviceAgent)
|
| AssuredWorkloads Service Account |
gcp-sa-assuredworkloads.iam.gserviceaccount.com
|
Assured Workloads Service Agent ( roles/assuredworkloads.serviceAgent)
|
| AutoML Recommendations Service Account |
gcp-sa-recommendationengine.iam.gserviceaccount.com
|
Recommendations AI Service Agent ( roles/automlrecommendations.serviceAgent)
|
| AutoML Service Agent |
gcp-sa-automl.iam.gserviceaccount.com
|
AutoML Service Agent ( roles/automl.serviceAgent)
|
| BigQuery Connection Service Agent |
gcp-sa-bigqueryconnection.iam.gserviceaccount.com
|
BigQuery Connection Service Agent ( roles/bigqueryconnection.serviceAgent)
|
| BigQuery Data Transfer Service Agent |
gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com
|
BigQuery Data Transfer Service Agent ( roles/bigquerydatatransfer.serviceAgent)
|
| BigQuery Omni Service Agent |
gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com
|
None |
| Binary Authorization Service Agent |
gcp-sa-binaryauthorization.iam.gserviceaccount.com
|
Binary Authorization Service Agent ( roles/binaryauthorization.serviceAgent)
|
| Cloud AI Platform Notebooks Service Account |
gcp-sa-notebooks.iam.gserviceaccount.com
|
AI Platform Notebooks Service Agent ( roles/notebooks.serviceAgent)
|
| Cloud API Gateway Management Plane Service Account |
gcp-sa-apigateway-mgmt.iam.gserviceaccount.com
|
Cloud API Gateway Management Service Agent ( roles/apigateway_management.serviceAgent)
|
| Cloud API Gateway Service Account |
gcp-sa-apigateway.iam.gserviceaccount.com
|
Cloud API Gateway Service Agent ( roles/apigateway.serviceAgent)
|
| Cloud Asset Service Agent |
gcp-sa-cloudasset.iam.gserviceaccount.com
|
Cloud Asset Service Agent ( roles/cloudasset.serviceAgent)
|
| Cloud Bigtable Service Agent |
gcp-sa-bigtable.iam.gserviceaccount.com
|
None |
| Cloud Build Service Agent |
cloudbuild.gserviceaccount.com
|
Cloud Build Service Account ( roles/cloudbuild.builds.builder)
|
| Cloud Build Service Agent |
gcp-sa-cloudbuild.iam.gserviceaccount.com
|
Cloud Build Service Agent ( roles/cloudbuild.serviceAgent)
|
| Cloud Composer Service Agent |
cloudcomposer-accounts.iam.gserviceaccount.com
|
Cloud Composer API Service Agent ( roles/composer.serviceAgent)
|
| Cloud Data Fusion Service Account |
gcp-sa-datafusion.iam.gserviceaccount.com
|
Cloud Data Fusion API Service Agent ( roles/datafusion.serviceAgent)
|
| Cloud Data Loss Prevention Service Agent |
dlp-api.iam.gserviceaccount.com
|
DLP API Service Agent ( roles/dlp.serviceAgent)
|
| Cloud DataStream Service Account |
gcp-sa-datastream.iam.gserviceaccount.com
|
None |
| Cloud Database Migration Service Account |
gcp-sa-datamigration.iam.gserviceaccount.com
|
None |
| Cloud Dataflow Service Account |
dataflow-service-producer-prod.iam.gserviceaccount.com
|
Cloud Dataflow Service Agent ( roles/dataflow.serviceAgent)
|
| Cloud Endpoints Service Agent |
gcp-sa-endpoints.iam.gserviceaccount.com
|
Cloud Endpoints Service Agent ( roles/endpoints.serviceAgent)
|
| Cloud File Storage Service Account |
cloud-filer.iam.gserviceaccount.com
|
Cloud Filestore Service Agent ( roles/file.serviceAgent)
|
| Cloud Firestore Service Agent |
gcp-sa-firestore.iam.gserviceaccount.com
|
Firestore Service Agent ( roles/firestore.serviceAgent)
|
| Cloud Firestore Service Agent |
gcp-sa-firestore.iam.gserviceaccount.com
|
Firestore Service Agent ( roles/firestore.serviceAgent)
|
| Cloud Healthcare Service Agent |
gcp-sa-healthcare.iam.gserviceaccount.com
|
Healthcare Service Agent ( roles/healthcare.serviceAgent)
|
| Cloud IDS Service Account |
gcp-sa-cloud-ids.iam.gserviceaccount.com
|
None |
| Cloud IoT Core Service Agent |
gcp-sa-cloudiot.iam.gserviceaccount.com
|
Cloud IoT Core Service Agent ( roles/cloudiot.serviceAgent)
|
| Cloud KMS Service Agent |
gcp-sa-cloudkms.iam.gserviceaccount.com
|
Cloud KMS Service Agent ( roles/cloudkms.serviceAgent)
|
| Cloud Life Sciences Service Agent |
gcp-sa-lifesciences.iam.gserviceaccount.com
|
Cloud Life Sciences Service Agent ( roles/lifesciences.serviceAgent)
|
| Cloud Logging Service Account |
gcp-sa-logging.iam.gserviceaccount.com
|
Cloud Logging Service Agent ( roles/logging.serviceAgent)
|
| Cloud Managed Identities Service Agent |
gcp-sa-mi.iam.gserviceaccount.com
|
Cloud Managed Identities Service Agent ( roles/managedidentities.serviceAgent)
|
| Cloud Memorystore Memcache Service Agent |
cloud-memcache-sa.iam.gserviceaccount.com
|
Cloud Memorystore Memcached Service Agent ( roles/memcache.serviceAgent)
|
| Cloud Memorystore Redis Service Agent |
cloud-redis.iam.gserviceaccount.com
|
Cloud Memorystore Redis Service Agent ( roles/redis.serviceAgent)
|
| Cloud Network Management Service Account |
gcp-sa-networkmanagement.iam.gserviceaccount.com
|
GCP Network Management Service Agent ( roles/networkmanagement.serviceAgent)
|
| Cloud Pub/Sub Service Account |
gcp-sa-pubsub.iam.gserviceaccount.com
|
Cloud Pub/Sub Service Agent ( roles/pubsub.serviceAgent)
|
| Cloud SQL Service Account |
gcp-sa-cloud-sql.iam.gserviceaccount.com
|
Cloud SQL Service Agent ( roles/cloudsql.serviceAgent)
|
| Cloud Scheduler Service Account |
gcp-sa-cloudscheduler.iam.gserviceaccount.com
|
Cloud Scheduler Service Agent ( roles/cloudscheduler.serviceAgent)
|
| Cloud Security Command Center Notification Service Account |
gcp-sa-scc-notification.iam.gserviceaccount.com
|
Security Center Notification Service Agent ( roles/securitycenter.notificationServiceAgent)
|
| Cloud Source Repositories Service Agent |
sourcerepo-service-accounts.iam.gserviceaccount.com
|
Cloud Source Repositories Service Agent ( roles/sourcerepo.serviceAgent)
|
| Cloud Spanner Production Service Account |
gcp-sa-spanner.iam.gserviceaccount.com
|
None |
| Cloud Storage for Firebase Service Agent |
gcp-sa-firebasestorage.iam.gserviceaccount.com
|
Cloud Storage for Firebase Service Agent ( roles/firebasestorage.serviceAgent)
|
| Cloud Tasks Service Account |
gcp-sa-cloudtasks.iam.gserviceaccount.com
|
Cloud Tasks Service Agent ( roles/cloudtasks.serviceAgent)
|
| Cloud Trace Service Account |
gcp-sa-cloud-trace.iam.gserviceaccount.com
|
None |
| Cloud Translation Service Agent |
gcp-sa-translation.iam.gserviceaccount.com
|
Cloud Translation API Service Agent ( roles/cloudtranslate.serviceAgent)
|
| Cloud VM Migration Service Account |
gcp-sa-vmmigration.iam.gserviceaccount.com
|
None |
| Cloud Web Security Scanner Service Agent |
gcp-sa-websecurityscanner.iam.gserviceaccount.com
|
Cloud Web Security Scanner Service Agent ( roles/websecurityscanner.serviceAgent)
|
| Cloud Workflows Service Agent |
gcp-sa-workflows.iam.gserviceaccount.com
|
Cloud Workflows Service Agent ( roles/workflows.serviceAgent)
|
| Compute Engine Service Agent |
compute-system.iam.gserviceaccount.com
|
Compute Engine Service Agent ( roles/compute.serviceAgent)
|
| Contact Center AI Insights Service Account |
gcp-sa-contactcenterinsights.iam.gserviceaccount.com
|
Contact Center AI Insights Service Agent ( roles/contactcenterinsights.serviceAgent)
|
| Container Analysis Service Agent |
container-analysis.iam.gserviceaccount.com
|
Container Analysis Service Agent ( roles/containeranalysis.ServiceAgent)
|
| Container Scanning Service Agent |
gcp-sa-containerscanning.iam.gserviceaccount.com
|
Container Scanner Service Agent ( roles/containerscanning.ServiceAgent)
|
| Container Threat Detection Service Agent |
gcp-sa-ktd-control.iam.gserviceaccount.com
|
Container Threat Detection Service Agent ( roles/containerthreatdetection.serviceAgent)
|
| Data Labeling Service Account |
gcp-sa-datalabeling.iam.gserviceaccount.com
|
Data Labeling Service Agent ( roles/datalabeling.serviceAgent)
|
| Data Pipelines Service Agent |
gcp-sa-datapipelines.iam.gserviceaccount.com
|
Datapipelines Service Agent ( roles/datapipelines.serviceAgent)
|
| Data Studio Service Account |
gcp-sa-datastudio.iam.gserviceaccount.com
|
Data Studio Service Agent ( roles/datastudio.serviceAgent)
|
| Dataproc Metastore Service Account |
gcp-sa-metastore.iam.gserviceaccount.com
|
Dataproc Metastore Service Agent ( roles/metastore.serviceAgent)
|
| Dialogflow Service Agent |
gcp-sa-dialogflow.iam.gserviceaccount.com
|
Dialogflow Service Agent ( roles/dialogflow.serviceAgent)
|
| DocumentAI Core Service Agent |
gcp-sa-prod-dai-core.iam.gserviceaccount.com
|
DocumentAI Core Service Agent ( roles/documentaicore.serviceAgent)
|
| Endpoints Consumer Portal Service Agent |
endpoints-portal.iam.gserviceaccount.com
|
Endpoints Portal Service Agent ( roles/endpointsportal.serviceAgent)
|
| Eventarc Service Agent |
gcp-sa-eventarc.iam.gserviceaccount.com
|
Eventarc Service Agent ( roles/eventarc.serviceAgent)
|
| External Key Management Service Service Account |
gcp-sa-ekms.iam.gserviceaccount.com
|
None |
| Firebase Extensions Service Agent |
gcp-sa-firebasemods.iam.gserviceaccount.com
|
Firebase Extensions API Service Agent ( roles/firebasemods.serviceAgent)
|
| Firebase Rules Service Agent |
firebase-rules.iam.gserviceaccount.com
|
None |
| Firewall Insights Service Account |
gcp-sa-firewallinsights.iam.gserviceaccount.com
|
Cloud Firewall Insights Service Agent ( roles/firewallinsights.serviceAgent)
|
| G Suite Add-ons Service Account |
gcp-sa-gsuiteaddons.iam.gserviceaccount.com
|
None |
| GKE Hub API Service Account |
gcp-sa-gkehub.iam.gserviceaccount.com
|
GKE Hub Service Agent ( roles/gkehub.serviceAgent)
|
| Game Services Agent |
gcp-sa-gameservices.iam.gserviceaccount.com
|
Game Services Service Agent ( roles/gameservices.serviceAgent)
|
| Google Cloud Dataproc Service Agent |
dataproc-accounts.iam.gserviceaccount.com
|
Dataproc Service Agent ( roles/dataproc.serviceAgent)
|
| Google Cloud Functions Service Agent |
gcf-admin-robot.iam.gserviceaccount.com
|
Cloud Functions Service Agent ( roles/cloudfunctions.serviceAgent)
|
| Google Cloud ML Engine Service Agent |
cloud-ml.google.com.iam.gserviceaccount.com
|
AI Platform Service Agent ( roles/ml.serviceAgent)
|
| Google Cloud OS Config Service Agent |
gcp-sa-osconfig.iam.gserviceaccount.com
|
Cloud OS Config Service Agent ( roles/osconfig.serviceAgent)
|
| Google Cloud Run Service Agent |
serverless-robot-prod.iam.gserviceaccount.com
|
Cloud Run Service Agent ( roles/run.serviceAgent)
|
| Google Container Registry Service Agent |
containerregistry.iam.gserviceaccount.com
|
Container Registry Service Agent ( roles/containerregistry.ServiceAgent)
|
| Google Genomics Service Agent |
genomics-api.google.com.iam.gserviceaccount.com
|
Genomics Service Agent ( roles/genomics.serviceAgent)
|
| KRM API Hosting Service Account |
gcp-sa-krmapihosting.iam.gserviceaccount.com
|
None |
| KRM API Hosting Service Account |
gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com
|
None |
| Kubernetes Engine Service Agent |
container-engine-robot.iam.gserviceaccount.com
|
Kubernetes Engine Service Agent ( roles/container.serviceAgent)
|
| Mesh Config Service Account |
gcp-sa-meshconfig.iam.gserviceaccount.com
|
Mesh Config Service Agent ( roles/meshconfig.serviceAgent)
|
| Monitoring Notification Service Account |
gcp-sa-monitoring-notification.iam.gserviceaccount.com
|
Monitoring Notification Service Agent ( roles/monitoring.notificationServiceAgent)
|
| Monitoring Service Account |
gcp-sa-monitoring.iam.gserviceaccount.com
|
None |
| Multi Cluster Ingress Service Account |
gcp-sa-multiclusteringress.iam.gserviceaccount.com
|
Multi Cluster Ingress Service Agent ( roles/multiclusteringress.serviceAgent)
|
| Multi cluster metering Service Account |
gcp-sa-mcmetering.iam.gserviceaccount.com
|
Multi-cluster metering Service Agent ( roles/multiclustermetering.serviceAgent)
|
| Multi-cluster Service Discovery Service Account |
gcp-sa-mcsd.iam.gserviceaccount.com
|
None |
| Network Connectivity Service Account |
gcp-sa-networkconnectivity.iam.gserviceaccount.com
|
None |
| On-Demand Scanning Service Account |
gcp-sa-ondemandscanning.iam.gserviceaccount.com
|
None |
| Private CA Service Account |
gcp-sa-privateca.iam.gserviceaccount.com
|
None |
| Remote Build Execution Service Agent |
gcp-sa-rbe.iam.gserviceaccount.com
|
None |
| Remote Build Execution Service Agent |
remotebuildexecution.iam.gserviceaccount.com
|
Remote Build Execution Service Agent ( roles/remotebuildexecution.serviceAgent)
|
| Retail Service Account |
gcp-sa-retail.iam.gserviceaccount.com
|
Retail Service Agent ( roles/retail.serviceAgent)
|
| Secret Manager Service Account |
gcp-sa-secretmanager.iam.gserviceaccount.com
|
None |
| Secured Landing Zone Service Account |
gcp-sa-slz.iam.gserviceaccount.com
|
Secured Landing Zone Service Agent ( roles/securedlandingzone.serviceAgent)
|
| Serverless VPC Access Service Agent |
gcp-sa-vpcaccess.iam.gserviceaccount.com
|
Serverless VPC Access Service Agent ( roles/vpcaccess.serviceAgent)
|
| Service Consumer Management Service Agent |
service-consumer-management.iam.gserviceaccount.com
|
None |
| Service Directory Service Account |
gcp-sa-servicedirectory.iam.gserviceaccount.com
|
Service Directory Service Agent ( roles/servicedirectory.serviceAgent)
|
| Service Networking Service Agent |
service-networking.iam.gserviceaccount.com
|
Service Networking Service Agent ( roles/servicenetworking.serviceAgent)
|
| TPU Service Agent |
cloud-tpu.iam.gserviceaccount.com
|
Cloud TPU API Service Agent ( roles/tpu.serviceAgent)
|
| TPU Service Agent (v2) |
gcp-sa-tpu.iam.gserviceaccount.com
|
Cloud TPU V2 API Service Agent ( roles/cloudtpu.serviceAgent)
|
| Transcoder Service Account |
gcp-sa-transcoder.iam.gserviceaccount.com
|
Transcoder Service Agent ( roles/transcoder.serviceAgent)
|
| VMwareEngine Service Account |
gcp-sa-vmwareengine.iam.gserviceaccount.com
|
None |
| Virtual Machine Threat Detection Service Account |
gcp-sa-scc-vmtd.iam.gserviceaccount.com
|
None |