Some Google Cloud services have Google-managed service accounts that allow the services to access your resources. These service accounts are known as service agents. You might see evidence of these service agents in several different places, including a project's allow policy and audit log entries for various services.
This page provides details about the service agents for all services that are publicly available, including the following:
- The domain name used in the service agent's email address.
The role that the service agent is granted on the project.
After you activate an API that uses the service agent, Google grants the role automatically.
Google can introduce new service agents at any time, both for existing services and for new services. In addition, the format of each service agent's email address is subject to change.
| Display name | Domain | Role |
|---|---|---|
| AI Platform Custom Code Service Agent |
gcp-sa-aiplatform-cc.iam.gserviceaccount.com
|
Vertex AI Custom Code Service Agent ( roles/aiplatform.customCodeServiceAgent)
|
| AI Platform Service Agent |
gcp-sa-aiplatform.iam.gserviceaccount.com
|
Vertex AI Service Agent ( roles/aiplatform.serviceAgent)
|
| ASM Mesh Control Plane Service Account |
gcp-sa-meshcontrolplane.iam.gserviceaccount.com
|
Mesh Managed Control Plane Service Agent ( roles/meshcontrolplane.serviceAgent)
|
| ASM Mesh Data Plane Service Account |
gcp-sa-meshdataplane.iam.gserviceaccount.com
|
Mesh Data Plane Service Agent ( roles/meshdataplane.serviceAgent)
|
| Access Approval Service Agent |
gcp-sa-accessapproval.iam.gserviceaccount.com
|
None |
| AlloyDB Service Account |
gcp-sa-alloydb.iam.gserviceaccount.com
|
AlloyDB Service Agent ( roles/alloydb.serviceAgent)
|
| Anthos Audit Service Account |
gcp-sa-anthosaudit.iam.gserviceaccount.com
|
Anthos Audit Service Agent ( roles/anthosaudit.serviceAgent)
|
| Anthos Config Management Service Account |
gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
|
Anthos Config Management Service Agent ( roles/anthosconfigmanagement.serviceAgent)
|
| Anthos Identity Service Account |
gcp-sa-anthosidentityservice.iam.gserviceaccount.com
|
Anthos Identity Service Agent ( roles/anthosidentityservice.serviceAgent)
|
| Anthos Multi-Cloud Service Agent |
gcp-sa-gkemulticloud.iam.gserviceaccount.com
|
Anthos Multi-Cloud Service Agent ( roles/gkemulticloud.serviceAgent)
|
| Anthos Service Account |
gcp-sa-anthos.iam.gserviceaccount.com
|
Anthos Service Agent ( roles/anthos.serviceAgent)
|
| Anthos Service Mesh Service Account |
gcp-sa-servicemesh.iam.gserviceaccount.com
|
Anthos Service Mesh Service Agent ( roles/anthosservicemesh.serviceAgent)
|
| Anthos Support Service Account |
gcp-sa-anthossupport.iam.gserviceaccount.com
|
Anthos Support Service Agent ( roles/anthossupport.serviceAgent)
|
| Apigee Registry Service Account |
gcp-sa-apigeeregistry.iam.gserviceaccount.com
|
None |
| Apigee Service Agent |
gcp-sa-apigee.iam.gserviceaccount.com
|
Apigee Service Agent ( roles/apigee.serviceAgent)
|
| App Development Experience Service Account |
gcp-sa-appdevexperience.iam.gserviceaccount.com
|
App Development Experience Service Agent ( roles/appdevelopmentexperience.serviceAgent)
|
| App Engine Flexible Environment Service Agent |
gae-api-prod.google.com.iam.gserviceaccount.com
|
App Engine flexible environment Service Agent ( roles/appengineflex.serviceAgent)
|
| App Engine Standard Environment Service Agent |
gcp-gae-service.iam.gserviceaccount.com
|
None |
| Artifact Registry Service Agent |
gcp-sa-artifactregistry.iam.gserviceaccount.com
|
Artifact Registry Service Agent ( roles/artifactregistry.serviceAgent)
|
| AssuredWorkloads Service Account |
gcp-sa-assuredworkloads.iam.gserviceaccount.com
|
Assured Workloads Service Agent ( roles/assuredworkloads.serviceAgent)
|
| AutoML Recommendations Service Account |
gcp-sa-recommendationengine.iam.gserviceaccount.com
|
Recommendations AI Service Agent ( roles/automlrecommendations.serviceAgent)
|
| AutoML Service Agent |
gcp-sa-automl.iam.gserviceaccount.com
|
AutoML Service Agent ( roles/automl.serviceAgent)
|
| Backup for GKE Service Account |
gcp-sa-gkebackup.iam.gserviceaccount.com
|
Backup for GKE Service Agent ( roles/gkebackup.serviceAgent)
|
| Big Query Service Agent |
bigquery-encryption.iam.gserviceaccount.com
|
None |
| BigQuery Connection Service Agent |
gcp-sa-bigqueryconnection.iam.gserviceaccount.com
|
BigQuery Connection Service Agent ( roles/bigqueryconnection.serviceAgent)
|
| BigQuery Data Transfer Service Agent |
gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com
|
BigQuery Data Transfer Service Agent ( roles/bigquerydatatransfer.serviceAgent)
|
| BigQuery Omni Service Agent |
gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com
|
None |
| Binary Authorization Service Agent |
gcp-sa-binaryauthorization.iam.gserviceaccount.com
|
Binary Authorization Service Agent ( roles/binaryauthorization.serviceAgent)
|
| Bundles Service Agent |
gcp-sa-bundles.iam.gserviceaccount.com
|
None |
| Cloud AI Platform Notebooks Service Account |
gcp-sa-notebooks.iam.gserviceaccount.com
|
AI Platform Notebooks Service Agent ( roles/notebooks.serviceAgent)
|
| Cloud API Gateway Management Plane Service Account |
gcp-sa-apigateway-mgmt.iam.gserviceaccount.com
|
Cloud API Gateway Management Service Agent ( roles/apigateway_management.serviceAgent)
|
| Cloud API Gateway Service Account |
gcp-sa-apigateway.iam.gserviceaccount.com
|
Cloud API Gateway Service Agent ( roles/apigateway.serviceAgent)
|
| Cloud Asset Service Agent |
gcp-sa-cloudasset.iam.gserviceaccount.com
|
Cloud Asset Service Agent ( roles/cloudasset.serviceAgent)
|
| Cloud Bigtable Service Agent |
gcp-sa-bigtable.iam.gserviceaccount.com
|
None |
| Cloud Build Service Agent |
cloudbuild.gserviceaccount.com
|
Cloud Build Service Account ( roles/cloudbuild.builds.builder)
|
| Cloud Build Service Agent |
gcp-sa-cloudbuild.iam.gserviceaccount.com
|
Cloud Build Service Agent ( roles/cloudbuild.serviceAgent)
|
| Cloud Certificate Manager Service Account |
gcp-sa-certificatemanager.iam.gserviceaccount.com
|
None |
| Cloud Composer Service Agent |
cloudcomposer-accounts.iam.gserviceaccount.com
|
Cloud Composer API Service Agent ( roles/composer.serviceAgent)
|
| Cloud Config Manager Service Account |
gcp-sa-config.iam.gserviceaccount.com
|
None |
| Cloud Data Fusion Service Account |
gcp-sa-datafusion.iam.gserviceaccount.com
|
Cloud Data Fusion API Service Agent ( roles/datafusion.serviceAgent)
|
| Cloud Data Loss Prevention Service Agent |
dlp-api.iam.gserviceaccount.com
|
DLP API Service Agent ( roles/dlp.serviceAgent)
|
| Cloud DataStream Service Account |
gcp-sa-datastream.iam.gserviceaccount.com
|
None |
| Cloud Database Migration Service Account |
gcp-sa-datamigration.iam.gserviceaccount.com
|
None |
| Cloud Dataflow Service Account |
dataflow-service-producer-prod.iam.gserviceaccount.com
|
Cloud Dataflow Service Agent ( roles/dataflow.serviceAgent)
|
| Cloud Dataplex Service Account |
gcp-sa-dataplex.iam.gserviceaccount.com
|
Cloud Dataplex Service Agent ( roles/dataplex.serviceAgent)
|
| Cloud Deploy Service Account |
gcp-sa-clouddeploy.iam.gserviceaccount.com
|
Cloud Deploy Service Agent ( roles/clouddeploy.serviceAgent)
|
| Cloud Endpoints Service Agent |
gcp-sa-endpoints.iam.gserviceaccount.com
|
Cloud Endpoints Service Agent ( roles/endpoints.serviceAgent)
|
| Cloud File Storage Service Account |
cloud-filer.iam.gserviceaccount.com
|
Cloud Filestore Service Agent ( roles/file.serviceAgent)
|
| Cloud Firestore Service Agent |
gcp-sa-firestore.iam.gserviceaccount.com
|
Firestore Service Agent ( roles/firestore.serviceAgent)
|
| Cloud Healthcare Service Agent |
gcp-sa-healthcare.iam.gserviceaccount.com
|
Healthcare Service Agent ( roles/healthcare.serviceAgent)
|
| Cloud IDS Service Account |
gcp-sa-cloud-ids.iam.gserviceaccount.com
|
None |
| Cloud IoT Core Service Agent |
gcp-sa-cloudiot.iam.gserviceaccount.com
|
Cloud IoT Core Service Agent ( roles/cloudiot.serviceAgent)
|
| Cloud KMS Service Agent |
gcp-sa-cloudkms.iam.gserviceaccount.com
|
Cloud KMS Service Agent ( roles/cloudkms.serviceAgent)
|
| Cloud Life Sciences Service Agent |
gcp-sa-lifesciences.iam.gserviceaccount.com
|
Cloud Life Sciences Service Agent ( roles/lifesciences.serviceAgent)
|
| Cloud Logging Service Account |
gcp-sa-logging.iam.gserviceaccount.com
|
Cloud Logging Service Agent ( roles/logging.serviceAgent)
|
| Cloud Managed Identities Service Agent |
gcp-sa-mi.iam.gserviceaccount.com
|
Cloud Managed Identities Service Agent ( roles/managedidentities.serviceAgent)
|
| Cloud Memorystore Memcache Service Agent |
cloud-memcache-sa.iam.gserviceaccount.com
|
Cloud Memorystore Memcached Service Agent ( roles/memcache.serviceAgent)
|
| Cloud Memorystore Redis Service Agent |
cloud-redis.iam.gserviceaccount.com
|
Cloud Memorystore Redis Service Agent ( roles/redis.serviceAgent)
|
| Cloud Network Management Service Account |
gcp-sa-networkmanagement.iam.gserviceaccount.com
|
GCP Network Management Service Agent ( roles/networkmanagement.serviceAgent)
|
| Cloud Optimization Service Agent |
gcp-sa-cloudoptim.iam.gserviceaccount.com
|
Cloud Optimization Service Agent ( roles/cloudoptimization.serviceAgent)
|
| Cloud Pub/Sub Service Account |
gcp-sa-pubsub.iam.gserviceaccount.com
|
Cloud Pub/Sub Service Agent ( roles/pubsub.serviceAgent)
|
| Cloud Risk Manager Service Agent |
gcp-sa-riskmanager.iam.gserviceaccount.com
|
None |
| Cloud SQL Service Account |
gcp-sa-cloud-sql.iam.gserviceaccount.com
|
Cloud SQL Service Agent ( roles/cloudsql.serviceAgent)
|
| Cloud SQL Service Agent |
gcp-sa-cloud-sql.iam.gserviceaccount.com
|
None |
| Cloud Scheduler Service Account |
gcp-sa-cloudscheduler.iam.gserviceaccount.com
|
Cloud Scheduler Service Agent ( roles/cloudscheduler.serviceAgent)
|
| Cloud Security Command Center Notification Service Account |
gcp-sa-scc-notification.iam.gserviceaccount.com
|
Security Center Notification Service Agent ( roles/securitycenter.notificationServiceAgent)
|
| Cloud Security Command Center Service Agent |
security-center-api.iam.gserviceaccount.com
|
None |
| Cloud Source Repositories Service Agent |
sourcerepo-service-accounts.iam.gserviceaccount.com
|
Cloud Source Repositories Service Agent ( roles/sourcerepo.serviceAgent)
|
| Cloud Spanner Production Service Account |
gcp-sa-spanner.iam.gserviceaccount.com
|
None |
| Cloud Storage for Firebase Service Agent |
gcp-sa-firebasestorage.iam.gserviceaccount.com
|
Cloud Storage for Firebase Service Agent ( roles/firebasestorage.serviceAgent)
|
| Cloud Tasks Service Account |
gcp-sa-cloudtasks.iam.gserviceaccount.com
|
Cloud Tasks Service Agent ( roles/cloudtasks.serviceAgent)
|
| Cloud Trace Service Account |
gcp-sa-cloud-trace.iam.gserviceaccount.com
|
None |
| Cloud Translation Service Agent |
gcp-sa-translation.iam.gserviceaccount.com
|
Cloud Translation API Service Agent ( roles/cloudtranslate.serviceAgent)
|
| Cloud VM Migration Service Account |
gcp-sa-vmmigration.iam.gserviceaccount.com
|
None |
| Cloud Web Security Scanner Service Agent |
gcp-sa-websecurityscanner.iam.gserviceaccount.com
|
Cloud Web Security Scanner Service Agent ( roles/websecurityscanner.serviceAgent)
|
| Cloud Workflows Service Agent |
gcp-sa-workflows.iam.gserviceaccount.com
|
Cloud Workflows Service Agent ( roles/workflows.serviceAgent)
|
| Compute Engine Service Agent |
compute-system.iam.gserviceaccount.com
|
Compute Engine Service Agent ( roles/compute.serviceAgent)
|
| Connectors Service Account |
gcp-sa-connectors.iam.gserviceaccount.com
|
None |
| Contact Center AI Insights Service Account |
gcp-sa-contactcenterinsights.iam.gserviceaccount.com
|
Contact Center AI Insights Service Agent ( roles/contactcenterinsights.serviceAgent)
|
| Container Analysis Service Agent |
container-analysis.iam.gserviceaccount.com
|
Container Analysis Service Agent ( roles/containeranalysis.ServiceAgent)
|
| Container Scanning Service Agent |
gcp-sa-containerscanning.iam.gserviceaccount.com
|
Container Scanner Service Agent ( roles/containerscanning.ServiceAgent)
|
| Container Threat Detection Service Agent |
gcp-sa-ktd-control.iam.gserviceaccount.com
|
Container Threat Detection Service Agent ( roles/containerthreatdetection.serviceAgent)
|
| Data Connectors Service Account |
gcp-sa-dataconnectors.iam.gserviceaccount.com
|
Data Connectors Service Agent ( roles/dataconnectors.serviceAgent)
|
| Data Labeling Service Account |
gcp-sa-datalabeling.iam.gserviceaccount.com
|
Data Labeling Service Agent ( roles/datalabeling.serviceAgent)
|
| Data Pipelines Service Agent |
gcp-sa-datapipelines.iam.gserviceaccount.com
|
Datapipelines Service Agent ( roles/datapipelines.serviceAgent)
|
| Data Studio Service Account |
gcp-sa-datastudio.iam.gserviceaccount.com
|
Data Studio Service Agent ( roles/datastudio.serviceAgent)
|
| Dataproc Metastore Service Account |
gcp-sa-metastore.iam.gserviceaccount.com
|
Dataproc Metastore Service Agent ( roles/metastore.serviceAgent)
|
| Deprecated Monitoring Service Account |
gcp-sa-monitoring.iam.gserviceaccount.com
|
None |
| Dialogflow Service Agent |
gcp-sa-dialogflow.iam.gserviceaccount.com
|
Dialogflow Service Agent ( roles/dialogflow.serviceAgent)
|
| DocumentAI Core Service Agent |
gcp-sa-prod-dai-core.iam.gserviceaccount.com
|
DocumentAI Core Service Agent ( roles/documentaicore.serviceAgent)
|
| Edge Container Service Agent |
gcp-sa-edgecontainer.iam.gserviceaccount.com
|
None |
| Endpoints Consumer Portal Service Agent |
endpoints-portal.iam.gserviceaccount.com
|
Endpoints Portal Service Agent ( roles/endpointsportal.serviceAgent)
|
| Eventarc Service Agent |
gcp-sa-eventarc.iam.gserviceaccount.com
|
Eventarc Service Agent ( roles/eventarc.serviceAgent)
|
| External Key Management Service Service Account |
gcp-sa-ekms.iam.gserviceaccount.com
|
None |
| Firebase App Check Service Account |
gcp-sa-firebaseappcheck.iam.gserviceaccount.com
|
Firebase App Check Service Agent ( roles/firebaseappcheck.serviceAgent)
|
| Firebase Extensions Service Agent |
gcp-sa-firebasemods.iam.gserviceaccount.com
|
Firebase Extensions API Service Agent ( roles/firebasemods.serviceAgent)
|
| Firebase Management Service Agent |
gcp-sa-firebase.iam.gserviceaccount.com
|
Firebase Service Management Service Agent ( roles/firebase.managementServiceAgent)
|
| Firebase Realtime Database Service Agent |
gcp-sa-firebasedatabase.iam.gserviceaccount.com
|
None |
| Firebase Rules Service Agent |
firebase-rules.iam.gserviceaccount.com
|
None |
| Firewall Insights Service Account |
gcp-sa-firewallinsights.iam.gserviceaccount.com
|
Cloud Firewall Insights Service Agent ( roles/firewallinsights.serviceAgent)
|
| G Suite Add-ons Service Account |
gcp-sa-gsuiteaddons.iam.gserviceaccount.com
|
None |
| GCP Workload Certificate Service Account |
gcp-sa-workloadcert.iam.gserviceaccount.com
|
Workload Certificate Service Agent ( roles/workloadcertificate.serviceAgent)
|
| GKE Hub API Service Account |
gcp-sa-gkehub.iam.gserviceaccount.com
|
GKE Hub Service Agent ( roles/gkehub.serviceAgent)
|
| Game Services Agent |
gcp-sa-gameservices.iam.gserviceaccount.com
|
Game Services Service Agent ( roles/gameservices.serviceAgent)
|
| Gke On-Prem Service Account |
gcp-sa-gkeonprem.iam.gserviceaccount.com
|
None |
| Google Cloud Dataproc Service Agent |
dataproc-accounts.iam.gserviceaccount.com
|
Dataproc Service Agent ( roles/dataproc.serviceAgent)
|
| Google Cloud Functions Service Agent |
gcf-admin-robot.iam.gserviceaccount.com
|
Cloud Functions Service Agent ( roles/cloudfunctions.serviceAgent)
|
| Google Cloud ML Engine Service Agent |
cloud-ml.google.com.iam.gserviceaccount.com
|
AI Platform Service Agent ( roles/ml.serviceAgent)
|
| Google Cloud OS Config Service Agent |
gcp-sa-osconfig.iam.gserviceaccount.com
|
Cloud OS Config Service Agent ( roles/osconfig.serviceAgent)
|
| Google Cloud Run Service Agent |
serverless-robot-prod.iam.gserviceaccount.com
|
Cloud Run Service Agent ( roles/run.serviceAgent)
|
| Google Container Registry Service Agent |
containerregistry.iam.gserviceaccount.com
|
Container Registry Service Agent ( roles/containerregistry.ServiceAgent)
|
| Google Genomics Service Agent |
genomics-api.google.com.iam.gserviceaccount.com
|
Genomics Service Agent ( roles/genomics.serviceAgent)
|
| Google Storage Service Agent |
gs-project-accounts.iam.gserviceaccount.com
|
None |
| IAP Service Account |
gcp-sa-iap.iam.gserviceaccount.com
|
None |
| Integrations Service Agent |
gcp-sa-integrations.iam.gserviceaccount.com
|
Integrations Service Agent ( roles/integrations.serviceAgent)
|
| KRM API Hosting Service Account |
gcp-sa-krmapihosting.iam.gserviceaccount.com
|
None |
| KRM API Hosting Service Account |
gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com
|
None |
| Kubernetes Engine Node Service Agent |
gcp-sa-gkenode.iam.gserviceaccount.com
|
None |
| Kubernetes Engine Service Agent |
container-engine-robot.iam.gserviceaccount.com
|
Kubernetes Engine Service Agent ( roles/container.serviceAgent)
|
| Livestream Service Account |
gcp-sa-livestream.iam.gserviceaccount.com
|
Live Stream Service Agent ( roles/livestream.serviceAgent)
|
| Logging Service Agent |
gcp-sa-logging.iam.gserviceaccount.com
|
None |
| Mesh Config Service Account |
gcp-sa-meshconfig.iam.gserviceaccount.com
|
Mesh Config Service Agent ( roles/meshconfig.serviceAgent)
|
| Monitoring Service Account |
gcp-sa-monitoring-notification.iam.gserviceaccount.com
|
Monitoring Service Agent ( roles/monitoring.notificationServiceAgent)
|
| Multi Cluster Ingress Service Account |
gcp-sa-multiclusteringress.iam.gserviceaccount.com
|
Multi Cluster Ingress Service Agent ( roles/multiclusteringress.serviceAgent)
|
| Multi cluster metering Service Account |
gcp-sa-mcmetering.iam.gserviceaccount.com
|
Multi-cluster metering Service Agent ( roles/multiclustermetering.serviceAgent)
|
| Multi-cluster Service Discovery Service Account |
gcp-sa-mcsd.iam.gserviceaccount.com
|
None |
| Network Connectivity Service Account |
gcp-sa-networkconnectivity.iam.gserviceaccount.com
|
None |
| On-Demand Scanning Service Account |
gcp-sa-ondemandscanning.iam.gserviceaccount.com
|
None |
| Playbook Runner Service Agent |
gcp-sa-playbooks.iam.gserviceaccount.com
|
None |
| Private CA Service Account |
gcp-sa-privateca.iam.gserviceaccount.com
|
None |
| Pub/Sub Lite Service Account |
gcp-sa-pubsublite.iam.gserviceaccount.com
|
None |
| Remote Build Execution Service Agent |
gcp-sa-rbe.iam.gserviceaccount.com
|
None |
| Remote Build Execution Service Agent |
remotebuildexecution.iam.gserviceaccount.com
|
Remote Build Execution Service Agent ( roles/remotebuildexecution.serviceAgent)
|
| Retail Service Account |
gcp-sa-retail.iam.gserviceaccount.com
|
Retail Service Agent ( roles/retail.serviceAgent)
|
| Secret Manager Service Account |
gcp-sa-secretmanager.iam.gserviceaccount.com
|
None |
| Secured Landing Zone Service Account |
gcp-sa-slz.iam.gserviceaccount.com
|
Secured Landing Zone Service Agent ( roles/securedlandingzone.serviceAgent)
|
| Serverless VPC Access Service Agent |
gcp-sa-vpcaccess.iam.gserviceaccount.com
|
Serverless VPC Access Service Agent ( roles/vpcaccess.serviceAgent)
|
| Service Consumer Management Service Agent |
service-consumer-management.iam.gserviceaccount.com
|
None |
| Service Directory Service Account |
gcp-sa-servicedirectory.iam.gserviceaccount.com
|
Service Directory Service Agent ( roles/servicedirectory.serviceAgent)
|
| Service Networking Service Agent |
service-networking.iam.gserviceaccount.com
|
Service Networking Service Agent ( roles/servicenetworking.serviceAgent)
|
| Speech-to-Text Service Account |
gcp-sa-speech.iam.gserviceaccount.com
|
Cloud Speech-to-Text Service Agent ( roles/speech.serviceAgent)
|
| Storage Transfer Service Service Agent |
storage-transfer-service.iam.gserviceaccount.com
|
None |
| Stream Service Account |
gcp-sa-stream.iam.gserviceaccount.com
|
None |
| TPU Service Agent |
cloud-tpu.iam.gserviceaccount.com
|
Cloud TPU API Service Agent ( roles/tpu.serviceAgent)
|
| TPU Service Agent (v2) |
gcp-sa-tpu.iam.gserviceaccount.com
|
Cloud TPU V2 API Service Agent ( roles/cloudtpu.serviceAgent)
|
| Transcoder Service Account |
gcp-sa-transcoder.iam.gserviceaccount.com
|
Transcoder Service Agent ( roles/transcoder.serviceAgent)
|
| Transfer Appliance Service Account |
gcp-sa-transferappliance.iam.gserviceaccount.com
|
None |
| VMwareEngine Service Account |
gcp-sa-vmwareengine.iam.gserviceaccount.com
|
None |
| Virtual Machine Threat Detection Service Account |
gcp-sa-scc-vmtd.iam.gserviceaccount.com
|
None |