Connect using service accounts
This document describes how to use a service account to connect to Compute Engine virtual machine (VM) instances using SSH. Setting up SSH for a service account enables you to configure apps to use SSH, which can help you to automate your workloads.
Before you begin
- Create a service account.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
Manually connect to VMs as a service account
To connect to VMs as a service account, use one of the following methods:
Note: If you are connecting from a machine that is hosted outside of Google Cloud, you must directly impersonate the service account.
Directly impersonate service account
To perform this task, you must have the following permissions:
- The roles/iam.serviceAccountTokenCreator role on the service account. For details about how to grant this role on a singular service account, see Manage access to service accounts.
- The compute.projects.setCommonInstanceMetadata permission.
Use the gcloud CLI --impersonate-service-account flag to connect directly to a VM using a service account's identity. Run the following command to connect to a VM as a service account:
gcloud compute ssh VM_NAME \
    --impersonate-service-account=SERVICE_ACCOUNT_EMAIL
Replace the following:
- VM_NAME: the name of the VM that you want to connect to as the service account.
- SERVICE_ACCOUNT_EMAIL: the email address associated with the service account.
Impersonate service account from a VM
To perform this task, you must have the following permissions:
- The roles/iam.serviceAccountUser role on the service account and your user account. For details about how to grant this role on a singular service account, see Manage access to service accounts.
- The compute.projects.setCommonInstanceMetadata permission on the service account and your user account.
You must additionally assign your service account to a VM and set the cloud-platform access scope on the VM.
Impersonate a service account from another VM by doing the following:
- Connect to the VM that runs as a service account.
- From the VM that runs as a service account, connect to other VMs using the same methods.
Note: Connection attempts made from within the VM that runs as the service account use the service account's identity.
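Both connection methods above depend on IAM roles granted on the service account, so anyone who holds them can open SSH sessions as that account. The following added example (not part of the original page or Google's samples) lists those principals from a policy exported with gcloud iam service-accounts get-iam-policy; the sample policy, principal names and function names are constructed for illustration.

```python
import json

# The two roles this page requires for connecting over SSH as a service account.
# Assumption: only these roles are checked; other roles that contain the same
# permissions, and grants inherited from the project, are not covered here.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator": "direct impersonation",
    "roles/iam.serviceAccountUser": "impersonation from a VM",
}
# Member values that cover more than one named principal.
BROAD_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:")

# Constructed sample, shaped like the output of:
#   gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT_EMAIL --format=json
SAMPLE_POLICY = """
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:ops-admin@example.com", "domain:example.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
  {"role": "roles/iam.serviceAccountAdmin",
   "members": ["group:iam-admins@example.com"]}
 ], "etag": "CONSTRUCTED", "version": 3}
"""

def audit_policy(policy_json):
    """Return one finding per (role, member) that allows SSH as the service account."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):  # an empty policy has no "bindings" key
        role = binding.get("role")
        if role not in IMPERSONATION_ROLES:
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "path": IMPERSONATION_ROLES[role],
                "broad": member.startswith(BROAD_PREFIXES),
                "conditional": "condition" in binding,
            })
    return findings

def broad_grants(findings):
    """Members that are not a single named user, group or service account."""
    return sorted({f["member"] for f in findings if f["broad"]})

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f)
```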
What's next
- Learn how to configure apps to use SSH.
- Learn more about how SSH connections work in Compute Engine, including SSH key configuration and storage.
Last updated 2025-12-15 UTC.