Set up ADC for a resource with an attached service account
Some Google Cloud services, such as Compute Engine, App Engine, and Cloud Run functions, support attaching a user-managed service account to some types of resources. Generally, attaching a service account is supported when that service's resources can run or include application code. When you attach a service account to a resource, the code running on the resource can use that service account as its identity.
Attaching a user-managed service account is the preferred way to providecredentials to ADC for production code running on Google Cloud.
Note: Many of these Google Cloud services also provide a default service account. Using the default service account is not recommended, because the default service account is highly privileged by default (the Compute Engine default service account, for example, is granted the basic Editor role on the project unless your organization disables that grant), which violates the principle of least privilege. For help determining the roles that you need to provide to your service account, see Choose predefined roles.
For information about which resources you can attach a service account to, and help with attaching the service account to the resource, see the IAM documentation on attaching a service account.
Set up authentication:
- Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator) and the Project IAM Admin role (roles/resourcemanager.projectIamAdmin). Learn how to grant roles.
- Create the service account:
    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
  Replace SERVICE_ACCOUNT_NAME with a name for the service account. The resulting service account has the email address SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com, which the following steps use as the principal identifier.
- To provide access to your project and your resources, grant a role to the service account:
    gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE
  Replace the following:
  SERVICE_ACCOUNT_NAME: the name of the service account
  PROJECT_ID: the project ID where you created the service account
  ROLE: the role to grant
  The --role flag affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles: any code running on the resource, and anyone who can attach the service account, inherits the full scope of those basic roles. Instead, grant a predefined role or custom role that meets your needs.
- To grant another role to the service account, run the command as you did in the previous step.
- Grant the required role to the principal that will attach the service account to other resources:
    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com --member="user:USER_EMAIL" --role=roles/iam.serviceAccountUser
  Replace the following:
  SERVICE_ACCOUNT_NAME: the name of the service account
  PROJECT_ID: the project ID where you created the service account
  USER_EMAIL: the email address for a Google Account
  This command grants the Service Account User role on the service account itself, not on the project. Granting roles/iam.serviceAccountUser at the project level instead would let the principal attach (and act as) every service account in the project, so keep the binding scoped to the one service account the principal needs.
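The steps above leave you with a service account that code on the resource will use as its identity, so before attaching it, it is worth checking two things: that the roles bound to the service account on the project do not include the basic Owner, Editor, or Viewer roles, and that the deploying principal holds roles/iam.serviceAccountUser on the service account itself. The following Python script is an added example, not code from this page or from Google. It assumes the JSON shape returned by "gcloud projects get-iam-policy PROJECT_ID --format=json" and "gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json" (a top-level "bindings" list of objects with "role" and "members"); the sample policies, project ID, service account name and emails embedded in it are constructed for illustration. The runtime_identity helper queries the Compute Engine metadata server the way ADC does on a resource with an attached service account, and returns None when run anywhere else.

```python
"""Checks for an attached-service-account ADC setup (added example, not Google's code).

Assumes the policy JSON returned by:
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
Both documents carry a top-level "bindings" list of {"role": ..., "members": [...]}.
"""
import json
import re
import urllib.request
from typing import Optional

# Basic roles that should never be bound to a production service account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Service account IDs: 6 to 30 characters, lowercase letters, digits and hyphens,
# starting with a letter and ending with a letter or digit.
_SA_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed sample policies (not real gcloud output) so the script runs stand-alone.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:app-backend@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app-backend@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "version": 1,
}
SAMPLE_SA_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": ["user:deployer@example.com"]},
    ],
    "version": 1,
}


def service_account_email(name: str, project_id: str) -> str:
    """Return the email gcloud assigns to service account NAME in PROJECT_ID, validating NAME."""
    if not _SA_NAME_RE.match(name):
        raise ValueError(f"invalid service account name: {name!r}")
    return f"{name}@{project_id}.iam.gserviceaccount.com"


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role bound to MEMBER (e.g. 'user:x@example.com') in a policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_project_roles(project_policy: dict, sa_email: str) -> dict:
    """Report the roles the service account holds on the project and flag basic roles."""
    roles = roles_for_member(project_policy, f"serviceAccount:{sa_email}")
    basic = roles & BASIC_ROLES
    return {
        "roles": sorted(roles),
        "basic_roles": sorted(basic),
        "least_privilege": not basic,
    }


def can_attach(sa_policy: dict, user_email: str) -> bool:
    """True if USER_EMAIL holds roles/iam.serviceAccountUser on the service account itself."""
    return "roles/iam.serviceAccountUser" in roles_for_member(sa_policy, f"user:{user_email}")


def runtime_identity(timeout: float = 1.0) -> Optional[str]:
    """Ask the metadata server which identity ADC will use on this resource.

    This is the same endpoint the client libraries consult on Compute Engine and
    similar resources. Returns None when the metadata server is unreachable,
    which is the case on a developer workstation or in CI outside Google Cloud.
    """
    url = ("http://metadata.google.internal/computeMetadata/v1/"
           "instance/service-accounts/default/email")
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except OSError:
        return None


if __name__ == "__main__":
    sa = service_account_email("app-backend", "my-project")
    print(json.dumps(audit_project_roles(SAMPLE_PROJECT_POLICY, sa), indent=2))
    print("deployer can attach:", can_attach(SAMPLE_SA_POLICY, "deployer@example.com"))
    print("runtime identity:", runtime_identity())
```

Run against real output by piping the two gcloud commands into json.load and passing the resulting dicts to audit_project_roles and can_attach; a "least_privilege": false result means a basic role slipped in and should be replaced with a predefined or custom role before the service account is attached to anything.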
What's next
- Understand best practices for using service accounts and service account keys.
- Learn more about how ADC finds credentials.
- Authenticate for using Cloud Client Libraries.
- Explore authentication methods.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.