Run a VM as a service account
Assign a service account for a VM, add access scopes, and set up the VM to run as a service account.

- This code sample demonstrates how to configure a Google Compute Engine VM to use a service account.
- The configuration includes assigning a specific email to the service account and setting the scope to `cloud-platform`.
- It utilizes Terraform to define the VM resource, including specifications for the boot disk, local SSD, and network interface.
- The example showcases the recommended best practice of using a custom service account with specific permissions granted via IAM Roles to enhance security.

Explore further
---------------

For detailed documentation that includes this code sample, see the following:

- [Create a VM that uses a user-managed service account](/compute/docs/access/create-enable-service-accounts-for-instances)

Code sample
-----------

### Terraform

To learn how to apply or remove a Terraform configuration, see
[Basic Terraform commands](/docs/terraform/basic-commands).

For more information, see the
[Terraform provider reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs).

    resource "google_compute_instance" "default" {
      name         = "my-test-vm"
      machine_type = "n1-standard-1"
      zone         = "us-central1-a"

      boot_disk {
        initialize_params {
          image = "debian-cloud/debian-11"
        }
      }

      // Local SSD disk
      scratch_disk {
        interface = "SCSI"
      }

      network_interface {
        network = "default"

        access_config {
          // Ephemeral public IP
        }
      }

      service_account {
        # Google recommends custom service accounts with `cloud-platform` scope with
        # specific permissions granted via IAM Roles.
        # This approach lets you avoid embedding secret keys or user credentials
        # in your instance, image, or app code
        email  = google_service_account.default.email
        scopes = ["cloud-platform"]
      }
    }

What's next
-----------

To search and filter code samples for other Google Cloud products, see the
[Google Cloud sample browser](/docs/samples?product=compute).
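
The Terraform sample on this page references `google_service_account.default` without defining it, and its comment recommends granting specific permissions through IAM roles. The following is an added example, not part of the original sample, that defines that service account and binds two narrowly scoped roles to it. The `project_id` variable, the `account_id` value and the chosen roles are assumptions to replace with your own.

```terraform
# Added example, not from the original sample.
# Assumed values: var.project_id, the account_id "vm-runtime-sa" and the
# roles listed in local.vm_roles. Grant only what the workload needs.

variable "project_id" {
  type        = string
  description = "Project that hosts the VM and its service account (assumed input)."
}

# User-managed service account that the instance's service_account block
# refers to as google_service_account.default.email.
resource "google_service_account" "default" {
  project      = var.project_id
  account_id   = "vm-runtime-sa" # placeholder name
  display_name = "Runtime identity for my-test-vm"
}

# With the cloud-platform scope, the access scope itself no longer narrows
# what the VM can call. The IAM roles bound to the service account are the
# effective limit, so keep this list short and specific.
locals {
  vm_roles = [
    "roles/logging.logWriter",       # write log entries
    "roles/monitoring.metricWriter", # write monitoring metrics
  ]
}

# Non-authoritative bindings: each adds one member to one role and leaves
# other members of that role untouched.
resource "google_project_iam_member" "vm_roles" {
  for_each = toset(local.vm_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.default.email}"
}
```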