Connect using service accounts

This document describes how to use a service account to connect to Compute Engine virtual machine (VM) instances using SSH. Setting up SSH for a service account enables you to configure apps to use SSH , which can help you to automate your workloads.

Before you begin

Create a service account .
If you haven't already, set up authentication . Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
1. Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
```
gcloud  
init
```
  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .
  
  Note:If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update .
2. Set a default region and zone .

Manually connect to VMs as a service account

To connect to VMs as a service account, use one of the following methods:

Directly impersonate service account

Permissions required for this task

To perform this task, you must have the following permissions :

All the permissions included in the Service Account Token Creator role ( roles/iam.serviceAccountTokenCreator ) , on the service account. For details about how to grant this role on a singular service account, see Manage access to service accounts .
If you use OS Login, you require all the permissions included one of the OS Login IAM roles on the service account.
If you don't use OS Login, the service account also requires the compute.projects.setCommonInstanceMetadata permission.

Use the gcloud CLI --impersonate-service-account flag to connect directly to a VM using a service account's identity. Run the following command to connect to a VM as a service account:

gcloud compute ssh VM_NAME 
\
    --impersonate-service-account= SERVICE_ACCOUNT_EMAIL

Replace the following:

VM_NAME : the name of the VM you want to connect to the service account as.
SERVICE_ACCOUNT_EMAIL : the email address associated with the service account.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-15 UTC.

Connect using service accounts Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Manually connect to VMs as a service account

Directly impersonate service account

Permissions required for this task

Impersonate service account from a VM

Permissions required for this task

What's next

Connect using service accounts