A service account is a special kind of account used by an application or compute workload, such as a Compute Engine instance, rather than a person. A service account is identified by its email address, which is unique to the account; that email is the principal you grant IAM roles to. For more information, see Service accounts overview.
This document describes the connections and parameters you can configure when using App Design Center to create a service account. The configuration parameters are based on the terraform-google-service-accounts Terraform module.
Component connections
The following table includes the components that you can connect to a service account, and the resulting updates to your application and its generated Terraform code.
Connected component | Application updates
---|---
Compute Engine instance template | The instance template uses the connected service account instead of creating a new one. The workload uses this service account to authenticate to, and obtain authorization for, other Google Cloud services. The service account email and IAM information are added to the instance template.
Secret Manager secret | The service account can access the secret data. The roles/secretmanager.secretAccessor role is assigned to the service account.
BigQuery dataset | The service account can be used by services, such as Cloud Run, to read and modify data in the BigQuery dataset. The roles/bigquery.dataEditor role is added to the service account.
Cloud Run service | The Cloud Run service uses the service account as its service identity. The roles/run.invoker role is added to the service account, and the service account email and IAM information are added to the Cloud Run service.
Cloud SQL (MySQL) instance | The service account can connect to the Cloud SQL (MySQL) instance. The roles/cloudsql.instanceUser and roles/cloudsql.client roles are added to the service account, and the service account IAM information is added to the Cloud SQL instance.
Cloud SQL (PostgreSQL) instance | The service account can connect to the Cloud SQL (PostgreSQL) instance. The roles/cloudsql.instanceUser and roles/cloudsql.client roles are added to the service account, and the service account IAM information is added to the Cloud SQL instance.
Cloud Storage bucket | The service account can manage objects in the Cloud Storage bucket. The roles/storage.objectAdmin role is assigned to the service account, and the service account IAM information is added to the bucket.
Memorystore for Redis instance | The service account can manage the Memorystore for Redis instance. The roles/redis.editor role is added to the service account.
Pub/Sub | The service account can manage Pub/Sub topics and pull messages from subscriptions. The roles/pubsub.editor role is added to the service account, and the service account name and email are added to the Pub/Sub pull subscription.
Spanner instance | The service account has access to the Spanner instance. The service account is added as an IAM user on the Spanner instance.
Vertex AI | The service account can interact with Vertex AI services. The roles/aiplatform.user role is added to the service account.

Several of these roles grant write access to the connected resource rather than read-only access: roles/storage.objectAdmin can overwrite and delete objects, roles/bigquery.dataEditor can modify table data, and roles/pubsub.editor and roles/redis.editor can change the resources themselves. Review the generated bindings before you deploy and narrow any role to a read-only predefined role where the workload only reads.
Required configuration parameters
If your template includes a service account component, you must configure the following parameters before you deploy.
Parameter name | Description and constraints | Background information
---|---|---
Project ID | The project where you want to create the service account resource. | Configure components
Name | The service account ID, which becomes the local part of the service account email. It must be between 6 and 30 characters and can contain lowercase alphanumeric characters and dashes. For example, | Create service accounts
Optional configuration parameters
The following parameters are optional. To display advanced parameters, in the Configuration area, select Show advanced fields.
Parameter name | Description and constraint information | Background information
---|---|---
Display Name | A user-readable name for the service account. | Create service accounts
Description | A user-readable description. | Create service accounts
Project roles | Project-level IAM roles to grant to the service account. These are passed to the module's project_roles input and apply across the whole project, so prefer the resource-level bindings created by component connections where they suffice. | Manage access to projects, folders, and organizations
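The following Terraform is an added example, written for this page; it is not code generated by App Design Center and not taken from the terraform-google-service-accounts module's own documentation. It shows the required and optional parameters above (Project ID, Name, Display Name, Description, Project roles) as a call to that module, and alongside it the kind of binding the component-connection table describes, scoped to a single resource rather than project-wide. The project ID my-app-project, the secret db-password and the bucket my-app-uploads are placeholders; the resource-level google_secret_manager_secret_iam_member and google_storage_bucket_iam_member resources come from the standard Google provider, not from the module, and are used here to show the narrower alternative to a project-wide role.

```hcl
# Added example for this page: placeholders throughout, not App Design Center output.
# Assumes Terraform 1.x with the hashicorp/google provider configured and
# credentials that can manage IAM in my-app-project.

module "app_service_account" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "~> 4.0"

  # Required parameters from the page: Project ID and Name.
  project_id = "my-app-project"
  names      = ["web-backend"] # 6-30 chars, lowercase letters, digits and dashes

  # Optional parameters from the page: Display Name and Description.
  display_name = "Web backend workload"
  description  = "Runtime identity for the web backend; no interactive use"

  # Optional parameter "Project roles". Entries use the module's
  # "project_id=>role" format and bind across the whole project, so keep
  # this list to roles that are genuinely project-scoped.
  project_roles = [
    "my-app-project=>roles/aiplatform.user",
  ]
}

# Connecting a Secret Manager secret grants roles/secretmanager.secretAccessor.
# Binding the role on the one secret (placeholder: db-password) instead of the
# project means a compromised workload can read only that secret's payloads.
resource "google_secret_manager_secret_iam_member" "db_password_reader" {
  project   = "my-app-project"
  secret_id = "db-password"
  role      = "roles/secretmanager.secretAccessor"
  member    = module.app_service_account.iam_email # "serviceAccount:<email>"
}

# Connecting a Cloud Storage bucket grants roles/storage.objectAdmin, which can
# overwrite and delete every object in the bucket. If the workload only reads,
# change this to roles/storage.objectViewer.
resource "google_storage_bucket_iam_member" "uploads_access" {
  bucket = "my-app-uploads"
  role   = "roles/storage.objectAdmin"
  member = module.app_service_account.iam_email
}

# The email is what shows up in audit logs and in other components' config.
output "service_account_email" {
  value = module.app_service_account.email
}
```

After `terraform apply`, confirm that the account holds only the roles you expect at project level with `gcloud projects get-iam-policy my-app-project --flatten="bindings[].members" --filter="bindings.members:serviceAccount:web-backend@my-app-project.iam.gserviceaccount.com"`; resource-level bindings such as the secret and bucket grants above do not appear in the project policy and are checked with the corresponding `gcloud secrets get-iam-policy` and `gcloud storage buckets get-iam-policy` commands.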