Service accounts in Google are a powerful tool to allow non-human, programmatic authentication for services (read more here for the basics on creating and using them). A key part of creating and maintaining service accounts is choosing the permission set they have in Google’s infrastructure.
We recommend generally following a process of least privilege: grant your service accounts the bare minimum you think they need to perform the task, and then adjust upwards as needed. Google’s error messages will always include any missing permissions, making it straightforward to adjust. You can add more permissions after creating a service account if needed. You can go back to the service account page at any time and edit a service account’s permissions or principals by selecting the three dots next to its entry and clicking on ‘Manage permissions’. Additionally, the main IAM page will display all the permissions it currently has. We also recommend keeping a log of any service accounts you create for visibility across your team.
Below are some recommended starter permission sets for common use cases; note that Google’s permission structure is subject to change and you should always keep an eye out for updated permission needs. Google has comprehensive documentation on its permissions here.
Please note that only users with administrator and engineer PAD roles can set service account permissions.
I want to use the service account for Google Workflows or scripting:
Try starting with the custom Workflows role, which is a custom CTA role we created. You may want to create your own version that removes the iam.serviceAccounts.actAs permission, which allows the principal to execute code as a service account. This is needed for some services, like Cloud Functions or Cloud Build, but for simpler tasks is not necessary and can grant pretty wide-ranging powers over Google infrastructure in your project. Google also often has roles for each service that are specifically intended for service accounts, and we encourage users to research those when permissioning more advanced services like Google Workflows, Cloud Functions, or Cloud Build.
I want to use the service account to run scheduled queries in GCP:
Try starting with the BigQuery Job User role. This gives the service account access to the project and the ability to run BigQuery jobs in the project. If the account needs to read data, you can give it BigQuery Data Viewer access either for the whole project or for individual datasets (more information on granting to individual datasets below).
I want the service account to only be able to query a single dataset in the project:
Try starting with the BigQuery Job User role. This gives the service account access to the project and the ability to run BigQuery jobs in the project. Then, grant it the BigQuery Data Viewer role on only the specific dataset. To grant it on the dataset, you can follow the same process you use to add viewers to datasets, just use the service account’s email address instead of a user’s email address (more here). This gives the service account access to run jobs in the project, but not to see all the data in the project.
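As an added example (not part of this article or any CTA tooling), the script below audits an exported project IAM policy against the two recommendations above: BigQuery Data Viewer bound project-wide to a service account, where the article suggests dataset-level scoping, and a custom role that includes iam.serviceAccounts.actAs. It assumes the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe`; the project, account and role names are constructed sample values.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output. Project, account and role names are made up for illustration.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/bigquery.jobUser",
         "members": ["serviceAccount:sched-queries@example-proj.iam.gserviceaccount.com",
                     "serviceAccount:wf-runner@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:sched-queries@example-proj.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "projects/example-proj/roles/customWorkflows",
         "members": ["serviceAccount:wf-runner@example-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "ETAG_PLACEHOLDER", "version": 1,
})

# Constructed sample of `gcloud iam roles describe ... --format=json` for the custom role.
SAMPLE_ROLES = {
    "projects/example-proj/roles/customWorkflows": {
        "includedPermissions": ["workflows.executions.create", "iam.serviceAccounts.actAs"]
    }
}

# Roles the article recommends granting on a single dataset rather than project-wide.
DATASET_SCOPED_ROLES = {"roles/bigquery.dataViewer"}
ACT_AS = "iam.serviceAccounts.actAs"

def service_account_roles(policy_json):
    """Map each service-account member to the set of roles bound at project level."""
    roles_by_sa = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                roles_by_sa.setdefault(member, set()).add(binding["role"])
    return roles_by_sa

def audit(policy_json, role_defs):
    """Return (service account, finding) pairs worth a second look, in stable order."""
    findings = []
    for sa, roles in sorted(service_account_roles(policy_json).items()):
        for role in sorted(roles):
            if role in DATASET_SCOPED_ROLES:
                findings.append((sa, f"{role} granted project-wide; consider scoping it to a dataset"))
            if ACT_AS in role_defs.get(role, {}).get("includedPermissions", []):
                findings.append((sa, f"{role} includes {ACT_AS}; confirm the workload needs it"))
    return findings

if __name__ == "__main__":
    for sa, finding in audit(SAMPLE_POLICY, SAMPLE_ROLES):
        print(f"{sa}: {finding}")
```

Dataset-level bindings live in the dataset's own access list rather than the project policy, so a Data Viewer grant made the way the article describes will not appear here, which is the point.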