This document shows how to create a service account for accessing
GKE Enterprise components.
The instructions here are part of a quickstart. For full instructions on using
service accounts with Google Distributed Cloud, see
Service accounts and keys.
Google Distributed Cloud uses a service account to download
GKE Enterprise components, on your behalf, from
Container Registry.
This account is called the component access service account.
This quickstart uses a single Google Cloud project. Your component access service
account will be a child of that Google Cloud project and will be granted
roles on that same Google Cloud project.
To create a component access service account:
```
gcloud iam service-accounts create component-access-sa \
  --display-name "Component Access Service Account" \
  --project PROJECT_ID
```
Replace PROJECT_ID with the ID of your Google Cloud project.
To create a JSON key for your component access service account:
```
gcloud iam service-accounts keys create component-access-key.json \
  --iam-account component-access-sa@PROJECT_ID.iam.gserviceaccount.com
```
### Granting roles to your component access service account
Your component access service account must be granted the following
IAM roles on your
Google Cloud project. These roles are required so that Google Distributed Cloud
can do preflight checks:
- `serviceusage.serviceUsageViewer`
- `iam.serviceAccountCreator`
- `iam.roleViewer`

To grant roles:

```
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role "roles/serviceusage.serviceUsageViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role "roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role "roles/iam.roleViewer"
```

### What's next

[Create an admin workstation (quickstart)](/anthos/clusters/docs/on-prem/1.7/how-to/admin-workstation-quickstart)

Last updated 2025-08-29 UTC.
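To confirm that the component access service account ended up with the three roles listed for preflight checks and nothing broader, the following added example (not part of the original quickstart) audits a project IAM policy as exported by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The project ID `example-project`, the sample policy and the function name `audit_member_roles` are constructed for illustration.

```python
import json

# Roles this quickstart lists for the component access service account.
REQUIRED_ROLES = {
    "roles/serviceusage.serviceUsageViewer",
    "roles/iam.serviceAccountCreator",
    "roles/iam.roleViewer",
}

def audit_member_roles(policy, member):
    """Compare the project-level roles bound to `member` with REQUIRED_ROLES.

    `policy` is the parsed JSON of a project IAM policy. Bindings that still
    name a deleted identity ("deleted:<member>?uid=...") are reported as stale:
    a recreated account with the same email does not inherit them.
    """
    deleted_prefix = "deleted:" + member + "?uid="
    granted, stale = set(), set()
    for binding in policy.get("bindings", []):
        for m in binding.get("members", []):
            if m == member:
                granted.add(binding["role"])
            elif m.startswith(deleted_prefix):
                stale.add(binding["role"])
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "unexpected": sorted(granted - REQUIRED_ROLES),
        "stale": sorted(stale),
    }

# Constructed sample data; "example-project" stands in for PROJECT_ID.
SAMPLE_MEMBER = ("serviceAccount:component-access-sa@"
                 "example-project.iam.gserviceaccount.com")
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/serviceusage.serviceUsageViewer", "members": [SAMPLE_MEMBER]},
        {"role": "roles/iam.roleViewer",
         "members": [SAMPLE_MEMBER, "user:admin@example.com"]},
        {"role": "roles/editor", "members": [SAMPLE_MEMBER]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/iam.serviceAccountCreator",
         "members": ["deleted:" + SAMPLE_MEMBER + "?uid=123456789012345678901"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_member_roles(SAMPLE_POLICY, SAMPLE_MEMBER), indent=2))
```

An empty `missing`, `unexpected` and `stale` result means the account holds exactly the roles this page lists.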