This document shows how to create a service account for accessing
GKE Enterprise components.
The instructions here are part of a quickstart. For full instructions on using
service accounts with Google Distributed Cloud, see
Service accounts and keys.
Google Distributed Cloud uses a service account to download
GKE Enterprise components, on your behalf, from
Container Registry.
This account is called the component access service account.
This sequence of quickstart topics uses a single Google Cloud project. You
established which Google Cloud project to use in the preceding quickstart
topic:
Google Cloud project (quickstart).
Your component access service
account will be a child of that same Google Cloud project and will be granted
roles on that Google Cloud project.
To create a component access service account:
```
gcloud iam service-accounts create component-access-sa \
    --display-name "Component Access Service Account" \
    --project PROJECT_ID
```
Replace PROJECT_ID with the ID of your Google Cloud project.
To create a JSON key for your component access service account:
```
gcloud iam service-accounts keys create component-access-key.json \
    --iam-account component-access-sa@PROJECT_ID.iam.gserviceaccount.com
```
### Granting roles to your component access service account
Your component access service account must be granted the following
IAM roles on your
Google Cloud project. These roles are required so that Google Distributed Cloud
can do preflight checks:

- serviceusage.serviceUsageViewer
- iam.roleViewer
- iam.serviceAccountViewer

To grant roles:

```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.roleViewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:component-access-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountViewer"
```

### What's next

Create an admin workstation (quickstart)

Last updated 2025-08-25 UTC.
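
To audit the result of the steps above, the following added script (not part of the original quickstart) compares the project-level roles bound to the component access service account with the three roles this page lists, and checks that the downloaded JSON key file grants nothing to group or other. The function names and the sample role list are constructed for illustration; `list_roles` needs gcloud and a real project, so the demo at the end runs on the constructed sample instead.

```shell
#!/bin/sh
# Added example: least-privilege audit for component-access-sa.
# Function names and SAMPLE_ROLES are illustrative, not from the quickstart.

# The three roles the page says preflight checks require.
REQUIRED_ROLES="roles/iam.roleViewer
roles/iam.serviceAccountViewer
roles/serviceusage.serviceUsageViewer"

# Live lookup (needs gcloud and credentials): project-level roles bound to the account.
list_roles() {  # usage: list_roles PROJECT_ID
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:component-access-sa@$1.iam.gserviceaccount.com" \
    --format="value(bindings.role)"
}

# Read one role per line on stdin; print MISSING/EXTRA lines.
# Returns 0 only when the bound roles equal the required set.
audit_roles() {
  actual=$(sed '/^$/d' | sort -u)
  rc=0
  for r in $REQUIRED_ROLES; do
    printf '%s\n' "$actual" | grep -Fxq "$r" || { echo "MISSING $r"; rc=1; }
  done
  for r in $actual; do
    printf '%s\n' "$REQUIRED_ROLES" | grep -Fxq "$r" || { echo "EXTRA $r"; rc=1; }
  done
  return $rc
}

# Return 0 if the key file exists and grants nothing to group or other.
key_is_private() {  # usage: key_is_private component-access-key.json
  [ -f "$1" ] || return 2
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: an account missing one required role and holding roles/editor.
SAMPLE_ROLES="roles/iam.roleViewer
roles/serviceusage.serviceUsageViewer
roles/editor"
printf '%s\n' "$SAMPLE_ROLES" | audit_roles || echo "role set differs from the required three"
```

With gcloud configured, run `list_roles PROJECT_ID | audit_roles` against the live policy and `key_is_private component-access-key.json` against the downloaded key.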