Configure a service account in Application Design Center

A service account is a special kind of account used by an application or compute workload, such as a Compute Engine instance, rather than a person. A service account is identified by its email address, which is unique to the account. For more information, see Service accounts overview.

This document describes the connections and parameters you can configure when using App Design Center to create a service account. The configuration parameters are based on the terraform-google-service-accounts Terraform module.

Component connections

The following table includes the components that you can connect to a service account, and the resulting updates to your application and its generated Terraform code.

Compute Engine instance template
  Application updates:
    • The Compute Engine instance template uses the connected service account instead of creating a new one. The connected service account is used for authentication and authorization to other Google Cloud services.
    • The service account email and IAM information are added to the Compute Engine instance template.
  Background information: Create a VM that uses a user-managed service account

Secret Manager
  Application updates:
    • The service account can access the secret data.
    • The roles/secretmanager.secretAccessor role is assigned to the service account.
  Background information: Manage access to secrets

BigQuery
  Application updates:
    • The service account can read and modify data in the BigQuery dataset.
    • The BigQuery roles/bigquery.dataEditor role is added to the service account.
  Background information: BigQuery IAM roles and permissions

Cloud Run
  Application updates:
    • The Cloud Run service uses the service account as its service identity.
    • The roles/run.invoker role is added to the service account.
    • The service account email and IAM information are added to the Cloud Run instance.
  Background information: Authenticating service-to-service

Cloud SQL (MySQL)
  Application updates:
    • The service account can connect to the Cloud SQL (MySQL) instance.
    • The roles/cloudsql.instanceUser and roles/cloudsql.client roles are added to the service account.
    • The service account IAM information is added to the Cloud SQL instance.
  Background information: Roles and permissions

Cloud SQL (PostgreSQL)
  Application updates:
    • The service account can connect to the Cloud SQL (PostgreSQL) instance.
    • The roles/cloudsql.instanceUser and roles/cloudsql.client roles are added to the service account.
    • The service account IAM information is added to the Cloud SQL instance.
  Background information: Roles and permissions

Cloud Storage
  Application updates:
    • The service account can manage objects in the Cloud Storage bucket.
    • The service account IAM information is added to the Cloud Storage bucket.
    • The roles/storage.objectAdmin role is assigned to the service account.
  Background information: Set and manage IAM policies on buckets

Memorystore for Redis
  Application updates:
    • The service account can manage the Memorystore for Redis instance.
    • The roles/redis.editor role is added to the service account.
  Background information: The Memorystore for Redis service account

Pub/Sub
  Application updates:
    • The service account can manage Pub/Sub topics and pull messages from subscriptions.
    • The roles/pubsub.editor role is added to the service account.
    • The service account name and email are added to the Pub/Sub pull subscription.
  Background information: Access control with IAM

Spanner
  Application updates:
    • The service account has access to the Spanner instance.
    • The service account is added as an IAM user to the Spanner instance.
  Background information: Configure an instance with a service account

Vertex AI
  Application updates:
    • The service account can interact with Vertex AI services.
    • The roles/aiplatform.user role is added to the service account.
  Background information: Vertex AI access control with IAM

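The role list above doubles as a least-privilege baseline: once an application is deployed, the service account should hold exactly the roles its connected components require and nothing broader. The following Python script, added here as an example and not code from App Design Center or the terraform-google-service-accounts module, compares the roles an IAM policy actually binds to a service account with the roles the table grants for its connected components, and reports both extra roles (privilege creep) and missing ones (a connection that did not deploy). The service account email, project ID, component names and policy contents are constructed for the example; the `bindings`/`role`/`members` layout is the standard IAM Policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns, and the same layout is used by bucket, secret and instance-level policies.

```python
"""Compare the IAM roles actually bound to a service account with the roles
App Design Center grants for its connected components.

Added example; not code from App Design Center or the Terraform module.
`policy` is a dict in the standard IAM Policy shape:
{"bindings": [{"role": "...", "members": ["..."]}, ...], "etag": ..., "version": ...}
"""
import json

# Roles granted per connected component, taken from the table above.
# Spanner is omitted: the table says the account is added as an IAM user
# but names no role. The component keys are this example's own names.
COMPONENT_ROLES = {
    "secret_manager": {"roles/secretmanager.secretAccessor"},
    "bigquery": {"roles/bigquery.dataEditor"},
    "cloud_run": {"roles/run.invoker"},
    "cloud_sql": {"roles/cloudsql.instanceUser", "roles/cloudsql.client"},
    "cloud_storage": {"roles/storage.objectAdmin"},
    "memorystore_redis": {"roles/redis.editor"},
    "pubsub": {"roles/pubsub.editor"},
    "vertex_ai": {"roles/aiplatform.user"},
}


def expected_roles(components):
    """Union of the roles the table grants for the given components."""
    roles = set()
    for component in components:
        if component not in COMPONENT_ROLES:
            raise ValueError(f"unknown component: {component}")
        roles |= COMPONENT_ROLES[component]
    return roles


def roles_for_member(policy, member):
    """All roles that `member` (e.g. 'serviceAccount:...') holds in `policy`."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit(policy, sa_email, components):
    """Return roles the account holds beyond the expected set ('unexpected')
    and expected roles it does not hold ('missing'), both sorted."""
    actual = roles_for_member(policy, f"serviceAccount:{sa_email}")
    expected = expected_roles(components)
    return {
        "unexpected": sorted(actual - expected),
        "missing": sorted(expected - actual),
    }


# Constructed sample policy: a service account named as in this document,
# in a placeholder project, that has also picked up the broad roles/editor.
SA_EMAIL = "my-service-account@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/secretmanager.secretAccessor",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/storage.objectAdmin",
         "members": [f"serviceAccount:{SA_EMAIL}", "group:data-team@example.com"]},
        {"role": "roles/editor",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
    ],
    "etag": "BwExampleEtag=",  # constructed placeholder
    "version": 1,
}

if __name__ == "__main__":
    # Components the sample account is connected to in the application.
    connected = ["secret_manager", "cloud_storage", "pubsub"]
    print(json.dumps(audit(SAMPLE_POLICY, SA_EMAIL, connected), indent=2))
```

Several of the bindings in the table are attached to the resource rather than the project (the bucket, the secret, the Cloud SQL instance), so they appear in that resource's policy and not in the project policy; run `audit` against each policy the application touches, not only the project one, before concluding a role is missing.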
Required configuration parameters

If your template includes a service account component, you must configure the following parameters before you deploy.

Project ID
  Description and constraints: The project where you want to create the service account resource.
  Background information: Configure components

Name
  Description and constraints: An identifier of 6 to 30 characters that can contain lowercase alphanumeric characters and dashes; for example, my-service-account.
  Background information: Create service accounts

Optional configuration parameters

The following parameters are optional. To display advanced parameters, in the Configuration area, select Show advanced fields.

Display Name
  Description and constraints: A user-readable name for the service account.
  Background information: Create service accounts

Description
  Description and constraints: A user-readable description.
  Background information: Create service accounts

Project roles (project_roles)
  Background information: Manage access to projects, folders, and organizations