# Grant roles to your service account

> **Preview**
>
> This product is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the [Service Specific Terms](/terms/service-terms#1).
>
> Pre-GA products are available "as is" and might have limited support.
>
> For more information, see the [launch stage descriptions](/products#product-launch-stages).

When developers [preview and deploy applications](/application-design-center/docs/deploy-from-console), they can use an existing [service account](/iam/docs/service-account-overview), or a new service account can be automatically created. If you want developers to use your service account, you must do the following:

- Add IAM policy bindings to the service account and user account.
- Grant the service account the [roles](/iam/docs/understanding-roles) required to deploy each resource.
- Add permissions to the service account to deploy outside of the project where the service account was created.
- Update your organization policies to allow service accounts to be used across projects.

To configure your service accounts, do the following:

1. Add an IAM policy binding for the `roles/iam.serviceAccountUser` role for the service agent on your service account:

        gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
            --member="serviceAccount:service-SERVICE_ACCOUNT_PROJECT_ID@gcp-sa-designcenter.iam.gserviceaccount.com" \
            --role="roles/iam.serviceAccountUser"

    Replace the following:
    - `SERVICE_ACCOUNT_EMAIL`: Your service account email.
    - `SERVICE_ACCOUNT_PROJECT_ID`: The project ID of the project that contains your service account.

2. Add an IAM policy binding for the `roles/iam.serviceAccountUser` role for a user on your service account:

        gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
            --member="user:USER_EMAIL" \
            --role="roles/iam.serviceAccountUser"

    Replace the following:
    - `SERVICE_ACCOUNT_EMAIL`: Your service account email.
    - `USER_EMAIL`: The user email for the user who performs the deployment.

3. In the project that has your service account, add IAM policy bindings for the required service agent roles on the [management project](/resource-manager/docs/manage-applications#management-project) that contains your space:

        gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
            --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
            --role="roles/apphub.editor"

        gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
            --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
            --role="roles/config.agent"

        gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
            --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
            --role="roles/serviceusage.ServiceUsageAdmin"

    Replace the following:
    - `SERVICE_ACCOUNT_PROJECT_ID`: The project ID of the project that contains your service account.
    - `MANAGEMENT_PROJECT_NUMBER`: The project number of the [management project](/resource-manager/docs/manage-applications#management-project) that contains your space.

4. In the project that has your service account, ensure that the `iam.disableCrossProjectServiceAccountUsage` organization policy constraint is not enforced. This constraint is enforced by default.

    To disable enforcement of the organization policy constraint, run the following command:

        gcloud resource-manager org-policies disable-enforce \
            iam.disableCrossProjectServiceAccountUsage \
            --project=SERVICE_ACCOUNT_PROJECT_ID

    Replace the following:
    - `SERVICE_ACCOUNT_PROJECT_ID`: The project ID of the project that contains your service account.

5. Grant your service account the roles required to deploy resources in projects. The required roles are displayed when developers [deploy applications](/application-design-center/docs/deploy-from-console).

    For example, to grant the `roles/run.admin` role, add the following policy binding:

        gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
            --member="serviceAccount:service-DEPLOYMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
            --role="roles/run.admin"

    Replace the following:
    - `SERVICE_ACCOUNT_PROJECT_ID`: The project ID of the project that contains your service account.
    - `DEPLOYMENT_PROJECT_NUMBER`: The project number of the project where you're deploying resources.

6. App Design Center uses Infrastructure Manager to deploy applications in the console. To use your own service account to deploy with Infrastructure Manager, complete the steps in [Grant access to projects](/infrastructure-manager/docs/configure-service-account#grant_access_to_projects).

What's next
-----------

- [Manage applications](/application-design-center/docs/manage-application-instances)
- [Deploy an application from the console](/application-design-center/docs/deploy-from-console)

Last updated 2025-09-03 UTC.
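After running steps 1 through 4, it is worth verifying the resulting IAM state rather than trusting that each `gcloud` call landed, and in particular checking who else holds `roles/iam.serviceAccountUser` on the service account, since every principal with that role can act as the service account and therefore deploy with its permissions. The following Python script is an added example, not part of the Google Cloud documentation or any Google tooling. It reads the JSON that `gcloud iam service-accounts get-iam-policy ... --format=json`, `gcloud projects get-iam-policy ... --format=json` and `gcloud resource-manager org-policies describe iam.disableCrossProjectServiceAccountUsage --project=... --effective --format=json` print, and reports missing bindings from steps 1 to 3, unexpected `serviceAccountUser` grants, and whether the step 4 constraint is still enforced. The sample policies embedded at the bottom are constructed (placeholder project identifiers and emails), and the `booleanPolicy.enforced` field is the v1 org-policy JSON shape this script assumes.

```python
"""Audit the IAM bindings created by the procedure above.

Added example, not Google's own tooling. Pass three JSON files (service account
policy, project policy, effective org policy) on the command line, or run with
no arguments to audit the constructed sample data at the bottom of this file.
"""
import json
import sys

SERVICE_AGENT_DOMAIN = "gcp-sa-designcenter.iam.gserviceaccount.com"
# Roles that step 3 binds for the management project's service agent.
MANAGEMENT_AGENT_ROLES = (
    "roles/apphub.editor",
    "roles/config.agent",
    "roles/serviceusage.ServiceUsageAdmin",
)


def service_agent(project):
    """Member string for the App Design Center service agent of a project,
    following the service-<project>@... pattern used on this page."""
    return f"serviceAccount:service-{project}@{SERVICE_AGENT_DOMAIN}"


def members_with_role(policy, role):
    """All members bound to `role` anywhere in an IAM policy dict.
    Conditional bindings are included; an audit should see those too."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def audit_service_account_policy(policy, expected_members):
    """Compare roles/iam.serviceAccountUser grants on the service account with
    the members steps 1 and 2 add. Anyone else holding the role can act as the
    service account, so extra members are reported alongside missing ones."""
    actual = members_with_role(policy, "roles/iam.serviceAccountUser")
    expected = set(expected_members)
    return {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
    }


def audit_project_policy(policy, member, required_roles=MANAGEMENT_AGENT_ROLES):
    """Roles from `required_roles` that `member` does not hold on the project."""
    return [r for r in required_roles if member not in members_with_role(policy, r)]


def cross_project_usage_enforced(org_policy):
    """True while iam.disableCrossProjectServiceAccountUsage is enforced.
    Assumes the v1 `booleanPolicy: {enforced: ...}` shape of the describe output."""
    return bool(org_policy.get("booleanPolicy", {}).get("enforced", False))


# --- Constructed sample input: steps 1 to 3 only partly completed ---
SA_PROJECT = "sa-project-id"                # placeholder for SERVICE_ACCOUNT_PROJECT_ID
MANAGEMENT_PROJECT_NUMBER = "111111111111"  # placeholder for MANAGEMENT_PROJECT_NUMBER
DEPLOYER = "user:deployer@example.com"      # placeholder for USER_EMAIL

SAMPLE_SA_POLICY = {
    "bindings": [{
        "role": "roles/iam.serviceAccountUser",
        "members": [
            service_agent(SA_PROJECT),
            "group:all-engineers@example.com",  # not part of the procedure
        ],
    }],
    "etag": "BwAAAA==",
}
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/apphub.editor", "members": [service_agent(MANAGEMENT_PROJECT_NUMBER)]},
        {"role": "roles/config.agent", "members": [service_agent(MANAGEMENT_PROJECT_NUMBER)]},
    ],
}
SAMPLE_ORG_POLICY = {
    "constraint": "constraints/iam.disableCrossProjectServiceAccountUsage",
    "booleanPolicy": {"enforced": True},
}


def run_audit(sa_policy, project_policy, org_policy):
    """Return every finding as a string; an empty list means the steps are complete."""
    findings = []
    sa = audit_service_account_policy(sa_policy, [service_agent(SA_PROJECT), DEPLOYER])
    findings += [f"missing serviceAccountUser grant: {m}" for m in sa["missing"]]
    findings += [f"unexpected serviceAccountUser grant: {m}" for m in sa["unexpected"]]
    agent = service_agent(MANAGEMENT_PROJECT_NUMBER)
    findings += [f"{agent} lacks {r} on {SA_PROJECT}"
                 for r in audit_project_policy(project_policy, agent)]
    if cross_project_usage_enforced(org_policy):
        findings.append("iam.disableCrossProjectServiceAccountUsage is still enforced")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4:
        sa_p, proj_p, org_p = (json.load(open(path)) for path in sys.argv[1:4])
    else:
        sa_p, proj_p, org_p = SAMPLE_SA_POLICY, SAMPLE_PROJECT_POLICY, SAMPLE_ORG_POLICY
    for finding in run_audit(sa_p, proj_p, org_p):
        print(finding)
```

On the sample data the audit reports four findings: the deploying user is missing from `roles/iam.serviceAccountUser`, an engineering group holds it without being part of the procedure, the management service agent lacks `roles/serviceusage.ServiceUsageAdmin`, and the organization policy constraint is still enforced. Re-run it after each corrective `gcloud` command until the list is empty.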