Set up ADC for a resource with an attached service account
Some Google Cloud services—such as Compute Engine, App Engine, and
Cloud Run functions—support attaching a
user-managed service account to some types of resources.
Generally, attaching a service account is supported when that service's
resources can run or include application code. When you attach a service account
to a resource, the code running on the resource can use that service account as
its identity.
Attaching a user-managed service account is the preferred way to provide
credentials to ADC for production code running on Google Cloud.
For help determining the roles that you need to provide to
your service account, see Choose predefined roles.
For information about which resources you can attach a service account to, and
help with attaching the service account to the resource, see the
IAM documentation on attaching a service account.
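The following check is an added example, not part of the original documentation. It audits a project IAM policy for the two things this page's guidance steers away from: service accounts holding the basic Owner, Editor, or Viewer roles, and default service accounts used in place of a user-managed one. It assumes the policy JSON has the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the sample policy, project, and account names are constructed.

```python
import json
import re

# Basic roles that should not be granted to a workload's service account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Default service accounts created by Google Cloud (not user-managed).
DEFAULT_SA = re.compile(
    r"^(\d+-compute@developer\.gserviceaccount\.com"
    r"|[^@]+@appspot\.gserviceaccount\.com)$"
)

# Constructed sample, shaped like `gcloud projects get-iam-policy` JSON output.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:admin@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def audit_service_accounts(policy):
    """Return sorted (email, role, reason) findings for service-account bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind != "serviceAccount":
                continue  # users and groups are out of scope for this check
            if role in BASIC_ROLES:
                findings.append((email, role, "basic role"))
            if DEFAULT_SA.match(email):
                findings.append((email, role, "default service account"))
    return sorted(findings)


if __name__ == "__main__":
    for email, role, reason in audit_service_accounts(SAMPLE_POLICY):
        print(f"{reason:24} {role:28} {email}")
```

A user-managed account with a narrow predefined role, such as `app-runtime` in the sample, produces no finding.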
- User-managed service accounts can be attached to certain Google Cloud resources, such as Compute Engine, App Engine, and Cloud Run, allowing application code to use that service account's identity.
- Attaching a user-managed service account is the recommended method for providing credentials to Application Default Credentials (ADC) for production code, rather than using the default service account, which often has overly broad privileges.
- To set up authentication, a user-managed service account needs to be created using the `gcloud iam service-accounts create` command.
- Roles must be granted to the service account to manage access to resources, using the `gcloud projects add-iam-policy-binding` command, ensuring the use of specific predefined or custom roles rather than overly broad roles like Owner, Editor, or Viewer.
- The principal attaching the service account to other resources needs the `roles/iam.serviceAccountUser` role, which is provided using the `gcloud iam service-accounts add-iam-policy-binding` command.

Last updated 2025-03-17 UTC.