# Set up ADC for a resource with an attached service account
Some Google Cloud services, such as Compute Engine, App Engine, and Cloud Run functions, support attaching a [user-managed service account](/iam/docs/service-account-types#user-created) to some types of resources. Generally, attaching a service account is supported when that service's resources can run or include application code. When you attach a service account to a resource, the code running on the resource can use that service account as its identity.

Attaching a user-managed service account is the preferred way to provide credentials to ADC for production code running on Google Cloud.
> **Note:** Many of these Google Cloud services also provide a default service account. Using the default service account is not recommended, because by default the default service account is highly privileged, which violates the [principle of least privilege](/iam/docs/using-iam-securely#least_privilege).

For help determining the roles that you need to provide to your service account, see [Choose predefined roles](/iam/docs/choose-predefined-roles).

For information about which resources you can attach a service account to, and help with attaching the service account to the resource, see the [IAM documentation on attaching a service account](/iam/docs/attach-service-accounts#attaching-new-resource).

Set up authentication:

1. Create the service account:

   ```bash
   gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
   ```

   Replace `SERVICE_ACCOUNT_NAME` with a name for the service account.

2. To provide access to your project and your resources, grant a role to the service account:

   ```bash
   gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE
   ```

   Replace the following:

   - `SERVICE_ACCOUNT_NAME`: the name of the service account
   - `PROJECT_ID`: the project ID where you created the service account
   - `ROLE`: the role to grant

   > **Note:** The `--role` flag affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles. Instead, grant a [predefined role](/iam/docs/understanding-roles#predefined_roles) or [custom role](/iam/docs/understanding-custom-roles) that meets your needs.

3. To grant another role to the service account, run the command as you did in the previous step.

4. Grant the required role to the principal that will attach the service account to other resources:

   ```bash
   gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com --member="user:USER_EMAIL" --role=roles/iam.serviceAccountUser
   ```

   Replace the following:

   - `SERVICE_ACCOUNT_NAME`: the name of the service account
   - `PROJECT_ID`: the project ID where you created the service account
   - `USER_EMAIL`: the email address for a Google Account

What's next
-----------

- Understand best practices for using [service accounts](/iam/docs/best-practices-service-accounts) and [service account keys](/iam/docs/best-practices-for-managing-service-account-keys).
- Learn more about [how ADC finds credentials](/docs/authentication/application-default-credentials).
- [Authenticate for using Cloud Client Libraries](/docs/authentication/client-libraries).
- Explore [authentication methods](/docs/authentication).

Last updated 2025-08-25 UTC.
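The four setup steps above, combined into one script. This is an added example, not code from the Google Cloud page: it derives the service account email, refuses the basic Owner, Editor and Viewer roles that the Note warns against, and then runs the page's three `gcloud` commands (with the global `--project` flag added so the account is created in the intended project). The service account name rule (6 to 30 lowercase letters, digits or hyphens), the `GCLOUD` variable that lets you dry-run with `GCLOUD=echo`, and the metadata-server check in `verify_attached_identity` are this example's own assumptions; the page does not state them.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page). Set GCLOUD=echo to print the
# gcloud commands instead of executing them.
: "${GCLOUD:=gcloud}"

# Service account email in the form used by steps 2 and 4 of the page.
sa_email() {
    printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Least-privilege guard from the page's Note: basic roles are refused, any
# predefined (roles/...) or custom (projects/.../roles/...) role is accepted.
# Returns 0 when the role may be granted, 1 otherwise.
check_role() {
    case "$1" in
        roles/owner|roles/editor|roles/viewer)
            echo "refusing basic role $1; grant a predefined or custom role" >&2
            return 1 ;;
        roles/*|projects/*/roles/*|organizations/*/roles/*)
            return 0 ;;
        *)
            echo "unrecognised role format: $1" >&2
            return 1 ;;
    esac
}

# Assumed name constraint: 6 to 30 lowercase letters, digits or hyphens.
check_sa_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9-]{6,30}$'
}

# Steps 1, 2 and 4 of the page: create the account, bind one project role,
# then let USER attach the account to resources (roles/iam.serviceAccountUser).
setup_attached_sa() {
    name=$1; project=$2; role=$3; user=$4
    check_sa_name "$name" || { echo "bad service account name: $name" >&2; return 1; }
    check_role "$role" || return 1
    email=$(sa_email "$name" "$project")
    "$GCLOUD" iam service-accounts create "$name" --project="$project" || return 1
    "$GCLOUD" projects add-iam-policy-binding "$project" \
        --member="serviceAccount:$email" --role="$role" || return 1
    "$GCLOUD" iam service-accounts add-iam-policy-binding "$email" \
        --member="user:$user" --role=roles/iam.serviceAccountUser
}

# Run this on the resource itself after attaching the account: ADC on
# Compute Engine and Cloud Run obtains its identity from the metadata server,
# so the email it reports should be the account you attached.
verify_attached_identity() {
    expected=$1
    actual=$(curl -sf -H 'Metadata-Flavor: Google' \
        http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email) || {
        echo "metadata server not reachable; not running on a GCP resource?" >&2; return 1; }
    [ "$actual" = "$expected" ] || { echo "attached identity is $actual, expected $expected" >&2; return 1; }
    echo "attached identity confirmed: $actual"
}

# Usage: sh setup_sa.sh SERVICE_ACCOUNT_NAME PROJECT_ID ROLE USER_EMAIL
if [ "$#" -eq 4 ]; then
    setup_attached_sa "$@"
fi
```

Run it once as the project administrator with a predefined role such as `roles/logging.logWriter`; a basic role makes the script stop before any `gcloud` call. Step 3 of the page (granting further roles) is a second `gcloud projects add-iam-policy-binding` call with a different `--role`, which you can pass through `check_role` in the same way.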