[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-25。"],[[["\u003cp\u003eUser-managed service accounts can be attached to certain Google Cloud resources, such as Compute Engine, App Engine, and Cloud Run, allowing application code to use that service account's identity.\u003c/p\u003e\n"],["\u003cp\u003eAttaching a user-managed service account is the recommended method for providing credentials to Application Default Credentials (ADC) for production code, rather than using the default service account, which often has overly broad privileges.\u003c/p\u003e\n"],["\u003cp\u003eTo set up authentication, a user-managed service account needs to be created using the \u003ccode\u003egcloud iam service-accounts create\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eRoles must be granted to the service account to manage access to resources, using the \u003ccode\u003egcloud projects add-iam-policy-binding\u003c/code\u003e command, ensuring the use of specific predefined or custom roles rather than overly broad roles like Owner, Editor, or Viewer.\u003c/p\u003e\n"],["\u003cp\u003eThe principal attaching the service account to other resources needs the \u003ccode\u003eroles/iam.serviceAccountUser\u003c/code\u003e role, which is provided using the \u003ccode\u003egcloud iam service-accounts add-iam-policy-binding\u003c/code\u003e command.\u003c/p\u003e\n"]]],[],null,["# Set up ADC for a resource with an attached service account\n\nSome Google Cloud services---such as Compute Engine, App Engine, and\nCloud Run functions---support attaching a\n[user-managed service account](/iam/docs/service-account-types#user-created) to some types of resources.\nGenerally, attaching a service account is supported when that service's\nresources can run or include application code. When you attach a service account\nto a resource, the code running on the resource can use that service account as\nits identity.\n\nAttaching a user-managed service account is the preferred way to provide\ncredentials to ADC for production code running on Google Cloud.\n| **Note:** Many of these Google Cloud services also provide a default service account. Using the default service account is not recommended, because by default the default service account is highly privileged, which violates the [principle of least privilege](/iam/docs/using-iam-securely#least_privilege).\n\nFor help determining the roles that you need to provide to\nyour service account, see [Choose predefined roles](/iam/docs/choose-predefined-roles).\n\nFor information about which resources you can attach a service account to, and\nhelp with attaching the service account to the resource, see the\n[IAM documentation on attaching a service account](/iam/docs/attach-service-accounts#attaching-new-resource).\n\nSet up authentication:\n\n1.\n Create the service account:\n\n ```bash\n gcloud iam service-accounts create SERVICE_ACCOUNT_NAME\n ```\n\n\n Replace \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e with a name for the service account.\n2.\n To provide access to your project and your resources, grant a role to the service account:\n\n ```bash\n gcloud projects add-iam-policy-binding PROJECT_ID --member=\"serviceAccount:\u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e@\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e.iam.gserviceaccount.com\" --role=ROLE\n ```\n\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e: the name of the service account\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID where you created the service account\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the role to grant\n\n | **Note** : The `--role` flag affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles. Instead, grant a [predefined role](/iam/docs/understanding-roles#predefined_roles) or [custom role](/iam/docs/understanding-custom-roles) that meets your needs.\n3. To grant another role to the service account, run the command as you did in the previous step.\n4.\n Grant the required role to the principal that\n will attach the service account to other resources.\n\n ```bash\n gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com --member=\"user:\u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e\" --role=roles/iam.serviceAccountUser\n ```\n\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e: the name of the service account\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID where you created the service account\n - \u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e: the email address for a Google Account\n\nWhat's next\n-----------\n\n- Understand best practices for using [service accounts](/iam/docs/best-practices-service-accounts) and [service account keys](/iam/docs/best-practices-for-managing-service-account-keys).\n- Learn more about [how ADC finds credentials](/docs/authentication/application-default-credentials).\n- [Authenticate for using Cloud Client Libraries](/docs/authentication/client-libraries).\n- Explore [authentication methods](/docs/authentication)."]]
