Service agents

Some Google Cloud services have Google-managed service accounts that allow the services to access your resources. These service accounts are known as service agents. If an API requires a service agent, then Google creates the service agent at some point after you activate and use the API. You might see evidence of these service agents in several different places, including a project's allow policy and audit log entries for various services. For more information about when Google creates service agents, see Service agent creation.

If you manage your allow policies with a declarative framework or a policies-as-code system, you might want to create and grant roles to a service agent before you use the service it belongs to. In these cases, after you identify the service agent you need to create, you can trigger service agent creation yourself without using the service.

This page provides details about the service agents for all services that are publicly available, including the following:

  • The domain name used in the service agent's email address.
  • The role that the service agent is granted on the project.

    When the service agent is created, Google grants this role automatically.

Google can introduce new service agents at any time, both for existing services and for new services. Both the creation time and the email address format for service agents are subject to change.

Service agent Role
Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-aiplatform-cc.iam.gserviceaccount.com

Vertex AI Custom Code Service Agent
(roles/aiplatform.customCodeServiceAgent)

Granted on the project.

Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-aiplatform-ft.iam.gserviceaccount.com

Vertex AI Service Agent
(roles/aiplatform.serviceAgent)

Granted on the project.

Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-aiplatform-is.iam.gserviceaccount.com

None
Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-aiplatform-re.iam.gserviceaccount.com

None
Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-ri-aiplatform.iam.gserviceaccount.com

None
Primary service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com

Vertex AI Service Agent
(roles/aiplatform.serviceAgent)

Granted on the project.

Service agent for meshconfig.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-meshcontrolplane.iam.gserviceaccount.com

Mesh Managed Control Plane Service Agent
(roles/meshcontrolplane.serviceAgent)

Granted on the project.

Service agent for meshconfig.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-meshdataplane.iam.gserviceaccount.com

Mesh Data Plane Service Agent
(roles/meshdataplane.serviceAgent)

Granted on the project.

Service agent for accessapproval.googleapis.com.

For the project:

  • service-pPROJECT_NUMBER@gcp-sa-accessapproval.iam.gserviceaccount.com

For the folder:

  • service-fFOLDER_NUMBER@gcp-sa-accessapproval.iam.gserviceaccount.com

For the organization:

  • service-oORGANIZATION_NUMBER@gcp-sa-accessapproval.iam.gserviceaccount.com
None
Primary service agent for adsdatahub.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-adsdatahub.iam.gserviceaccount.com

None
Primary service agent for alloydb.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-alloydb.iam.gserviceaccount.com

AlloyDB Service Agent
(roles/alloydb.serviceAgent)

Granted on the project.

Primary service agent for anthosaudit.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-anthosaudit.iam.gserviceaccount.com

Anthos Audit Service Agent
(roles/anthosaudit.serviceAgent)

Granted on the project.

Primary service agent for anthosconfigmanagement.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

Anthos Config Management Service Agent
(roles/anthosconfigmanagement.serviceAgent)

Granted on the project.

Primary service agent for anthosidentityservice.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-anthosidentityservice.iam.gserviceaccount.com

Anthos Identity Service Agent
(roles/anthosidentityservice.serviceAgent)

Granted on the project.

Service agent for gkemulticloud.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkemulticloudcontainer.iam.gserviceaccount.com

Anthos Multi-Cloud Container Service Agent
(roles/gkemulticloud.containerServiceAgent)

Granted on the project.

Service agent for gkemulticloud.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkemulticloudcpmachine.iam.gserviceaccount.com

Anthos Multi-Cloud Control Plane Machine Service Agent
(roles/gkemulticloud.controlPlaneMachineServiceAgent)

Granted on the project.

Service agent for gkemulticloud.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkemulticloudnpmachine.iam.gserviceaccount.com

Anthos Multi-Cloud Node Pool Machine Service Agent
(roles/gkemulticloud.nodePoolMachineServiceAgent)

Granted on the project.

Primary service agent for gkemulticloud.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkemulticloud.iam.gserviceaccount.com

Anthos Multi-Cloud Service Agent
(roles/gkemulticloud.serviceAgent)

Granted on the project.

Primary service agent for anthospolicycontroller.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-anthospolicycontroller.iam.gserviceaccount.com

Anthos Policy Controller Service Agent
(roles/anthospolicycontroller.serviceAgent)

Granted on the project.

Primary service agent for anthos.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-anthos.iam.gserviceaccount.com

Anthos Service Agent
(roles/anthos.serviceAgent)

Granted on the project.

Service agent for meshconfig.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-servicemesh.iam.gserviceaccount.com

Anthos Service Mesh Service Agent
(roles/anthosservicemesh.serviceAgent)

Granted on the project.

Primary service agent for connectgateway.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com

Anthos Support Service Agent
(roles/anthossupport.serviceAgent)

Granted on the project.

Primary service agent for apigeeregistry.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-apigeeregistry.iam.gserviceaccount.com

None
Primary service agent for apigee.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com

Apigee Service Agent
(roles/apigee.serviceAgent)

Granted on the project.

Primary service agent for appdevelopmentexperience.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-appdevexperience.iam.gserviceaccount.com

App Development Experience Service Agent
(roles/appdevelopmentexperience.serviceAgent)

Granted on the project.

Primary service agent for appengineflex.googleapis.com.

service-PROJECT_NUMBER@gae-api-prod.google.com.iam.gserviceaccount.com

App Engine flexible environment Service Agent
(roles/appengineflex.serviceAgent)

Granted on the project.

Primary service agent for appenginestandard.googleapis.com.

service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com

App Engine Standard Environment Service Agent
(roles/appengine.serviceAgent)

Granted on the project.

Primary service agent for apphub.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-apphub.iam.gserviceaccount.com

None
Primary service agent for integrations.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-integrations.iam.gserviceaccount.com

Application Integration Service Agent
(roles/integrations.serviceAgent)

Granted on the project.

Primary service agent for artifactregistry.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com

Artifact Registry Service Agent
(roles/artifactregistry.serviceAgent)

Granted on the project.

Service agent for assuredworkloads.googleapis.com.

service-folder-FOLDER_NUMBER@gcp-sa-assuredworkloads.iam.gserviceaccount.com

None
Primary service agent for assuredworkloads.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-assuredworkloads.iam.gserviceaccount.com

Assured Workloads Service Agent
(roles/assuredworkloads.serviceAgent)

Granted on the project.

Service agent for securitycenter.googleapis.com.

service-org-ORGANIZATION_NUMBER@gcp-sa-asm-hpsa.iam.gserviceaccount.com

None
Service agent for auditmanager.googleapis.com.

For the project:

  • service-PROJECT_NUMBER@gcp-sa-audit-manager.iam.gserviceaccount.com

For the folder:

  • service-folder-FOLDER_NUMBER@gcp-sa-audit-manager.iam.gserviceaccount.com
None
Primary service agent for recommendationengine.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-recommendationengine.iam.gserviceaccount.com

Recommendations AI Service Agent
(roles/automlrecommendations.serviceAgent)

Granted on the project.

Primary service agent for automl.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-automl.iam.gserviceaccount.com

AutoML Service Agent
(roles/automl.serviceAgent)

Granted on the project.

Service agent for backupdr.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-backupdr-run.iam.gserviceaccount.com

None
Primary service agent for backupdr.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com

Backup and DR Service Agent
(roles/backupdr.serviceAgent)

Granted on the project.

Primary service agent for gkebackup.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com

Backup for GKE Service Agent
(roles/gkebackup.serviceAgent)

Granted on the project.

Primary service agent for baremetalsolution.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bms.iam.gserviceaccount.com

Bare Metal Solution Service Agent
(roles/baremetalsolution.serviceAgent)

Granted on the project.

Primary service agent for batch.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudbatch.iam.gserviceaccount.com

Google Batch Service Agent
(roles/batch.serviceAgent)

Granted on the project.

Service agent for bigquery.googleapis.com.

bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com

None
Service agent for bigqueryconnection.googleapis.com.
  • bqcx-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel.iam.gserviceaccount.com
  • connection-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel.iam.gserviceaccount.com
None
Primary service agent for bigqueryconnection.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bigqueryconnection.iam.gserviceaccount.com

BigQuery Connection Service Agent
(roles/bigqueryconnection.serviceAgent)

Granted on the project.

Service agent for bigquery.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bigquerytardis.iam.gserviceaccount.com

None
Primary service agent for bigquerydatatransfer.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com

BigQuery Data Transfer Service Agent
(roles/bigquerydatatransfer.serviceAgent)

Granted on the project.

Service agent for bigquery.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com

BigQuery Omni Service Agent
(roles/bigqueryomni.serviceAgent)

Granted on the project.

Service agent for bigquery.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bigqueryri.iam.gserviceaccount.com

None
Service agent for bigqueryconnection.googleapis.com.

bqcx-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-consp.iam.gserviceaccount.com

None
Service agent for bigquery.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bigqueryspark.iam.gserviceaccount.com

BigQuery Spark Service Agent
(roles/bigqueryspark.serviceAgent)

Granted on the project.

Primary service agent for binaryauthorization.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com

Binary Authorization Service Agent
(roles/binaryauthorization.serviceAgent)

Granted on the project.

Service agent for integrations.googleapis.com.

bPROJECT_NUMBER-IDENTIFIER@gcp-sa-bundles.iam.gserviceaccount.com

None
Primary service agent for chronicle.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-chronicle.iam.gserviceaccount.com

Chronicle Service Agent
(roles/chronicle.serviceAgent)

Granted on the project.

Primary service agent for notebooks.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com

AI Platform Notebooks Service Agent
(roles/notebooks.serviceAgent)

Granted on the project.

Service agent for apigateway.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com

Cloud API Gateway Management Service Agent
(roles/apigateway_management.serviceAgent)

Granted on the project.

Service agent for apigateway.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-apigateway.iam.gserviceaccount.com

Cloud API Gateway Service Agent
(roles/apigateway.serviceAgent)

Granted on the project.

Service agent for cloudasset.googleapis.com.

service-org-ORGANIZATION_NUMBER@gcp-sa-effectivepolicy.iam.gserviceaccount.com

None
Service agent for cloudasset.googleapis.com.

service-org-ORGANIZATION_NUMBER@gcp-sa-othercloudcfg.iam.gserviceaccount.com

None
Primary service agent for cloudasset.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com

Cloud Asset Service Agent
(roles/cloudasset.serviceAgent)

Granted on the project.

Primary service agent for bigtableadmin.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-bigtable.iam.gserviceaccount.com

None
Service agent for cloudbuild.googleapis.com.

PROJECT_NUMBER@cloudbuild.gserviceaccount.com

Cloud Build Service Account
(roles/cloudbuild.builds.builder)

Granted on the project.

Service agent for cloudbuild.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com

Cloud Build Service Agent
(roles/cloudbuild.serviceAgent)

Granted on the project.

Primary service agent for certificatemanager.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-certificatemanager.iam.gserviceaccount.com

Certificate Manager Service Agent
(roles/certificatemanager.serviceAgent)

Granted on the project.

Primary service agent for composer.googleapis.com.

service-PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com

Cloud Composer API Service Agent
(roles/composer.serviceAgent)

Granted on the project.

Primary service agent for dns.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-dns.iam.gserviceaccount.com

None
Primary service agent for datafusion.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com

Cloud Data Fusion API Service Agent
(roles/datafusion.serviceAgent)

Granted on the project.

Primary service agent for dlp.googleapis.com.

service-PROJECT_NUMBER@dlp-api.iam.gserviceaccount.com

DLP API Service Agent
(roles/dlp.serviceAgent)

Granted on the project.

Primary service agent for datamigration.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-datamigration.iam.gserviceaccount.com

Database Migration Service Agent
(roles/datamigration.serviceAgent)

Granted on the project.

Primary service agent for dataflow.googleapis.com.

service-PROJECT_NUMBER@dataflow-service-producer-prod.iam.gserviceaccount.com

Cloud Dataflow Service Agent
(roles/dataflow.serviceAgent)

Granted on the project.

Primary service agent for dataplex.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-dataplex.iam.gserviceaccount.com

Cloud Dataplex Service Agent
(roles/dataplex.serviceAgent)

Granted on the project.

Primary service agent for datastream.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-datastream.iam.gserviceaccount.com

Datastream Service Agent
(roles/datastream.serviceAgent)

Granted on the project.

Primary service agent for clouddeploy.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-clouddeploy.iam.gserviceaccount.com

Cloud Deploy Service Agent
(roles/clouddeploy.serviceAgent)

Granted on the project.

Primary service agent for endpoints.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-endpoints.iam.gserviceaccount.com

Cloud Endpoints Service Agent
(roles/endpoints.serviceAgent)

Granted on the project.

Primary service agent for file.googleapis.com.

service-PROJECT_NUMBER@cloud-filer.iam.gserviceaccount.com

Cloud Filestore Service Agent
(roles/file.serviceAgent)

Granted on the project.

Primary service agent for firestore.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firestore.iam.gserviceaccount.com

Firestore Service Agent
(roles/firestore.serviceAgent)

Granted on the project.

Primary service agent for healthcare.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-healthcare.iam.gserviceaccount.com

Healthcare Service Agent
(roles/healthcare.serviceAgent)

Granted on the project.

Primary service agent for identitytoolkit.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-identitytoolkit.iam.gserviceaccount.com

Identity Platform Service Agent
(roles/identitytoolkit.serviceAgent)

Granted on the project.

Service agent for cloudkms.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudkms.iam.gserviceaccount.com

Cloud KMS Service Agent
(roles/cloudkms.serviceAgent)

Granted on the project.

Primary service agent for lifesciences.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-lifesciences.iam.gserviceaccount.com

Cloud Life Sciences Service Agent
(roles/lifesciences.serviceAgent)

Granted on the project.

Service agent for logging.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-logging.iam.gserviceaccount.com

Cloud Logging Service Agent
(roles/logging.serviceAgent)

Granted on the project.

Service agent for logging.googleapis.com.

For the folder:

  • service-folder-FOLDER_NUMBER@gcp-sa-logging.iam.gserviceaccount.com

For the organization:

  • service-org-ORGANIZATION_NUMBER@gcp-sa-logging.iam.gserviceaccount.com
None
Primary service agent for managedidentities.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-mi.iam.gserviceaccount.com

Cloud Managed Identities Service Agent
(roles/managedidentities.serviceAgent)

Granted on the project.

Primary service agent for memcache.googleapis.com.

service-PROJECT_NUMBER@cloud-memcache-sa.iam.gserviceaccount.com

Cloud Memorystore Memcached Service Agent
(roles/memcache.serviceAgent)

Granted on the project.

Primary service agent for redis.googleapis.com.

service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com

Cloud Memorystore Redis Service Agent
(roles/redis.serviceAgent)

Granted on the project.

Primary service agent for migrationcenter.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-migcenter.iam.gserviceaccount.com

Migration Center Service Agent
(roles/migrationcenter.serviceAgent)

Granted on the project.

Primary service agent for networkmanagement.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-networkmanagement.iam.gserviceaccount.com

GCP Network Management Service Agent
(roles/networkmanagement.serviceAgent)

Granted on the project.

Primary service agent for cloudoptimization.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudoptim.iam.gserviceaccount.com

Cloud Optimization Service Agent
(roles/cloudoptimization.serviceAgent)

Granted on the project.

Primary service agent for pubsub.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com

Cloud Pub/Sub Service Agent
(roles/pubsub.serviceAgent)

Granted on the project.

Service agent for dlp.googleapis.com.

organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager.iam.gserviceaccount.com

None
Primary service agent for sqladmin.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com

Cloud SQL Service Agent
(roles/cloudsql.serviceAgent)

Granted on the project.

Service agent for sqladmin.googleapis.com.

For the project:

  • pPROJECT_NUMBER-IDENTIFIER@gcp-sa-cloud-sql.iam.gserviceaccount.com

For the folder:

  • fFOLDER_NUMBER-IDENTIFIER@gcp-sa-cloud-sql.iam.gserviceaccount.com

For the organization:

  • oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-cloud-sql.iam.gserviceaccount.com
None
Primary service agent for cloudscheduler.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com

Cloud Scheduler Service Agent
(roles/cloudscheduler.serviceAgent)

Granted on the project.

Service agent for securitycenter.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-scc-notification.iam.gserviceaccount.com

Security Center Notification Service Agent
(roles/securitycenter.notificationServiceAgent)

Granted on the project.

Service agent for securitycenter.googleapis.com.

service-org-ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com

None
Primary service agent for sourcerepo.googleapis.com.

service-PROJECT_NUMBER@sourcerepo-service-accounts.iam.gserviceaccount.com

Cloud Source Repositories Service Agent
(roles/sourcerepo.serviceAgent)

Granted on the project.

Primary service agent for spanner.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-spanner.iam.gserviceaccount.com

Cloud Spanner API Service Agent
(roles/spanner.serviceAgent)

Granted on the project.

Primary service agent for firebasestorage.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firebasestorage.iam.gserviceaccount.com

Cloud Storage for Firebase Service Agent
(roles/firebasestorage.serviceAgent)

Granted on the project.

Primary service agent for cloudtasks.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloudtasks.iam.gserviceaccount.com

Cloud Tasks Service Agent
(roles/cloudtasks.serviceAgent)

Granted on the project.

Primary service agent for cloudtrace.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloud-trace.iam.gserviceaccount.com

None
Primary service agent for translate.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-translation.iam.gserviceaccount.com

Cloud Translation API Service Agent
(roles/cloudtranslate.serviceAgent)

Granted on the project.

Primary service agent for vmmigration.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-vmmigration.iam.gserviceaccount.com

VM Migration Service Agent
(roles/vmmigration.serviceAgent)

Granted on the project.

Primary service agent for websecurityscanner.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-websecurityscanner.iam.gserviceaccount.com

Cloud Web Security Scanner Service Agent
(roles/websecurityscanner.serviceAgent)

Granted on the project.

Primary service agent for workflows.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-workflows.iam.gserviceaccount.com

Cloud Workflows Service Agent
(roles/workflows.serviceAgent)

Granted on the project.

Service agent for compute.googleapis.com.

service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com

Compute Engine Service Agent
(roles/compute.serviceAgent)

Granted on the project.

Service agent for compute.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-compute-usage.iam.gserviceaccount.com

None
Primary service agent for connectors.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-connectors.iam.gserviceaccount.com

Connectors Platform Service Agent
(roles/connectors.serviceAgent)

Granted on the project.

Primary service agent for contactcenterinsights.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-contactcenterinsights.iam.gserviceaccount.com

Contact Center AI Insights Service Agent
(roles/contactcenterinsights.serviceAgent)

Granted on the project.

Service agent for contactcenterinsights.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ccinsights-cmek.iam.gserviceaccount.com

None
Primary service agent for contactcenteraiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ccaip.iam.gserviceaccount.com

None
Service agent for contactcenterinsights.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com

None
Primary service agent for containeranalysis.googleapis.com.

service-PROJECT_NUMBER@container-analysis.iam.gserviceaccount.com

Container Analysis Service Agent
(roles/containeranalysis.ServiceAgent)

Granted on the project.

Primary service agent for containerscanning.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-containerscanning.iam.gserviceaccount.com

Container Scanner Service Agent
(roles/containerscanning.ServiceAgent)

Granted on the project.

Primary service agent for containerthreatdetection.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ktd-control.iam.gserviceaccount.com

Container Threat Detection Service Agent
(roles/containerthreatdetection.serviceAgent)

Granted on the project.

Service agent for containerthreatdetection.googleapis.com.

For the project:

  • service-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

For the organization:

  • service-org-ORGANIZATION_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
None
Primary service agent for contentwarehouse.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloud-cw.iam.gserviceaccount.com

Content Warehouse Service Agent
(roles/contentwarehouse.serviceAgent)

Granted on the project.

Primary service agent for dataconnectors.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-dataconnectors.iam.gserviceaccount.com

Data Connectors Service Agent
(roles/dataconnectors.serviceAgent)

Granted on the project.

Primary service agent for datalabeling.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-datalabeling.iam.gserviceaccount.com

Data Labeling Service Agent
(roles/datalabeling.serviceAgent)

Granted on the project.

Primary service agent for datapipelines.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-datapipelines.iam.gserviceaccount.com

Datapipelines Service Agent
(roles/datapipelines.serviceAgent)

Granted on the project.

Primary service agent for datastudio.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-datastudio.iam.gserviceaccount.com

Data Studio Service Agent
(roles/datastudio.serviceAgent)

Granted on the project.

Primary service agent for dataform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com

Dataform Service Agent
(roles/dataform.serviceAgent)

Granted on the project.

Primary service agent for metastore.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-metastore.iam.gserviceaccount.com

Dataproc Metastore Service Agent
(roles/metastore.serviceAgent)

Granted on the project.

Service agent for monitoring.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-monitoring.iam.gserviceaccount.com

None
Service agent for dialogflow.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-dialogflow-cmek.iam.gserviceaccount.com

None
Primary service agent for dialogflow.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-dialogflow.iam.gserviceaccount.com

Dialogflow Service Agent
(roles/dialogflow.serviceAgent)

Granted on the project.

Primary service agent for discoveryengine.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-discoveryengine.iam.gserviceaccount.com

Discovery Engine Service Agent
(roles/discoveryengine.serviceAgent)

Granted on the project.

Service agent for contentwarehouse.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloud-cw-cmek.iam.gserviceaccount.com

None
Primary service agent for documentai.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-prod-dai-core.iam.gserviceaccount.com

DocumentAI Core Service Agent
(roles/documentaicore.serviceAgent)

Granted on the project.

Service agent for edgecontainer.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-edgecontainercluster.iam.gserviceaccount.com

Edge Container Cluster Service Agent
(roles/edgecontainer.clusterServiceAgent)

Granted on the project.

Service agent for edgecontainer.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-edgecontainergcr.iam.gserviceaccount.com

None
Primary service agent for edgecontainer.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-edgecontainer.iam.gserviceaccount.com

Edge Container Service Agent
(roles/edgecontainer.serviceAgent)

Granted on the project.

Primary service agent for enterpriseknowledgegraph.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-cloud-ekg.iam.gserviceaccount.com

Enterprise Knowledge Graph Service Agent
(roles/enterpriseknowledgegraph.serviceAgent)

Granted on the project.

Primary service agent for eventarc.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com

Eventarc Service Agent
(roles/eventarc.serviceAgent)

Granted on the project.

Primary service agent for cloudkms.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com

None
Primary service agent for firebaseappcheck.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firebaseappcheck.iam.gserviceaccount.com

Firebase App Check Service Agent
(roles/firebaseappcheck.serviceAgent)

Granted on the project.

Primary service agent for firebaseextensions.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firebasemods.iam.gserviceaccount.com

Firebase Extensions API Service Agent
(roles/firebasemods.serviceAgent)

Granted on the project.

Primary service agent for firebaseml.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firebaseml.iam.gserviceaccount.com

None
Service agent for firebase.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firebase.iam.gserviceaccount.com

Firebase Service Management Service Agent
(roles/firebase.managementServiceAgent)

Granted on the project.

Primary service agent for firebasedatabase.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firebasedatabase.iam.gserviceaccount.com

Firebase Realtime Database Service Agent
(roles/firebasedatabase.serviceAgent)

Granted on the project.

Primary service agent for firebaserules.googleapis.com.

service-PROJECT_NUMBER@firebase-rules.iam.gserviceaccount.com

Firebase Rules System
(roles/firebaserules.system)

Granted on the project.

Primary service agent for firewallinsights.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-firewallinsights.iam.gserviceaccount.com

Cloud Firewall Insights Service Agent
(roles/firewallinsights.serviceAgent)

Granted on the project.

Primary service agent for gsuiteaddons.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gsuiteaddons.iam.gserviceaccount.com

None
Primary service agent for gkedataplanev2.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkedataplanev2.iam.gserviceaccount.com

None
Primary service agent for gkehub.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkehub.iam.gserviceaccount.com

GKE Hub Service Agent
(roles/gkehub.serviceAgent)

Granted on the project.

Primary service agent for gkeonprem.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkeonprem.iam.gserviceaccount.com

GKE On-Prem Service Agent
(roles/gkeonprem.serviceAgent)

Granted on the project.

Primary service agent for dataproc.googleapis.com.

service-PROJECT_NUMBER@dataproc-accounts.iam.gserviceaccount.com

Dataproc Service Agent
(roles/dataproc.serviceAgent)

Granted on the project.

Primary service agent for cloudfunctions.googleapis.com.

service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com

Cloud Functions Service Agent
(roles/cloudfunctions.serviceAgent)

Granted on the project.

Primary service agent for ml.googleapis.com.

service-PROJECT_NUMBER@cloud-ml.google.com.iam.gserviceaccount.com

AI Platform Service Agent
(roles/ml.serviceAgent)

Granted on the project.

Primary service agent for netapp.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-netapp.iam.gserviceaccount.com

None
Service agent for osconfig.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-osconfig-rollout.iam.gserviceaccount.com

None
Primary service agent for osconfig.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-osconfig.iam.gserviceaccount.com

Cloud OS Config Service Agent
(roles/osconfig.serviceAgent)

Granted on the project.

Primary service agent for parallelstore.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-parallelstore.iam.gserviceaccount.com

Parallelstore Service Agent
(roles/parallelstore.serviceAgent)

Granted on the project.

Primary service agent for run.googleapis.com.

service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com

Cloud Run Service Agent
(roles/run.serviceAgent)

Granted on the project.

Primary service agent for containerregistry.googleapis.com.

service-PROJECT_NUMBER@containerregistry.iam.gserviceaccount.com

Container Registry Service Agent
(roles/containerregistry.ServiceAgent)

Granted on the project.

Service agent for storage.googleapis.com.

service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com

None
Primary service agent for iap.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com

None
Primary service agent for config.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-config.iam.gserviceaccount.com

Infrastructure Manager Service Agent
(roles/cloudconfig.serviceAgent)

Granted on the project.

Service agent for securitycenter.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ivs.iam.gserviceaccount.com

None
Service agent for chronicle.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-chronicle-spanner.iam.gserviceaccount.com

None
Service agent for firestore.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-fs-spanner.iam.gserviceaccount.com

None
Primary service agent for issuerswitch.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-issuerswitch.iam.gserviceaccount.com

None
Service agent for krmapihosting.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-krmapihosting.iam.gserviceaccount.com

KRM API Hosting Service Agent
(roles/krmapihosting.serviceAgent)

Granted on the project.

Service agent for krmapihosting.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com

KRM API Hosting AnthosApiEndpoint Service Agent
(roles/krmapihosting.anthosApiEndpointServiceAgent)

Granted on the project.

Service agent for container.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-gkenode.iam.gserviceaccount.com

Kubernetes Engine Node Service Agent
(roles/container.nodeServiceAgent)

Granted on the project.

Primary service agent for container.googleapis.com.

service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com

Kubernetes Engine Service Agent
(roles/container.serviceAgent)

Granted on the project.

Primary service agent for livestream.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-livestream.iam.gserviceaccount.com

Live Stream Service Agent
(roles/livestream.serviceAgent)

Granted on the project.

Service agent for logging.googleapis.com.

For the project:

  • pPROJECT_NUMBER-IDENTIFIER@gcp-sa-logging.iam.gserviceaccount.com

For the folder:

  • fFOLDER_NUMBER-IDENTIFIER@gcp-sa-logging.iam.gserviceaccount.com

For the organization:

  • oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-logging.iam.gserviceaccount.com
None
Primary service agent for looker.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-looker.iam.gserviceaccount.com

Looker Service Agent
(roles/looker.serviceAgent)

Granted on the project.

Primary service agent for meshconfig.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-meshconfig.iam.gserviceaccount.com

Mesh Config Service Agent
(roles/meshconfig.serviceAgent)

Granted on the project.

Primary service agent for monitoring.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-monitoring-notification.iam.gserviceaccount.com

Monitoring Service Agent
(roles/monitoring.notificationServiceAgent)

Granted on the project.

Primary service agent for multiclusteringress.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-multiclusteringress.iam.gserviceaccount.com

Multi Cluster Ingress Service Agent
(roles/multiclusteringress.serviceAgent)

Granted on the project.

Primary service agent for multiclustermetering.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-mcmetering.iam.gserviceaccount.com

Multi-cluster metering Service Agent
(roles/multiclustermetering.serviceAgent)

Granted on the project.

Primary service agent for multiclusterservicediscovery.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-mcsd.iam.gserviceaccount.com

Multi-Cluster Service Discovery Service Agent
(roles/multiclusterservicediscovery.serviceAgent)

Granted on the project.

Service agent for networkservices.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-networkactions.iam.gserviceaccount.com

Network Actions Service Agent
(roles/networkactions.serviceAgent)

Granted on the project.

Primary service agent for networkconnectivity.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-networkconnectivity.iam.gserviceaccount.com

Network Connectivity Service Agent
(roles/networkconnectivity.serviceAgent)

Granted on the project.

Primary service agent for networksecurity.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-networksecurity.iam.gserviceaccount.com

None
Primary service agent for ondemandscanning.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-ondemandscanning.iam.gserviceaccount.com

On-Demand Scanning Service Agent
(roles/ondemandscanning.serviceAgent)

Granted on the project.

Service agent for integrations.googleapis.com.

For the project:

  • pPROJECT_NUMBER-IDENTIFIER@gcp-sa-playbooks.iam.gserviceaccount.com

For the folder:

  • fFOLDER_NUMBER-IDENTIFIER@gcp-sa-playbooks.iam.gserviceaccount.com

For the organization:

  • oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-playbooks.iam.gserviceaccount.com
None
Service agent for policyremediator.googleapis.com.

service-org-ORGANIZATION_NUMBER@gcp-sa-v1-remediator.iam.gserviceaccount.com

None
Primary service agent for privateca.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com

None
Primary service agent for pubsublite.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-pubsublite.iam.gserviceaccount.com

Pub/Sub Lite Service Agent
(roles/pubsublite.serviceAgent)

Granted on the project.

Primary service agent for rapidmigrationassessment.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-rma.iam.gserviceaccount.com

RMA Service Agent
(roles/rapidmigrationassessment.serviceAgent)

Granted on the project.

Primary service agent for remotebuildexecution.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-rbe.iam.gserviceaccount.com

None
Service agent for remotebuildexecution.googleapis.com.

service-PROJECT_NUMBER@remotebuildexecution.iam.gserviceaccount.com

Remote Build Execution Service Agent
(roles/remotebuildexecution.serviceAgent)

Granted on the project.

Service agent for remotebuildexecution.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-remotebuild.iam.gserviceaccount.com

Remote Build Execution Service Agent
(roles/remotebuildexecution.serviceAgent)

Granted on the project.

Primary service agent for retail.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-retail.iam.gserviceaccount.com

Retail Service Agent
(roles/retail.serviceAgent)

Granted on the project.

Primary service agent for secretmanager.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-secretmanager.iam.gserviceaccount.com

None
Service agent for networkservices.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-securewebproxy.iam.gserviceaccount.com

None
Primary service agent for securedlandingzone.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-slz.iam.gserviceaccount.com

Secured Landing Zone Service Agent
(roles/securedlandingzone.serviceAgent)

Granted on the project.

Primary service agent for runapps.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-runapps.iam.gserviceaccount.com

Serverless Integrations Service Agent
(roles/runapps.serviceAgent)

Granted on the project.

Primary service agent for vpcaccess.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com

Serverless VPC Access Service Agent
(roles/vpcaccess.serviceAgent)

Granted on the project.

Primary service agent for serviceconsumermanagement.googleapis.com.

service-PROJECT_NUMBER@service-consumer-management.iam.gserviceaccount.com

None
Primary service agent for servicedirectory.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-servicedirectory.iam.gserviceaccount.com

Service Directory Service Agent
(roles/servicedirectory.serviceAgent)

Granted on the project.

Primary service agent for servicenetworking.googleapis.com.

service-PROJECT_NUMBER@service-networking.iam.gserviceaccount.com

Service Networking Service Agent
(roles/servicenetworking.serviceAgent)

Granted on the project.

Primary service agent for sasportal.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-spectrumsas.iam.gserviceaccount.com

None
Primary service agent for speech.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-speech.iam.gserviceaccount.com

Cloud Speech-to-Text Service Agent
(roles/speech.serviceAgent)

Granted on the project.

Primary service agent for storageinsights.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-storageinsights.iam.gserviceaccount.com

StorageInsights Service Agent
(roles/storageinsights.serviceAgent)

Granted on the project.

Service agent for storagetransfer.googleapis.com.

project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com

None
Primary service agent for stream.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-stream.iam.gserviceaccount.com

Stream Service Agent
(roles/stream.serviceAgent)

Granted on the project.

Primary service agent for tpu.googleapis.com.

service-PROJECT_NUMBER@cloud-tpu.iam.gserviceaccount.com

Cloud TPU API Service Agent
(roles/tpu.serviceAgent)

Granted on the project.

Service agent for tpu.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-tpu.iam.gserviceaccount.com

Cloud TPU V2 API Service Agent
(roles/cloudtpu.serviceAgent)

Granted on the project.

Primary service agent for transcoder.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com

Transcoder Service Agent
(roles/transcoder.serviceAgent)

Granted on the project.

Primary service agent for transferappliance.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-transferappliance.iam.gserviceaccount.com

None
Primary service agent for vmwareengine.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-vmwareengine.iam.gserviceaccount.com

VMware Engine Service Agent
(roles/vmwareengine.serviceAgent)

Granted on the project.

Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-vertex-nb.iam.gserviceaccount.com

None
Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-aiplatform-vm.iam.gserviceaccount.com

Vertex AI Notebook Service Agent
(roles/aiplatform.notebookServiceAgent)

Granted on the project.

Service agent for aiplatform.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-vertex-tune.iam.gserviceaccount.com

None
Service agent for securitycenter.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-scc-vmtd.iam.gserviceaccount.com

None
Primary service agent for visionai.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-visionai.iam.gserviceaccount.com

Cloud Vision AI Service Agent
(roles/visionai.serviceAgent)

Granted on the project.

Primary service agent for workloadmanager.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-workloadmanager.iam.gserviceaccount.com

Workload Manager Service Agent
(roles/workloadmanager.serviceAgent)

Granted on the project.

Primary service agent for workstations.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com

Workstations Service Agent
(roles/workstations.serviceAgent)

Granted on the project.

Service agent for workstations.googleapis.com.

service-PROJECT_NUMBER@gcp-sa-workstationsvm.iam.gserviceaccount.com

None