This page describes the service accounts created and managed by Cloud Workstations. Cloud Workstations creates two service accounts:
- the Cloud Workstations Service Agent
- the Cloud Workstations VM Default Service Account
Google owns these accounts, but they are specific to your project. They are deleted only when you delete your project. You might encounter service disruptions if you change the permissions granted to these service accounts.
Cloud Workstations Service Agent
The Cloud Workstations Service Agent uses the following email format:
service-PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com
This service agent allows Cloud Workstations to perform service duties on your project. By default, this service agent is automatically granted the Workstations Service Agent (roles/workstations.serviceAgent) IAM role on your project.
Revoking or changing the permissions for this service agent prevents Cloud Workstations from accessing the compute and network resources that back your workstations. To avoid service disruptions, don't modify the service agent's permissions.
Cloud Workstations VM Default Service Account
Workstations are hosted on Compute Engine instances. When you create a workstation, you can specify a service account to attach to the underlying Compute Engine instance. If you don't specify a service account, the Cloud Workstations VM Default Service Account for your project is used.
The Cloud Workstations VM Default Service Account uses the following email format:
service-PROJECT_NUMBER@gcp-sa-workstationsvm.iam.gserviceaccount.com
Using the Cloud Workstations VM Default Service Account has the following limitations:
- Cloud Workstations container output logging is not supported.
- Impersonating a service account is not supported.
- You cannot use ssh to connect to the VM assigned to the workstations that use this configuration.
To avoid these limitations, you can specify a service account on your workstation configuration. For more information, see Customize the environment.
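The two points above that matter operationally are easy to check in an audit: whether the service agent still holds roles/workstations.serviceAgent (so that the service is not silently broken by a permission change), and which workstation configurations fall back to the VM Default Service Account (and therefore inherit its limitations). The following script is an added example, not code from the Cloud Workstations documentation or from Google. It assumes the IAM policy document has the shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json` and that a workstation configuration object carries its attached service account at `host.gceInstance.serviceAccount`, as in the WorkstationConfig API resource; both inputs below are constructed samples, not real project data.

```python
"""Audit helpers for the two Cloud Workstations service accounts.

Added example, not part of the Cloud Workstations docs. Assumptions:
- `policy` has the shape of `gcloud projects get-iam-policy --format=json`
  ({"bindings": [{"role": ..., "members": [...]}, ...]}).
- each workstation config object has the WorkstationConfig API shape, with the
  attached service account at host.gceInstance.serviceAccount (absent when
  none was specified, in which case the VM default SA is used).
"""

SERVICE_AGENT_ROLE = "roles/workstations.serviceAgent"


def service_agent_email(project_number: str) -> str:
    """Email of the Cloud Workstations Service Agent for a project number."""
    return f"service-{project_number}@gcp-sa-workstations.iam.gserviceaccount.com"


def vm_default_sa_email(project_number: str) -> str:
    """Email of the Cloud Workstations VM Default Service Account."""
    return f"service-{project_number}@gcp-sa-workstationsvm.iam.gserviceaccount.com"


def roles_for_member(policy: dict, member: str) -> set:
    """All roles bound to `member` (e.g. 'serviceAccount:...') in the policy."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def check_service_agent(policy: dict, project_number: str) -> dict:
    """Report whether the service agent still holds its required role.

    A missing role means someone revoked or changed the agent's permissions,
    which the docs warn breaks access to the backing compute/network resources.
    """
    member = "serviceAccount:" + service_agent_email(project_number)
    roles = roles_for_member(policy, member)
    return {
        "member": member,
        "has_required_role": SERVICE_AGENT_ROLE in roles,
        "roles": sorted(roles),
    }


def configs_using_vm_default(configs: list, project_number: str) -> list:
    """Names of workstation configs that run on the VM Default Service Account.

    Flags both configs with no service account set (the implicit default) and
    configs that name the default SA explicitly; these inherit the documented
    limitations (no container output logging, no impersonation, no ssh).
    """
    default_sa = vm_default_sa_email(project_number)
    flagged = []
    for cfg in configs:
        attached = cfg.get("host", {}).get("gceInstance", {}).get("serviceAccount")
        if not attached or attached == default_sa:
            flagged.append(cfg["name"])
    return flagged


# ---- constructed sample inputs (not real project data) ----
PROJECT_NUMBER = "123456789012"

POLICY_INTACT = {
    "bindings": [
        {"role": SERVICE_AGENT_ROLE,
         "members": ["serviceAccount:" + service_agent_email(PROJECT_NUMBER)]},
        {"role": "roles/viewer", "members": ["user:dev@example.com"]},
    ]
}

# Same policy after the agent's role was swapped for a narrower one.
POLICY_DRIFTED = {
    "bindings": [
        {"role": "roles/compute.viewer",
         "members": ["serviceAccount:" + service_agent_email(PROJECT_NUMBER)]},
    ]
}

SAMPLE_CONFIGS = [
    {"name": "cfg-dedicated",
     "host": {"gceInstance": {"serviceAccount": "ws-runner@example-project.iam.gserviceaccount.com"}}},
    {"name": "cfg-unset", "host": {"gceInstance": {}}},
    {"name": "cfg-default-explicit",
     "host": {"gceInstance": {"serviceAccount": vm_default_sa_email(PROJECT_NUMBER)}}},
]

if __name__ == "__main__":
    print(check_service_agent(POLICY_INTACT, PROJECT_NUMBER))
    print(check_service_agent(POLICY_DRIFTED, PROJECT_NUMBER))
    print(configs_using_vm_default(SAMPLE_CONFIGS, PROJECT_NUMBER))
```

In practice you would feed `check_service_agent` the JSON from `gcloud projects get-iam-policy` and `configs_using_vm_default` the output of `gcloud workstations configs list --format=json`; a config in the flagged list is a candidate for attaching a dedicated service account as the page recommends.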