Basics of Service Accounts and Roles


A unique type of Google account called a “service account” gives authorization to virtual machines rather than to specific users. The main purpose of service accounts is to provide controlled and secure connections to APIs and GCP services. Any of his GCP projects must have a security feature that grants access to trusted connections while blocking malicious ones. You will gain practical experience while learning the specifics of service accounts in this lab.

Exercise types

  • You will learn how to: in this lab.
  • Create and manage service accounts.
  • Make a virtual computer, then link a service account to it.
  • Using a client library, access Big Query from a service account.
  • From your GCE instance, run queries against Big Query’s public datasets.



This lab is on the entry level. However, we anticipate that students will have little to no prior understanding of service accounts. Experience with Cloud IAM is desired. For more challenging hands-on practice on this subject, look at the labs below.

  • Network peering for VPC
  • Establishing a personal Kubernetes cluster
  • Creating a VPN with a high throughput

Scroll down to set up your lab setup when you’re ready.


Earlier than pressing the Start Lab button.

Please read the following instructions. Time in the lab is recorded and cannot be stopped. When you click Start Lab, a timer that counts down from that point shows when Google Cloud services are accessible.

Instead of using a simulation or demo environment, this Qwiklabs hands-on lab enables you to carry out the lab tasks on your own using a genuine cloud environment. As a result, you will be given fresh temporary login information to use while completing the lab.

Required items

You’ll need the following to finish this lab:

  • Conventional Internet browser (Chrome is recommended)
  • sufficient time to finish the lab

Please refrain from using your personal Google Cloud projects or accounts in the lab, even if you already have them.

Note: To perform this experiment on a Chrome OS device, enter an incognito window.

How to launch a lab and access the Google Cloud dashboard

  1. Select “Start Lab” from the menu. Please choose your payment option in the pop-up that appears if you need to pay for the lab. According to the Lab Details tab on the left,
  • Clicking the Open Google Console button
  • Expires soon
  • You will need to utilize temporary credentials for this lab.
  • Any other details need to finish this lab (if any)
  1. Click Google Console to open it. The resource will start up in the lab and open a new tab with the login page.

To keep them side by side, open each tab in a separate window.

  1. Alternatively, copy the Username from the Lab Details window and paste it into the Login dialogue. Activate Next.
  2. From the Lab Details panel, copy the password, and then paste it in the Welcome dialogue. Select Next.
  3. Then carry out the following:
  • Please accept the terms of usage.
  • Do not configure recovery settings or two-factor authentication for this temporary account.
  • Do not register for a trial period.

This tab will then open with the Cloud Console.

Google Cloud Shell activation

A virtual machine stocked with developer tools is called Google Cloud Shell. It utilises Google Cloud and has a 5 GB permanent home directory. Access to GCP resources via the command line is provided by Google Cloud Shell.

In the GCP Console’s upper right toolbar, select the Activate Cloud Shell button.

It will take some time to provision and link the environment. The project is set to PROJECT ID when I join, and I am already authenticated. For illustration:

The Google Cloud Platform’s command-line tool is called gcloud. This pre-installed application supports tab completion and is included with Cloud Shell.

With the following command, you can list valid account names:

A service account is what?

A service account is a unique Google account that is associated with an application or virtual machine (VM) as opposed to a specific end user. To use the service’s Google APIs, your application uses the service account. No user participation is necessary.

You can provide a service account access to the required resources, for instance, if that account manages your Compute Engine virtual machines. Thus, the service account becomes its identity, and the resources it can access are determined by the service account’s permissions.

An account-specific email address serves as a service account’s unique identifier.

Type of service account

service accounts handled by users.

If the Compute Engine API is enabled for your project, a Compute Engine service account is immediately generated by default when you start a new Cloud project using the GCP Console. You can tell this by looking at your email address.

A default App Engine service account is generated in your project by default if it has an App Engine application. You can tell this by looking at your email address.

Managed Service Account by Google

You could notice more service accounts in your project’s IAM policies and in the GCP Console in addition to user-managed service accounts. These service accounts, which represent different Google services, were developed and are owned by Google. Each account is given an IAM role to access his GCP project automatically.

Account for the Google API

A Google API service account, which may be recognised by an email address, is an illustration of a Google-managed service account.

This service account is not included in the Service Accounts section of the GCP Console and is made to automatically conduct internal Google processes. This account will show up in the IAM area of the GCP Console by default and receive the Editor role for that project.

Only when the project is deleted is this service account also deactivated. Don’t remove or modify the role of a service account on a project because Google services depend on accounts with access to projects.

Making and maintaining service accounts

For each new Cloud project you begin, Google Cloud Platform automatically creates a Compute Engine service account and an App Engine service account. Your project enables you to set up as many as 98 service accounts to control resource access.

Register for a service account.

Similar to adding people to a project, creating a service account belongs to an application rather than a specific end user.

Run the following command in Cloud Shell to create the service account:

The service account is displayed in the command’s output. For instance:

Give service accounts roles.

When assigning IAM roles, you can treat service accounts as resources or identities.

Applications use service accounts as identities to access Google Cloud Platform services through authentication. You can give the project (resource) service account the editor role, for instance, if you run your Compute Engine virtual machine (VM) as a service account (identity).

You can also decide who can start the VM. Giving the user (identity) the serviceAccountUser role on the service account (resource) achieves this goal.

Give a service account access to a role on a resource.

A service account is given the ability to carry out specific activities on resources in your Cloud Platform project when a role is assigned to it. For instance, the storage.admina service account with the role can handle the objects and buckets in Google Cloud Storage.

Run the following command in Cloud Shell to assign a role to the service account you created:

The roles that are currently assigned to the service account are listed in the output.

To make sure you’re on track with your objectives, click Check Progress.

knowing the role

An identity in Google Cloud Identity and Access Management must have the necessary rights to use resources before calling Google Cloud Platform APIs. Roles are given to users, groups, or service accounts in order to grant permissions.

Type of Roles

In Cloud IAM, three different roles are available:

  • Primitive Roles: These include the Owner, Editor, and Viewer roles that were in place before Cloud IAM was introduced.
  • Predefined roles: grant granular access to particular services (managed by GCP).
  • Custom Roles: These roles offer granular access based on a user-defined set of privileges.

See IAM Roles for further details.

Using client libraries, access BigQuery from a service account.

Using a service account with the necessary roles, you will query a public dataset in BigQuery from your instance in this step.

Establish a service account.

In the GCP Console, first create a new service account.

Select Service Accounts from the Navigation Menu > IAM & Admin menu, then click + Create Service Account.

Enter the necessary data below.

  • Name of the service account: bigquery-qwiklab

To add the following roles, click Create and Continue after that:

  • BigQuery Data Viewer and BigQuery User are two roles.

The computer displays:

Click Finish after selecting Continue.

Make a virtual machine.

Choose Compute Engine > VM Instances > Create Instance from the Google Cloud Console.

Create a virtual machine using the following details:

Select Create.

Install the test code on your GCE instance.

Go to Compute Engine > VM Instances in the Google Cloud Console. Click the [SSH] button on big query-instance to establish an SSH connection.

By executing the following command, the package list will be downloaded and updated:

To install packages to a location separate from your system, use a Python virtual environment.

Get your virtual environment going.

Run the instructions listed below to install the necessary dependencies in an SSH window.

Make a sample Python file next. Use the following command to add your project ID to the:

seed Run the following command to confirm that the command successfully altered the project ID in the file:

Example output (fictitious)

Use the following command to add the service account email address to

Run the following command to ensure that the seed script updated the service account email in the file as intended:

Example output (fictitious)

The permissions linked to this service account are now available for use by your application. Then use the Python command below to execute the query.

The output should resemble what follows:

You’re done now. big query-qwiklabA service account was used to make a request to a Big Query public dataset.

To make sure you’re on track with your objectives, click Check Progress.

Jack Harry
Jack Harry
Articles: 19

Leave a Reply

Your email address will not be published. Required fields are marked *