GCP Service Account - ghdrako/doc_snipets GitHub Wiki

Service Account

service account

An identity that an instance or an application can use to run API requests on your behalf.

Default Compute Engine service account

  • Automatically created per project with an auto-generated name and the email address PROJECT_NUMBER-compute@developer.gserviceaccount.com
  • Automatically added as a project Editor
  • Enabled by default on all instances created using gcloud or the GCP Console

Service accounts authenticate with keys.

Types of service accounts:

  • Google-managed: keys cannot be downloaded and are rotated automatically. Managed by Google for many Google Cloud services, to run internal Google processes on your behalf. Example: the Google APIs Service Agent (<project_number>@cloudservices.gserviceaccount.com, IAM role: Editor), used when you enable APIs or services that need it.
  • User-managed: you create, manage, and rotate the keys yourself (serviceAccounts.keys.create(), serviceAccounts.keys.delete()).
    • User-managed service accounts include the default service accounts. These are user-managed service accounts created when you use some Google Cloud services, to help you get started. Examples: the App Engine default service account <PROJECT_ID>@appspot.gserviceaccount.com and the Compute Engine default service account <PROJECT_NUMBER>-compute@developer.gserviceaccount.com. Default service accounts are generally granted the Editor role on your project. In production this is usually too much, so it is recommended to create your own user-managed service accounts and grant them more restrictive roles.
  • Default service account (a special case of user-managed, see above)
gcloud iam service-accounts list # list user-managed service accounts
gcloud projects get-iam-policy PROJECT # see all service accounts, including Google-managed ones, with their project role bindings
gcloud iam service-accounts create <NAME> # create a user-managed service account in the current project, with no role assignment
gcloud iam service-accounts create <NAME> \
--display-name 'DISPLAY_NAME' \
--description 'DESCRIPTION'
gcloud iam service-accounts describe <SERVICE_ACCOUNT> # show info about the service account, including description and display name
gcloud iam service-accounts update <NAME> \
--display-name 'DISPLAY_NAME' \
--description 'DESCRIPTION'
gcloud iam service-accounts get-iam-policy <SERVICE_ACCOUNT>
gcloud iam service-accounts disable <SERVICE_ACCOUNT>
gcloud iam service-accounts enable <SERVICE_ACCOUNT>
gcloud iam service-accounts delete <SERVICE_ACCOUNT>
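The notes above say that default service accounts usually hold the Editor role and that this is too broad for production. The following is an added example (not code from the ghdrako/doc_snipets wiki) that reads the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json` and reports every default service account (Compute Engine or App Engine pattern) bound to Editor or Owner. The policy, project number and project id in the block are constructed for the demo.

```python
"""Audit a project IAM policy for default service accounts that still hold
broad primitive roles (Editor/Owner).

Added example, not code from the ghdrako/doc_snipets wiki. Input is the JSON
produced by `gcloud projects get-iam-policy PROJECT --format=json`. The policy
below is constructed: project number 123456789012, project id demo-project.
"""
import json
import re

# Well-known email patterns of the default service accounts (see the notes above).
DEFAULT_SA_PATTERNS = [
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),     # Compute Engine default
    re.compile(r"^[a-z][-a-z0-9]*@appspot\.gserviceaccount\.com$"),   # App Engine default
]
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy in the shape gcloud prints.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "serviceAccount:demo-project@appspot.gserviceaccount.com"]},
        {"role": "roles/cloudsql.viewer",
         "members": ["serviceAccount:app-backend@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyz", "version": 1,
})


def is_default_service_account(email):
    """True when the email matches one of the default service account patterns."""
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def find_overprivileged_defaults(policy_json):
    """Return sorted (email, role) pairs for default service accounts bound to a broad role."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount" and is_default_service_account(email):
                findings.append((email, binding["role"]))
    return sorted(findings)


if __name__ == "__main__":
    for email, role in find_overprivileged_defaults(SAMPLE_POLICY):
        print(f"{email} holds {role}; move the workload to a user-managed SA with a narrower role")
```

Run it against a real project with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and pass the file contents to `find_overprivileged_defaults`. Bindings that carry an IAM condition are treated as granted, which is the conservative choice for an audit.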

Roles to manage service accounts:

  • Create Service Account roles/iam.serviceAccountCreator
  • Delete Service Account roles/iam.serviceAccountDeleter
  • Service Account User roles/iam.serviceAccountUser - run operations as the service account, attach service accounts to certain resources
  • Service Account Admin roles/iam.serviceAccountAdmin - very powerful
  • Service Account Key Admin roles/iam.serviceAccountKeyAdmin - create/upload/delete service account keys; no role is needed to use a generated key to activate the service account
  • Service Account Token Creator roles/iam.serviceAccountTokenCreator - create OAuth2 tokens, impersonate service accounts, sign blobs, generate self-signed JWTs

Managing Service Account Keys

  • rotating keys

Best practice: rotate service account keys frequently, replacing the old key with a new one: 1. Generate a new key 2. Replace the old key with the new one 3. Delete the old key

gcloud iam service-accounts keys upload PUB_KEY_FILE --iam-account=SERVICE_ACCOUNT # upload your own generated public key to the service account
gcloud iam service-accounts keys create OUTPUT_FILE --iam-account=SERVICE_ACCOUNT # Google generates the key pair and saves the private key in OUTPUT_FILE; this is the only time the private key is provided to you. Requires the Service Account Key Admin role

# to generate a key via the Google Cloud REST API instead:
curl --request POST \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  'https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys' # generate key via API
gcloud iam service-accounts keys list --iam-account=SERVICE_ACCOUNT # list existing keys with their KEY_ID (needed to delete a key)
gcloud iam service-accounts keys delete KEY_ID --iam-account=SERVICE_ACCOUNT # delete the key with KEY_ID
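Step 3 of the rotation above (delete the old key) needs the KEY_ID from `keys list`, and that listing also contains the Google-managed (SYSTEM_MANAGED) keys, which rotate on their own and must be left alone. The following is an added example (not code from the wiki) that takes the JSON from `gcloud iam service-accounts keys list --iam-account=SA --format=json`, picks the user-managed keys other than the newly created one, flags keys older than a maximum age, and builds the delete commands. The service account email, key ids and timestamps are constructed; the `name`, `keyType` and `validAfterTime` fields are those of the IAM API key resource.

```python
"""Select which keys to delete in the last step of a key rotation.

Added example, not code from the ghdrako/doc_snipets wiki. Input is the JSON
list printed by `gcloud iam service-accounts keys list --iam-account=SA --format=json`.
The listing below is constructed; the SA email and key ids are made up.
"""
import json
from datetime import datetime, timedelta, timezone

SA = "app-backend@demo-project.iam.gserviceaccount.com"  # constructed
NEW_KEY_ID = "0f3a7c1e9b2d4a6f"                           # id of the key created in step 1 (constructed)

# Constructed listing: the new user key, one old user key, one Google-managed key.
SAMPLE_KEYS = json.dumps([
    {"name": f"projects/demo-project/serviceAccounts/{SA}/keys/{NEW_KEY_ID}",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T10:00:00Z"},
    {"name": f"projects/demo-project/serviceAccounts/{SA}/keys/a1b2c3d4e5f60718",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-01-15T08:30:00Z"},
    {"name": f"projects/demo-project/serviceAccounts/{SA}/keys/9e8d7c6b5a4f3e2d",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-04-28T00:00:00Z"},
])


def key_id(name):
    """KEY_ID is the last path segment of the key resource name."""
    return name.rsplit("/", 1)[-1]


def keys_to_delete(keys_json, new_key_id):
    """All user-managed keys except the new one. SYSTEM_MANAGED keys are
    skipped: they are Google's, rotate automatically and cannot be deleted by you."""
    return sorted(
        key_id(k["name"]) for k in json.loads(keys_json)
        if k["keyType"] == "USER_MANAGED" and key_id(k["name"]) != new_key_id
    )


def stale_keys(keys_json, now, max_age_days=90):
    """User-managed keys older than max_age_days: rotation is overdue for these."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for k in json.loads(keys_json):
        if k["keyType"] != "USER_MANAGED":
            continue
        created = datetime.strptime(k["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if created < cutoff:
            stale.append(key_id(k["name"]))
    return sorted(stale)


def delete_commands(keys_json, new_key_id, sa=SA):
    """The gcloud commands for step 3, one per old key."""
    return [f"gcloud iam service-accounts keys delete {kid} --iam-account={sa}"
            for kid in keys_to_delete(keys_json, new_key_id)]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("overdue:", stale_keys(SAMPLE_KEYS, now))
    for cmd in delete_commands(SAMPLE_KEYS, NEW_KEY_ID):
        print(cmd)
```

Run the delete commands only after every consumer has been switched to the new key (step 2); deleting first locks out whatever still uses the old key.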

Activate a service account - to use a service account when we have its key

gcloud auth activate-service-account <service-account-name> --key-file=key.json
gcloud auth list

gcloud auth revoke SERVICE_ACCOUNT_EMAIL
gcloud auth revoke --all
gcloud config set account SERVICE_ACCOUNT_EMAIL

Impersonate a service account - use a service account when we don't have its key

  • requires the Service Account Token Creator role

The flag --impersonate-service-account works on all gcloud commands and is the most straightforward example of how to use the Token Creator role. This role allows creating short-lived credentials and generating service account access tokens, so requests can be sent to the Google Cloud REST API as the service account.

gcloud <group> <command> --impersonate-service-account <sa name>
gcloud sql instances delete <sql-instance-name> --impersonate-service-account <sa name> # needs the Service Account Token Creator role

Short-lived service account credentials

  • a user with the Service Account Token Creator role can create OAuth2 tokens for the service account and run gcloud commands as it:
gcloud GROUP COMMAND --impersonate-service-account SERVICE_ACCOUNT # no key required

If a principal has the Service Account User role on a service account, and the service account has the Cloud SQL Admin role (roles/cloudsql.admin) on the project, then the principal can impersonate the service account to create a Cloud SQL instance. The Service Account User role allows that person to use the service account. You can grant it to a specific user, group, or domain.
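The chain described above (principal holds Service Account User or Token Creator on a service account, the service account holds a role on the project) is what to look for when reviewing who can effectively act with which permissions. The following is an added example (not code from the wiki) that combines the JSON of `gcloud projects get-iam-policy` with the JSON of `gcloud iam service-accounts get-iam-policy SA` for each service account and reports, per principal, which service accounts it can impersonate and which project roles it gains that way. It also handles the case where the impersonation role is granted at project level, which applies to every service account in the project. All policies and emails are constructed; group membership is not resolved, so a group is matched only by its own member string.

```python
"""Compute what a principal can reach by impersonating service accounts.

Added example, not code from the ghdrako/doc_snipets wiki. Inputs are the JSON
of `gcloud projects get-iam-policy PROJECT --format=json` and of
`gcloud iam service-accounts get-iam-policy SA --format=json` for each SA.
All policies below are constructed; the emails are made up.
"""
import json

# Roles on a service account that let a principal act as it (see the roles list above).
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}

# Constructed project policy: bob is only a Viewer directly, but two SAs hold admin roles.
PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    {"role": "roles/cloudsql.admin",
     "members": ["serviceAccount:sql-ops@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:bucket-admin@demo-project.iam.gserviceaccount.com"]},
]})

# Constructed per-service-account policies, keyed by SA email.
SA_POLICIES = {
    "sql-ops@demo-project.iam.gserviceaccount.com": json.dumps({"bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]}]}),
    "bucket-admin@demo-project.iam.gserviceaccount.com": json.dumps({"bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["group:platform@example.com"]}]}),
}


def roles_of(policy_json, member):
    """Roles bound directly to `member` in one policy (conditional bindings counted as granted)."""
    return {b["role"] for b in json.loads(policy_json).get("bindings", [])
            if member in b.get("members", [])}


def impersonable_accounts(principal, project_policy, sa_policies):
    """Service accounts the principal can act as, via a per-SA or project-level grant."""
    # Service Account User / Token Creator at project level applies to every SA in the project.
    if roles_of(project_policy, principal) & IMPERSONATION_ROLES:
        return sorted(sa_policies)
    return sorted(sa for sa, pol in sa_policies.items()
                  if roles_of(pol, principal) & IMPERSONATION_ROLES)


def effective_reach(principal, project_policy, sa_policies):
    """Map each impersonable SA to the project roles the principal gains through it."""
    return {sa: sorted(roles_of(project_policy, f"serviceAccount:{sa}"))
            for sa in impersonable_accounts(principal, project_policy, sa_policies)}


if __name__ == "__main__":
    for who in ("user:bob@example.com", "group:platform@example.com"):
        print(who, "->", effective_reach(who, PROJECT_POLICY, SA_POLICIES))
```

In the constructed data bob is only a project Viewer, yet through the sql-ops service account he effectively holds Cloud SQL Admin, which is exactly the situation the paragraph above describes. The same pattern is what an over-broad Service Account User grant at project level turns into a grant over every service account in the project.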

Service Account Structure

  • Email
  • Key - authenticated by a public/private key pair, no password
  • Accessible by
    • user account
    • application
    • compute instance
  • IAM roles (for example):
    • Cloud SQL Viewer
    • BigQuery Data Editor

Example

User
  • Project IAM policy
    • Project Viewer
    • Compute Admin - create and manage compute instances
  • Service account IAM policy (on the bucket-admin service account)
    • Service Account User

Service account "bucket admin"
  • Project IAM policy
    • Service Account User