Service account - vidyasekaran/GCP GitHub Wiki
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. It authenticates and authorizes a service to access GCP resources such as a datastore. Service accounts are used in server-side development; they belong to an application or VM rather than to a user.
Ideally you create a service account, assign specific roles to it, and attach it to a Compute Engine instance or App Engine, so that the app or code running inside has only those specific permissions.
Understanding service accounts
https://cloud.google.com/iam/docs/understanding-service-accounts
Creating and enabling service accounts for instances
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
Notes
https://drive.google.com/file/d/1H5jZMEpg_i2BfjTSJCyzMnMkiaphxLrK/view
gcloud compute instances set-service-account
https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account
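The create-assign-attach sequence described above, together with the `set-service-account` command linked here, as an added shell example (not from this wiki). The project, service account, instance, zone and role names are assumptions; set `GCLOUD_DRY_RUN=1` to print the gcloud commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the wiki. Demonstrates: dedicated service account,
# one specific IAM role, attached to a stopped VM via set-service-account.
# All names passed in are illustrative assumptions.

# Execute the command, or print it when GCLOUD_DRY_RUN=1 (lets you review first).
run() {
  if [ "${GCLOUD_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# attach_least_privilege_sa PROJECT SA_NAME INSTANCE ZONE ROLE
attach_least_privilege_sa() {
  project=$1; sa_name=$2; instance=$3; zone=$4; role=$5
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"

  # 1. A dedicated service account for this workload, not the default SA.
  run gcloud iam service-accounts create "$sa_name" \
      --project "$project" --display-name "$sa_name"

  # 2. Grant exactly one predefined or custom role (no Owner/Editor).
  run gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:${sa_email}" --role "$role"

  # 3. The VM must be stopped before its service account can be changed.
  run gcloud compute instances stop "$instance" --zone "$zone" --project "$project"

  # 4. Attach the SA; with the cloud-platform scope the IAM role alone
  #    decides what the code on the VM may call.
  run gcloud compute instances set-service-account "$instance" \
      --zone "$zone" --project "$project" \
      --service-account "$sa_email" --scopes cloud-platform

  # 5. Bring the VM back; code inside now gets tokens for this SA from metadata.
  run gcloud compute instances start "$instance" --zone "$zone" --project "$project"
}
```

Run with `GCLOUD_DRY_RUN=1 attach_least_privilege_sa my-proj reader-sa web-1 us-central1-a roles/storage.objectViewer` to see the five commands before letting them touch a real project.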
There are 3 types of roles you can grant to a service account:
a. Primitive roles
b. Predefined roles (ex: an app that creates a bucket and reads and writes docs; if your code runs outside GCP, generate a key, otherwise you need user-managed keys)
c. Custom roles (ex: an app that can read but not write docs in a bucket)
Authenticating a service to access GCP resources
There are 3 ways to authenticate, and they are:
a. API keys
b. OAuth 2.0 client IDs
c. Service accounts
You can use API keys and OAuth 2.0 client IDs for front-end applications and the Google Drive APIs; only OAuth 2.0 client IDs and service accounts are used for back-end app development.
Authenticating using OAuth in a Spring Boot app
Authenticating as a service account using Java
https://cloud.google.com/docs/authentication/production
Connecting to Google Cloud from on-prem using service accounts