Google Certified Associate Cloud Engineer 2020


GCE Default Service Account vs New Service Account for calling Google APIs

I found these 2 pages conflicting:

Link 1: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices

In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process:

1. Create a new service account rather than using the Compute Engine default service account.

2. Grant IAM roles to that service account for only the resources that it needs.

3. Configure the instance to run as that service account.

4. Grant the instance the https://www.googleapis.com/auth/cloud-platform scope to allow full access to all Google Cloud APIs, so that the IAM permissions of the instance are completely determined by the IAM roles of the service account.

Link 2: https://cloud.google.com/docs/authentication/production

If your application runs inside a Google Cloud environment that has a default service account, your application can retrieve the service account credentials to call Google Cloud APIs. Such environments include Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions. We recommend using this strategy because it is more convenient and secure than manually passing credentials.

If anyone can share some insights into this, that will be very helpful.

0 Answers
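The four-step procedure quoted from Link 1 (create a dedicated service account, grant it only the roles it needs, run the instance as that account, and give the instance the cloud-platform scope so that IAM roles alone decide what it can do), written out as gcloud commands. This is an added example, not code from the original post or from Google's documentation. The project ID, zone, service-account name, instance name and the example role (`roles/storage.objectViewer`) are assumed placeholders; substitute the role(s) your workload actually needs.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): the four-step procedure from
# Link 1 as gcloud commands. All names below are assumed placeholders.
# With DRY_RUN=1 (the default) the script only prints each command so it can
# be reviewed offline; set DRY_RUN=0 to run them with an authenticated gcloud.

PROJECT_ID="${PROJECT_ID:-my-project}"       # assumed project ID
ZONE="${ZONE:-us-central1-a}"                # assumed zone
SA_NAME="${SA_NAME:-web-api-caller}"         # assumed name of the NEW service account
INSTANCE="${INSTANCE:-api-client-vm}"        # assumed instance name
ROLE="${ROLE:-roles/storage.objectViewer}"   # assumed example role; grant only what is needed
SCOPE="https://www.googleapis.com/auth/cloud-platform"
DRY_RUN="${DRY_RUN:-1}"

# Build the e-mail form of a service account from its short name and project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create a dedicated service account instead of using the
# Compute Engine default service account.
step1_create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" \
    --display-name="Service account for $INSTANCE"
}

# Step 2: bind only the role(s) this instance needs to that account.
step2_grant_roles() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_ID")" \
    --role="$ROLE"
}

# Steps 3 and 4: run the instance as the new service account and give it the
# cloud-platform scope, so the IAM roles above fully determine its access.
step3_4_create_instance() {
  run gcloud compute instances create "$INSTANCE" \
    --project="$PROJECT_ID" \
    --zone="$ZONE" \
    --service-account="$(sa_email "$SA_NAME" "$PROJECT_ID")" \
    --scopes="$SCOPE"
}

# Check: confirm the instance is not running as the default service account
# and carries the cloud-platform scope.
verify_instance() {
  run gcloud compute instances describe "$INSTANCE" \
    --project="$PROJECT_ID" \
    --zone="$ZONE" \
    --format="value(serviceAccounts[].email,serviceAccounts[].scopes)"
}

main() {
  step1_create_sa
  step2_grant_roles
  step3_4_create_instance
  verify_instance
}

main
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then `DRY_RUN=0 PROJECT_ID=<your project> sh create-sa-instance.sh` to apply them. The `verify_instance` output should show `web-api-caller@<project>.iam.gserviceaccount.com` rather than the `<project-number>-compute@developer.gserviceaccount.com` default, together with the cloud-platform scope.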
