There seems to be very little information out there about service accounts owned and managed by Google. However, the IAM role used by such SAs, named Compute.serviceAgent, is a black box. The documentation says, "This service account is designed specifically for Google Compute Engine to perform its service duties on your project." I do not understand this clearly. I am not able to view what permissions are provided to the role Compute.serviceAgent.
Hello! Sometimes, the best thing to do is to ask the IAM API, directly. Here’s what it says when you run
gcloud iam roles describe roles/compute.serviceAgent:
    description: Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
    etag: AA==
    includedPermissions:
    - cloudkms.cryptoKeyVersions.useToDecrypt
    - cloudkms.cryptoKeyVersions.useToEncrypt
    - compute.disks.createSnapshot
    - compute.disks.list
    - compute.snapshots.create
    - compute.snapshots.delete
    - compute.snapshots.get
    - iam.serviceAccounts.getAccessToken
    - iam.serviceAccounts.signJwt
    - logging.logEntries.create
    name: roles/compute.serviceAgent
    stage: ALPHA
    title: Compute Engine Service Agent
So, this is the complete list of permissions for what this role can do. It can:
Make, List, and Read snapshots of Compute Engine instances
Make, and List snapshots of Persistent Disks
Encrypt and Decrypt the above snapshots
Make tokens so that new Compute Engine instances can use Service Accounts
Log information about what’s going on within the service.
Does that help?
Thanks Mattias! I was somehow trying to describe the service account itself. Should have tried the API. Thanks again.
None of the Google-owned service accounts can be described using the API.
Indeed! Some of those are behind-the-scenes ones that we don’t usually interact with, so they don’t show up on the "Service accounts" screen, but they do show up on the "IAM" / "Permissions for project" screen. But I’m very glad you’ve been digging into them, because it really helps your learning! 👍
Here’s a quote from https://cloud.google.com/iam/docs/service-accounts#google-managed_service_accounts:
    This service account is designed specifically to run internal Google processes on your behalf and is not listed in the Service Accounts section of GCP Console. ... Google services rely on the account having access to your project, so you should not remove or change the service account’s role on your project.
But you probably already knew that. 🙂
And you’re welcome! I’m happy to help. 😊
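The two checks from this thread, turned into a small offline audit script. This is an added example, not code from the thread or from Google; it embeds the `gcloud iam roles describe roles/compute.serviceAgent` output quoted in the answer above, parses it into a permission list grouped by service, and then scans a constructed project IAM policy (the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` prints) for the Google-managed service agents that the later reply says are missing from the "Service accounts" screen but present on the IAM screen. The project number 123456789012, the project id `example-project`, the user and service-account emails, and the `service-<number>@...` matching rule are all placeholders or assumptions, not values from the page.

```python
"""Audit helpers for Google-managed service agents (added example).

  * parse_role_description() reads the flat YAML that
    `gcloud iam roles describe ROLE` prints and returns the role fields;
  * permissions_by_service() groups includedPermissions by service prefix;
  * service_agent_bindings() scans a project IAM policy for the
    Google-managed "service-<project-number>@..." members.
Sample inputs are embedded so the script runs without credentials.
"""
import json
import re
from collections import defaultdict

# Verbatim output of `gcloud iam roles describe roles/compute.serviceAgent`
# as quoted in the thread.
DESCRIBE_OUTPUT = """\
description: Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
etag: AA==
includedPermissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- compute.disks.createSnapshot
- compute.disks.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- iam.serviceAccounts.getAccessToken
- iam.serviceAccounts.signJwt
- logging.logEntries.create
name: roles/compute.serviceAgent
stage: ALPHA
title: Compute Engine Service Agent
"""

# Constructed project IAM policy (placeholder identities, not real ones):
# project number 123456789012 and project id "example-project" are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.serviceAgent",
     "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz=",
  "version": 1
}
""")

# Assumption: Google-managed service agents use the local part
# "service-<PROJECT_NUMBER>" on a Google-owned gserviceaccount.com domain.
# Adjust the pattern if your project shows agents named differently.
SERVICE_AGENT_RE = re.compile(r"^serviceAccount:service-\d+@[\w.-]+\.gserviceaccount\.com$")


def parse_role_description(text):
    """Parse gcloud's flat YAML: 'key: value' scalars plus one '- item' list."""
    role = {}
    current_list = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("- ") and current_list is not None:
            role[current_list].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            role[key] = value
            current_list = None
        else:  # a key with no scalar value starts a list
            role[key] = []
            current_list = key
    return role


def permissions_by_service(role):
    """Group includedPermissions by their service prefix (compute, iam, ...)."""
    grouped = defaultdict(list)
    for perm in role.get("includedPermissions", []):
        grouped[perm.split(".", 1)[0]].append(perm)
    return dict(grouped)


def service_agent_bindings(policy):
    """Return (member, role) pairs for Google-managed service agents in a policy."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if SERVICE_AGENT_RE.match(member):
                found.append((member, binding["role"]))
    return found


if __name__ == "__main__":
    role = parse_role_description(DESCRIBE_OUTPUT)
    print(f"{role['title']} ({role['name']}), stage {role['stage']}")
    for service, perms in sorted(permissions_by_service(role).items()):
        print(f"  {service}: {', '.join(perms)}")
    print("Service agents bound in the sample policy:")
    for member, bound_role in service_agent_bindings(SAMPLE_POLICY):
        print(f"  {member} -> {bound_role}")
```

In a real project you would replace the two embedded strings with the live output of `gcloud iam roles describe ROLE` and `gcloud projects get-iam-policy PROJECT --format=json`; the grouping makes it easy to spot that the Compute Engine agent's reach is limited to disk snapshots, KMS use, token minting for service accounts, and log writes, and the policy scan lists the agents you should not remove even though the Service accounts screen never shows them.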