There seems to be very little information out there about service accounts owned and managed by Google. However, the IAM role used by such SAs, named Compute.serviceAgent, is a black box. The documentation says, "This service account is designed specifically for Google Compute Engine to perform its service duties on your project." I do not understand this clearly. I am not able to view what permissions are provided to the role Compute.serviceAgent.
Hello! Sometimes, the best thing to do is to ask the IAM API directly. Here's what it says when you run `gcloud iam roles describe roles/compute.serviceAgent`:
```yaml
description: Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
etag: AA==
includedPermissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- compute.disks.createSnapshot
- compute.disks.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- iam.serviceAccounts.getAccessToken
- iam.serviceAccounts.signJwt
- logging.logEntries.create
name: roles/compute.serviceAgent
stage: ALPHA
title: Compute Engine Service Agent
```
So, this is the complete list of permissions of what this role can do. It can:

- Make, List, and Read snapshots of Compute Engine instances
- Make and List snapshots of Persistent Disks
- Encrypt and Decrypt the above snapshots
- Make tokens so that new Compute Engine instances can use Service Accounts
- Log information about what's going on within the service.
Does that help?
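As an added example (not part of the answer above, and not Google's own tooling), here is a small Python script that parses the `gcloud iam roles describe` output offline, groups the permissions by service, and diffs two snapshots of the permission list. The sample text is the describe output quoted in the answer; a role at stage ALPHA can change between checks, so keeping a baseline and diffing it is the practical audit step.

```python
from collections import defaultdict

# Constructed sample: the `gcloud iam roles describe roles/compute.serviceAgent`
# output as quoted in the answer above, in its original YAML layout.
DESCRIBE_OUTPUT = """\
description: Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
etag: AA==
includedPermissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- compute.disks.createSnapshot
- compute.disks.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- iam.serviceAccounts.getAccessToken
- iam.serviceAccounts.signJwt
- logging.logEntries.create
name: roles/compute.serviceAgent
stage: ALPHA
title: Compute Engine Service Agent
"""


def parse_role(text):
    """Minimal parser for the flat YAML gcloud prints (no PyYAML needed)."""
    role = {"includedPermissions": []}
    current_list = None
    for line in text.splitlines():
        if line.startswith("- ") and current_list is not None:
            role[current_list].append(line[2:].strip())  # block-sequence item
        elif ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            if value == "":  # bare "key:" means a block sequence follows
                role.setdefault(key, [])
                current_list = key
            else:
                role[key] = value
                current_list = None
    return role


def by_service(permissions):
    """Group permissions by their service prefix (cloudkms, compute, iam, ...)."""
    groups = defaultdict(list)
    for perm in permissions:
        groups[perm.split(".")[0]].append(perm)
    return dict(groups)


def drift(baseline, current):
    """Return (added, removed) permissions between a saved baseline and a fresh describe."""
    return sorted(set(current) - set(baseline)), sorted(set(baseline) - set(current))
```

Save the describe output once as a baseline, re-run `gcloud iam roles describe` on a schedule, and feed both through `drift` to catch permission changes to the agent role.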