Service accounts owned by Google

There seems to be a little less information out there about service accounts owned and managed by Google. However, the IAM role used by such SAs, named Compute.serviceAgent, is a black box. The documentation says, "This service account is designed specifically for Google Compute Engine to perform its service duties on your project." I do not understand this clearly. I am not able to view what permissions are provided to the role Compute.serviceAgent.

1 Answer

Hello! Sometimes, the best thing to do is to ask the IAM API, directly. Here’s what it says when you run gcloud iam roles describe roles/compute.serviceAgent:

description: Gives Compute Engine Service Account access to assert service account
  authority. Includes access to service accounts.
etag: AA==
includedPermissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- compute.disks.createSnapshot
- compute.disks.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- iam.serviceAccounts.getAccessToken
- iam.serviceAccounts.signJwt
- logging.logEntries.create
name: roles/compute.serviceAgent
stage: ALPHA
title: Compute Engine Service Agent

So, this is the complete list of permissions of what this role can do–it can:

  • Make, List, and Read snapshots of Compute Engine instances
  • Make and List snapshots of Persistent Disks
  • Encrypt and Decrypt the above snapshots
  • Make tokens so that new Compute Engine instances can use Service Accounts
  • Log information about what’s going on within the service.

Does that help?



Thanks Mattias! I was somehow trying to describe the service account itself. Should have tried the API. Thanks again.


None of the Google-owned service accounts can be described using the API.

Mattias Andersson

Indeed! Some of those are behind-the-scenes ones that we don’t usually interact with–so they don’t show up on the "Service accounts" screen but they do show up on the "IAM" / "Permissions for project" screen. But I’m very glad you’ve been digging into them, because it really helps your learning! 👍

Mattias Andersson

Here’s a quote from service account is designed specifically to run internal Google processes on your behalf and is not listed in the Service Accounts section of GCP Console. ... Google services rely on the account having access to your project, so you should not remove or change the service account’s role on your project. But you probably already knew that. 🙂

Mattias Andersson

And you’re welcome! I’m happy to help. 😊
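For auditing a role like this one, the following added example (not part of the original thread, and not Google's code) parses the `gcloud iam roles describe` output quoted in the answer, groups the permissions by service, and picks out the ones that mint or sign service account credentials. The function names and the `CREDENTIAL_PERMS` set are assumptions chosen for this example; `includedPermissions:` is the key gcloud prints above the permission list.

```python
import re
from collections import defaultdict

# Sample input: the role description from the answer, embedded inline.
ROLE_YAML = """\
description: Gives Compute Engine Service Account access to assert service account
  authority. Includes access to service accounts.
etag: AA==
includedPermissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- compute.disks.createSnapshot
- compute.disks.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- iam.serviceAccounts.getAccessToken
- iam.serviceAccounts.signJwt
- logging.logEntries.create
name: roles/compute.serviceAgent
stage: ALPHA
title: Compute Engine Service Agent
"""

# Assumption (chosen for this example, not from the page): permissions that
# let the holder obtain or sign credentials as a service account.
CREDENTIAL_PERMS = {"iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.signJwt",
                    "iam.serviceAccounts.signBlob", "iam.serviceAccounts.actAs"}

def parse_permissions(text):
    """Return the entries listed under includedPermissions: in the YAML text."""
    perms, in_list = [], False
    for line in text.splitlines():
        if in_list and line.startswith("- "):
            perms.append(line[2:].strip())
        elif re.match(r"[A-Za-z]\w*:", line):  # any other top-level key ends the list
            in_list = line.startswith("includedPermissions:")
    return perms

def summarize(text):
    """Group permissions by service prefix; return (groups, credential-related)."""
    groups = defaultdict(list)
    for perm in parse_permissions(text):
        groups[perm.split(".", 1)[0]].append(perm)
    flagged = [p for p in parse_permissions(text) if p in CREDENTIAL_PERMS]
    return dict(groups), flagged

if __name__ == "__main__":
    groups, flagged = summarize(ROLE_YAML)
    print({svc: len(p) for svc, p in groups.items()}, flagged)
```

To run it against a live role, replace `ROLE_YAML` with the text printed by the gcloud command from the answer.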

