IAM Roles and Service Accounts
Intermediate · 10 min · Trending
Create service accounts, assign IAM roles, and manage permissions for secure access to GCP resources.
Prerequisites
- gcloud CLI installed
- Project Owner or IAM Admin role
Steps
1. Create a service account
Creates a service account that applications use to authenticate to GCP APIs.
$ gcloud iam service-accounts create myapp-sa --display-name "My App Service Account" --description "Service account for myapp"
2. Grant a role to the service account
Assigns the Storage Object Viewer role, granting read-only access to Cloud Storage objects.
$ gcloud projects add-iam-policy-binding my-project-id --member "serviceAccount:myapp-sa@my-project-id.iam.gserviceaccount.com" --role "roles/storage.objectViewer"
Follow the principle of least privilege. Grant the narrowest role that meets the requirement.
3. Create and download a key file
Generates a JSON key file for authenticating as the service account.
$ gcloud iam service-accounts keys create key.json --iam-account myapp-sa@my-project-id.iam.gserviceaccount.com
Key files are long-lived credentials. Prefer Workload Identity Federation for production. Never commit key files to version control.
4. List IAM policy bindings
Displays all role bindings in the project in a readable table.
$ gcloud projects get-iam-policy my-project-id --flatten="bindings[].members" --format="table(bindings.role, bindings.members)"
5. Revoke a role
Removes the specified role from the service account.
$ gcloud projects remove-iam-policy-binding my-project-id --member "serviceAccount:myapp-sa@my-project-id.iam.gserviceaccount.com" --role "roles/storage.objectViewer"
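Steps 2 through 4 describe granting the narrowest role, avoiding long-lived key files, and listing the project's bindings. The following Python script is an added example, not part of the original guide or of gcloud itself: it audits the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account SA --format=json` print, reporting every role bound to a service account, any member holding a basic role (owner/editor/viewer), and user-managed keys older than a rotation window. The policy, member names and key records embedded below are constructed sample data, and the 90-day rotation window is an assumed threshold.

```python
"""Least-privilege audit of a GCP project IAM policy and service account keys.

Added example (not the original page's code). Input shapes follow
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam service-accounts keys list --iam-account SA --format=json`;
the sample records below are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Basic (primitive) roles grant broad project-wide access and should be flagged.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (shape of `gcloud projects get-iam-policy --format=json`).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:myapp-sa@my-project-id.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:legacy-sa@my-project-id.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyZ123",
    "version": 1,
})

# Constructed sample key list (shape of `gcloud iam service-accounts keys list --format=json`).
SA_KEY_PREFIX = "projects/my-project-id/serviceAccounts/myapp-sa@my-project-id.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = json.dumps([
    {"name": SA_KEY_PREFIX + "aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-15T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA_KEY_PREFIX + "bbbb2222", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-06-01T00:00:00Z", "validBeforeTime": "2024-06-03T00:00:00Z"},
])


def _parse_rfc3339(ts: str) -> datetime:
    """Parse the 'Z'-suffixed timestamps gcloud prints into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def roles_for_member(policy_json: str, member: str) -> list[str]:
    """Return every role bound directly to `member` (e.g. 'serviceAccount:...')."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def members_with_basic_roles(policy_json: str) -> dict[str, list[str]]:
    """Map each member holding a basic role (owner/editor/viewer) to those roles."""
    policy = json.loads(policy_json)
    found: dict[str, list[str]] = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding.get("members", []):
                found.setdefault(member, []).append(binding["role"])
    return {m: sorted(r) for m, r in found.items()}


def stale_user_keys(keys_json: str, now_iso: str, max_age_days: int = 90) -> list[str]:
    """Return ids of USER_MANAGED keys created more than `max_age_days` before `now_iso`.

    SYSTEM_MANAGED keys are rotated by Google and are skipped; the 90-day
    window is an assumed rotation policy, not a GCP default.
    """
    now = _parse_rfc3339(now_iso)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = _parse_rfc3339(key["validAfterTime"])
        if now - created > timedelta(days=max_age_days):
            stale.append(key["name"].rsplit("/", 1)[-1])
    return stale


if __name__ == "__main__":
    sa = "serviceAccount:myapp-sa@my-project-id.iam.gserviceaccount.com"
    print("roles bound to", sa, "->", roles_for_member(SAMPLE_POLICY, sa))
    print("members holding basic roles ->", members_with_basic_roles(SAMPLE_POLICY))
    now_iso = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print("user-managed keys past 90 days ->", stale_user_keys(SAMPLE_KEYS, now_iso))
```

To run it against a real project, replace the two sample strings with the files produced by `gcloud projects get-iam-policy my-project-id --format=json > policy.json` and `gcloud iam service-accounts keys list --iam-account myapp-sa@my-project-id.iam.gserviceaccount.com --format=json > keys.json`. Members that appear in `members_with_basic_roles` are candidates for replacement with a predefined or custom role, and keys reported by `stale_user_keys` are the ones to rotate or delete.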