Basic configuration (GCP)

Simple steps to enable your Google Cloud environment #setup #access #admin #GCP

Google Cloud Platform

In Google Cloud Platform (GCP), a Service Account is used by applications, scripts, or services to access GCP resources. This document will run through creating a Service Account with a key file. The key file is a JSON file containing a private key that your application will use to authenticate itself when accessing GCP services.

Service Accounts provide a secure and manageable way for your applications to access GCP resources. Instead of using your personal GCP account, you can create a specific identity for your application, reducing security risks and improving accountability.

As the creator of the service account, you and your organization retain full control over access to your environment; if access needs to be removed, you can revoke the service account's access.

Sign in to the Google Cloud Console

Sign in to the Google Cloud Console using your GCP account and locate the Identity and Access Management (IAM) service where identity and authentication are managed in GCP.

Create a new Service Account

In the IAM & Admin section, select "Service accounts" from the left-hand menu and click the "+ CREATE SERVICE ACCOUNT" button. Enter the following details:

  • Service account name: how it will be identified in GCP. Feel free to choose something meaningful for this purpose that conforms with other
  • Service account ID: a unique ID for the service account
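  • Role: which roles will be assigned to this Service Account. Generally, "Project" > "Editor" is a common choice. Editor includes write access to most resources in the project, whereas the two roles listed under "Add IAM policy binding" (roles/viewer and roles/billing.viewer) are read-only.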

Once ready, click "Create" to create the service account.

On the service account's details page, take note of and download the key file containing the private key. This key file will be used later.

Grant service account permissions

To allow your service account to see cost details of your resources, you will need to grant it the appropriate level of access. This can be done at the project level.

Sign in to the Google Cloud Console

Sign in to the Google Cloud Console using your GCP account and locate the IAM & Admin service where permissions are managed in GCP.

Add IAM policy binding

In IAM & Admin, click on the name of the project that you want to enroll. Select IAM in the left-hand menu, then click "ADD" to add a new IAM policy binding.

Two roles need to be added for the service account, to allow for sufficient access:

| Role | Description |
|-|-|
| roles/viewer | To allow the service account to see the resource and basic metadata about it such as tags |
| roles/billing.viewer | To allow the service account to access the billing APIs in GCP |

To add each, click to highlight the role name when prompted to "Select a role," then click Next. With "Members" set to "Service account," enter the email address of the service account you created above, and once found select it. Then click "Save."

You will be presented with a summary screen with the information you have just provided. Confirm that it is correct, then click "ADD ANOTHER ROLE" to set the next permission. Repeat for all roles you may need to add to this project.
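Once the bindings are saved, the result can be checked against the two roles listed above. The following is an added example, not part of the original guide: it audits a project IAM policy (the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`) for one service account. The sample policy, the service account email and the function name are constructed for illustration.

```python
import json

# Roles this guide says the service account needs (both read-only).
REQUIRED_ROLES = {"roles/viewer", "roles/billing.viewer"}
# Basic roles that carry write access; reported if bound to the account.
WRITE_BASIC_ROLES = {"roles/editor", "roles/owner"}


def audit_service_account(policy: dict, sa_email: str) -> dict:
    """Compare the roles bound to sa_email in an IAM policy with REQUIRED_ROLES."""
    member = f"serviceAccount:{sa_email}".lower()
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if member not in members:
            continue
        # A conditional binding may not apply to every request, so it is
        # tracked separately and does not count as satisfying a required role.
        target = conditional if "condition" in binding else granted
        target.add(binding["role"])
    bound = granted | conditional
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "extra": sorted(bound - REQUIRED_ROLES),
        "write_access": sorted(bound & WRITE_BASIC_ROLES),
        "conditional": sorted(conditional),
    }


# Constructed sample: the account was created with Editor and later given
# roles/viewer, but roles/billing.viewer was never added.
SAMPLE_SA = "cost-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:admin@example.com", f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/viewer",
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/billing.viewer",
         "members": ["user:finance@example.com"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_service_account(SAMPLE_POLICY, SAMPLE_SA), indent=2))
```

An empty `missing` list together with empty `extra` and `write_access` lists means the account holds exactly the two roles from the table.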