Skip to main content

Creating and Managing GCP Service Accounts

Hands-On Lab


Photo of Matthew Ulasien

Matthew Ulasien

Team Lead Google Cloud in Content





Unlike standard IAM member accounts, service accounts are used by applications, services, or VM instances and not people. Nonetheless, the two types of accounts share many of the same features, including the ability to be assigned pre-defined or custom roles. But, of course, there are differences such as the technique for associating a VM instance with a service account.

In this hands-on lab, you'll work with service accounts in a variety of ways: creating, editing, disabling, enabling, assigning IAM roles, and attaching a service account to a VM instance.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Creating and Managing GCP Service Accounts

In this lab, we are building a new app. We've been asked to take ownership of the required IAM service account. To do this, we'll need to create a new account, edit the account once it's been created, and figure out how to disable and re-enable the account if necessary. Once we have that done, we need to assign an IAM role to the account after it has been created before attaching the service account to a virtual machine. Once finished, we'll delete the account.

Before We Begin

To start this lab, we need to log in to the Google Cloud Platform using the provided credentials.

Create a Service Account

Our first task is to create a service account. To do so, we need to go to the Google Cloud console's main navigation and choose IAM & admin then Service accounts. Here, select Create Service Account. On the Create Service Account page, in the Service account name field, enter a name; for this example, we're using App Team Service Account. The Service account ID will automatically fill. As we don't need a description, click Create.

We are taken to the Service account permissions page. We do not need to provide any permissions, so leave it as the default and click Continue.

On the next page, leave the first section blank and go to the Create key (optional) section. In here, select Create Key. A side-panel appears. Here, set the Key Type to JSON and click Create. We are prompted to save the key, which we can do wherever we would like. Once it is saved, click Close and then Done.

Edit the Service Account

If we ever wanted to change the service account, under the Action column for that item, select the three-dot Action button and then choose Edit. We need to add a description in theDescription field. For this lab, we'll use For development only. Now, click Save. We see that our description has populated the Description column on the table.

Disable and Enable Service Account

With this same service account, let's practice disabling and then re-enabling a service account. To do so, select the three-dot Actions button and choose Disable. In the dialog that appears, click Disable. Under the status column, the checkmark will become a gray circle with a white line.

Enabling it again is a similar process. Once again, select the associated Actions icon, though this time, we will find the Disable button has now become Enable. Choose Enable. In the dialog that appears, click Enable. The status changes back to a green checkmark.

Assign IAM Roles to Service Account

Now, we want to assign an IAM role to the account we created. To do so, copy the email from the account we created. Next, from the IAM navigation, choose IAM. With the Members tab selected, click Add at the top of the screen.

In the Add Members panel, we need to paste the copied email address into the New Members field. Next, in the Select a role field, choose Viewer for our account, then click Save. In the list of members, a new member with our service account attached appears.

Attach the Service Account to a VM Instance

With our role set, we need to attach our service account to a VM instance. To do so, go back to the main Google Cloud navigation, and choose Compute Engine then VM Instances. On the page that appears, select Create. We want to leave most of these values as their defaults. The only change we'll be making is in the Identity and API Access section. Here, select the Service account list and choose the App Team Service Account entry. Once selected, click Create.

Delete the Service account

Finally, let's delete this service account. To do so, go back to the Google Cloud console's main navigation and choose IAM & admin then Service accounts. Select the associated Actions icon and choose Delete from the list. In the dialog that appears, click Delete. The service account disappears from the list.


Upon completing this lab, we are now able to create a service account, edit it, enable and disable them, assign them to an IAM role and a VM Instance, and how to delete a service account. Congratulations, you've completed the lab!