This page explains how to create service accounts using the Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud command-line tool.

By default, each project can have up to 100 service accounts that control access to your resources. You can request a quota increase if necessary. Learn more about quotas and limits.
Before you begin

Required roles

To get the permissions that you need to create service accounts, ask your administrator to grant you the Create Service Accounts (roles/iam.serviceAccountCreator) IAM role on the project. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

If you want to grant newly created service accounts access to your project, you also need the Project IAM admin (roles/resourcemanager.projectIamAdmin) role.
Create a service account

When you create a service account, you must provide an alphanumeric ID (SERVICE_ACCOUNT_NAME in the samples below), such as my-service-account. The ID must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes. After you create a service account, you cannot change its name.

The service account's name appears in the email address that is provisioned during creation, in the format SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.

Each service account also has a permanent, unique numeric ID, which is generated automatically.

You also provide the following information when you create a service account:

- DESCRIPTION is an optional description for the service account.
- DISPLAY_NAME is a friendly name for the service account.
- PROJECT_ID is the ID of your Google Cloud project.

After you create a service account, you might need to wait for 60 seconds or more before you use the service account. This behavior occurs because read operations are eventually consistent; it can take time for the new service account to become visible. If you try to read or use a service account immediately after you create it, and you receive an error, you can retry the request with exponential backoff.
Console

- In the Google Cloud console, go to the Create service account page.
  Go to Create service account
  The remaining steps will appear automatically in the Google Cloud console.
- Select a Google Cloud project.
- Enter a service account name to display in the Google Cloud console. The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary. You cannot change the ID later.
- Optional: Enter a description of the service account.
- If you don't want to set access controls now, click Done to finish creating the service account. To set access controls now, click Create and continue and continue to the next step.
- Optional: Choose one or more IAM roles to grant to the service account on the project.
- When you are done adding roles, click Continue.
- Optional: In the Service account users role field, add members that need to attach the service account to other resources.
- Optional: In the Service account admins role field, add members that need to manage the service account.
- Click Done to finish creating the service account.
gcloud

- In the Google Cloud console, activate Cloud Shell.
  Activate Cloud Shell
  At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- To create the service account, run the gcloud iam service-accounts create command:

  gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
      --description="DESCRIPTION" \
      --display-name="DISPLAY_NAME"

  Replace the following values:
  - SERVICE_ACCOUNT_NAME: the name of the service account
  - DESCRIPTION: an optional description of the service account
  - DISPLAY_NAME: a service account name to display in the Google Cloud console
- Optional: To grant your service account an IAM role on your project, run the gcloud projects add-iam-policy-binding command:

  gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
      --role="ROLE_NAME"

  Replace the following values:
  - PROJECT_ID: the project ID
  - SERVICE_ACCOUNT_NAME: the name of the service account
  - ROLE_NAME: a role name, such as roles/compute.osLogin
- Optional: To allow users to attach the service account to other resources, run the gcloud iam service-accounts add-iam-policy-binding command to grant a user the Service Account User role (roles/iam.serviceAccountUser) on the service account:

  gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
      --member="user:USER_EMAIL" \
      --role="roles/iam.serviceAccountUser"

  Replace the following values:
  - PROJECT_ID: the project ID
  - SERVICE_ACCOUNT_NAME: the name of the service account
  - USER_EMAIL: the email address for the user
REST

The serviceAccounts.create method creates a service account.

Before using any of the request data, make the following replacements:

- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: The alphanumeric ID of your service account. This name must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.
- SA_DESCRIPTION: Optional. A description for the service account.
- SA_DISPLAY_NAME: A human-readable name for the service account.

HTTP method and URL:

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts

Request JSON body:

{
  "accountId": "SA_NAME",
  "serviceAccount": {
    "description": "SA_DESCRIPTION",
    "displayName": "SA_DISPLAY_NAME"
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You should receive a JSON response similar to the following:

{
  "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com",
  "projectId": "my-project",
  "uniqueId": "123456789012345678901",
  "email": "my-service-account@my-project.iam.gserviceaccount.com",
  "displayName": "My service account",
  "etag": "BwUp3rVlzes=",
  "description": "A service account for running jobs in my project",
  "oauth2ClientId": "987654321098765432109"
}
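As an added example that is not part of this page or of Google's own tooling: a small Python helper that checks the account ID against the naming rule stated above, builds the serviceAccounts.create URL and JSON body shown in the REST tab, derives the provisioned email address, and retries a read of the new account with exponential backoff for the eventual-consistency window described earlier. The names validate_account_id, build_create_request, wait_until_visible and the simulated_lookup stand-in are assumptions of this example; no request is actually sent.

```python
import random
import re
import time
from typing import Callable, Optional

IAM_API = "https://iam.googleapis.com/v1"
# Rule stated on this page: 6-30 characters of lowercase letters, digits and dashes.
SA_ID_RE = re.compile(r"^[a-z0-9-]{6,30}$")


def validate_account_id(sa_name: str) -> bool:
    """True when sa_name satisfies the documented account ID constraints."""
    return SA_ID_RE.fullmatch(sa_name) is not None


def service_account_email(sa_name: str, project_id: str) -> str:
    return f"{sa_name}@{project_id}.iam.gserviceaccount.com"  # address provisioned at creation


def build_create_request(project_id: str, sa_name: str, display_name: str,
                         description: Optional[str] = None) -> tuple:
    """Return (url, body) for serviceAccounts.create; reject a bad ID before any request."""
    if not validate_account_id(sa_name):
        raise ValueError(f"invalid service account ID: {sa_name!r}")
    body = {"accountId": sa_name, "serviceAccount": {"displayName": display_name}}
    if description:  # optional field: omit the key rather than send ""
        body["serviceAccount"]["description"] = description
    return f"{IAM_API}/projects/{project_id}/serviceAccounts", body


def wait_until_visible(lookup: Callable[[], Optional[dict]], max_attempts: int = 7,
                       base_delay: float = 1.0,
                       sleep: Callable[[float], None] = time.sleep) -> dict:
    """Retry a read of a just-created account with exponential backoff.
    `lookup` returns the resource, or None while the eventually consistent
    read lags. Seven attempts wait 1+2+...+32 s, about the 60 s the page cites."""
    for attempt in range(max_attempts):
        found = lookup()
        if found is not None:
            return found
        if attempt < max_attempts - 1:
            sleep(base_delay * 2 ** attempt + random.uniform(0, 0.5))
    raise TimeoutError("service account still not visible after retries")


def simulated_lookup(misses: int, resource: dict) -> Callable[[], Optional[dict]]:
    """Constructed stand-in for serviceAccounts.get: None for the first `misses` calls."""
    calls = [0]
    def _lookup() -> Optional[dict]:
        calls[0] += 1
        return resource if calls[0] > misses else None
    return _lookup
```

To use it against the real API, pass a lookup that performs the authenticated GET and returns None on a 404, and inject the real sleep (the default).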
After you create a service account, grant one or more roles to the service account so that it can act on your behalf.

Also, if the service account needs to access resources in other projects, you usually must enable the APIs for those resources in the project where you created the service account.