What are the differences between GCP service accounts and user accounts?
I wanted to use a service account to manage VM instances on GCE remotely. It did not work. Therefore this question. One difference I found between a service account and a user account, after many hours of trial and error, is that there seems to be no way to use a service account to SSH into a VM instance.

What are the other differences?

Links I found related to my question:

  1. https://groups.google.com/forum/#!topic/gce-discussion/Z6OMpVhvowQ
  2. Logging into google compute engine with a service account
Hispania answered 30/11, 2019 at 7:40 Comment(2)
Another reference on SSH using a service account: cloud.google.com/compute/docs/tutorials/service-account-ssh. With a user account one can use gcloud to connect to a VM that has either a private or a public IP. But with a service account, I cannot see how it is possible to connect to a VM without a public IP. - Hispania
I think in Google's terms, the user account in my question could be a Google account (cloud.google.com/iam/docs/overview#concepts_related_identity) who can sign in. - Hispania
By design, service accounts in Google are meant for non-human users. They are a type of account used by resources in your Google project (e.g. the Compute Engine service account, the App Engine service account, etc.).

Service accounts are designed as a type of account that is used by your Google Cloud resources to communicate with other Google Cloud services (e.g. GCE to App Engine to Cloud Functions, App Engine to Google APIs such as the Vision API or Speech-to-Text, or App Engine to Cloud SQL, etc.).

You may refer to the Google documentation here for more details:

Jerrelljerri answered 30/11, 2019 at 8:0 Comment(2)
I may have accidentally found out one difference: a service account cannot have roles/iap.tunnelResourceAccessor. - Hispania
Thanks @James Ching for the link which provides the comparisons. - Hispania
The accepted answer is correct but lacks a deeper understanding of what credentials are in Google Cloud.

There are a number of types of credentials: User, Service Account, Group, Domain, etc. The difference is what the credentials represent and what the authority for those credentials is. Internally they are the same in regards to structure, content, etc.

All of the credential types are OAuth 2 credentials. A User Account credential is one that is issued by Google Accounts, G Suite or Identity Server. These credentials cannot be created by you or your software without Google. These credentials are issued by Google. Service Accounts, on the other hand, can create their own credentials, as the service account contains the private key used to sign the credentials. The private key is used to create a Signed JWT that is then exchanged for an OAuth Access Token, Refresh Token, and Identity Token. A Service Account is just a type of OAuth credential.

Google does not want User Credentials used to access Google Cloud resources except through the Google Cloud Console or the Google Cloud SDK tools and CLI. This is a security issue and design decision. Otherwise, the use and behavior are nearly identical, except that some privileges cannot be assigned to some credential types.

Consultation answered 1/12, 2019 at 17:57 Comment(6)
In Google's design, SSH through a tunnel is a management job which can only be done by User Credentials. - Hispania
@Hispania - For your example, correct. However, that is an enforcement by Google and is not related to what credentials actually are. I create SSH tunnels all the time with and without service accounts. That is why I posted an additional answer. There are numerous details to understand. - Consultation
Hi @John Hanley, did you use gcloud compute ssh for tunnelling with a service account? My tests on --tunnel-through-iap lead me to say there is no IAP support for service accounts. Did you set up the tunnel with a service account using third-party tools? - Hispania
My own tools written in Go/Python. - Consultation
I think this is the best answer for this question; +1. Could you please provide some link where we can read more about the difference between User, Service Account, Group and Domain accounts? - Contreras
I know this - cloud.google.com/iam/docs/overview... but if the difference is explained explicitly somewhere then it will be helpful. - Contreras
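The answer above describes the mechanism that makes a service account different from a user account at the credential level: the account holds a private key, signs a JWT with it, and exchanges that JWT for an OAuth access token. The following is an added example written for this page, not code from the answerer or from Google: it builds and RS256-signs such an assertion, models the checks the token endpoint applies before issuing a token (the model of those server-side checks is an assumption, not Google's code), and shows the form body that would be POSTed to the real token endpoint. The service account e-mail is a constructed placeholder and the RSA key is generated in-process in place of the `private_key` field of a downloaded JSON key file; no network request is made.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// tokenURI is Google's OAuth 2.0 token endpoint: the "aud" of the assertion
// and the URL the signed assertion is POSTed to.
const tokenURI = "https://oauth2.googleapis.com/token"

// Claims is the claim set a service account signs (an RFC 7523 JWT bearer
// assertion). Google's endpoint rejects lifetimes longer than one hour.
type Claims struct {
	Iss   string `json:"iss"`   // service account e-mail
	Scope string `json:"scope"` // space-separated OAuth scopes requested
	Aud   string `json:"aud"`   // must equal tokenURI
	Iat   int64  `json:"iat"`   // issued-at, Unix seconds
	Exp   int64  `json:"exp"`   // expiry, at most Iat+3600
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion produces the compact header.payload.signature JWT, signed
// RS256 with the service account's private key. This is the step a user
// account cannot perform: only Google issues user credentials.
func SignAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion models what the token endpoint does with the public key it
// holds for the service account: pin the algorithm, verify the signature over
// header.payload, then check aud and the one-hour lifetime. (Assumed model of
// the server-side checks, not Google's implementation.)
func VerifyAssertion(pub *rsa.PublicKey, jwt string, now time.Time) (Claims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("header missing or alg is not RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, fmt.Errorf("signature check failed: %w", err)
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return Claims{}, fmt.Errorf("bad claim set: %w", err)
	}
	if c.Aud != tokenURI {
		return Claims{}, fmt.Errorf("unexpected aud %q", c.Aud)
	}
	if t := now.Unix(); c.Exp-c.Iat > 3600 || t < c.Iat || t >= c.Exp {
		return Claims{}, fmt.Errorf("assertion lifetime invalid or expired")
	}
	return c, nil
}

// ExchangeBody is the application/x-www-form-urlencoded body POSTed to
// tokenURI; the JSON response carries the bearer access_token.
func ExchangeBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

func main() {
	// Constructed stand-in for the key file's private key. In production that
	// file is the credential itself: anyone holding it can mint assertions for
	// this identity until the key is deleted, so key files need the same
	// handling (storage, rotation, audit) as a password.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	c := Claims{
		Iss:   "demo-sa@example-project.iam.gserviceaccount.com", // constructed
		Scope: "https://www.googleapis.com/auth/cloud-platform",
		Aud:   tokenURI,
		Iat:   now.Unix(),
		Exp:   now.Unix() + 3600,
	}
	jwt, err := SignAssertion(key, c)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyAssertion(&key.PublicKey, jwt, now); err != nil {
		panic(err)
	}
	fmt.Println("assertion verifies; body to POST to", tokenURI+":")
	fmt.Println(ExchangeBody(jwt))
}
```

In a real exchange the body is sent with `Content-Type: application/x-www-form-urlencoded`, and the endpoint's knowledge of the service account's public key is what ties the signed assertion to an identity. Short-lived tokens from impersonation, as the last answer below mentions, avoid distributing this long-lived key at all, which is why they are the preferred pattern for human operators.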
You can also use service account impersonation, wherein your user credentials can be used to 'impersonate' a service account. The user credentials essentially gain all the access credentials of the SA in this case.

https://googlecloudarchitect.us/short-lived-access-tokens-in-gcp-service-account-impersonation/?swcfpc=1

Overbalance answered 14/2, 2024 at 14:18 Comment(0)