Overview
A service account is a special kind of Google account that belongs to an application or workload (for example a Compute Engine VM) rather than to an end user. The application authenticates as the service account when it calls Google APIs.
The service account is therefore the identity of the workload, and the IAM roles granted to the service account determine which resources the workload can access. Nothing a process on the VM does can exceed what the attached service account is allowed to do.
A service account is identified by its email address, which is unique to the account.
Types of Service Accounts
User-managed service accounts
When you create a new Cloud project in the Cloud Console and the Compute Engine API is enabled for the project, a default Compute Engine service account is created for you. It is identifiable by the email:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
Google-managed service accounts
In addition to the user-managed service accounts, you may see additional service accounts in your project's IAM policy or in the Cloud Console. These service accounts are created and owned by Google. Each one represents a Google service and is automatically granted the IAM roles it needs on your Google Cloud project.
Google APIs service accounts
An example of a Google-managed service account is the Google APIs service account, identifiable by the email:
PROJECT_NUMBER@cloudservices.gserviceaccount.com
This service account exists to run internal Google processes on your behalf and is not listed in the Service Accounts section of the Cloud Console. By default it is automatically granted the project Editor role, so it does appear in the IAM section of the Cloud Console. Google services rely on this account, and it is deleted only when the project itself is deleted, so do not remove it or its default role.
Creating and Managing Service Accounts
When you create a new Cloud project, Google Cloud automatically creates one Compute Engine service account and one App Engine service account in that project. You can create up to 98 additional service accounts in the project (100 per project in total) to control access to your resources.
Creating a service account
Creating a service account is similar to adding a member to your project, except that the service account belongs to your application rather than to an individual end user.
To create a service account, run the following command in Cloud Shell (the account ID, my-sa-123 here, becomes the local part of the service account's email):
gcloud iam service-accounts create my-sa-123 --display-name "my service account"
The command prints the created service account, similar to the following:
Created service account [my-sa-123]
Granting Roles to Service Accounts
When granting IAM roles, you can treat a service account either as a resource or as an identity.
Your application uses a service account as an identity to authenticate to Google Cloud services. For example, if you have a Compute Engine virtual machine (VM) running as a service account, you can grant the Editor role to the service account (the identity) on a project (the resource).
At the same time, you may also want to control who can start the VM. You do this by granting a user (the identity) the Service Account User role (roles/iam.serviceAccountUser) on the service account (the resource). Note what this grant means: the user can act as that service account, for example by attaching it to VMs they create, and so effectively inherits every role the service account holds. Grant it on the specific service account rather than project-wide, and only to users who may legitimately hold all of that account's access.
Granting roles to a service account for specific resources
You grant roles to a service account so that it has permission to perform specific actions on the resources in your Cloud Platform project. For example, you might grant the roles/storage.admin role to a service account so that it has full control over objects and buckets in Cloud Storage.
Run the following in Cloud Shell to grant a role to the service account you just created. The lab uses roles/editor; it is a broad basic role, and for a real workload you would choose the narrowest predefined role that covers what the workload does:
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:my-sa-123@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/editor
Understanding Roles
When an identity calls a Google Cloud API, Cloud Identity and Access Management (IAM) requires that the identity holds the appropriate permissions on the resource. You grant permissions by granting roles to a user, a group, or a service account.
Types of Roles
- Primitive roles (now called basic roles): the Owner, Editor, and Viewer roles that existed before Cloud IAM was introduced. They apply across the whole project.
- Predefined roles: granular access to a specific service, managed by Google Cloud (for example roles/bigquery.dataViewer).
- Custom roles: granular access according to a user-specified list of permissions, created under a project or organization.
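The two ideas above (a service account as identity versus resource, and the three kinds of roles) are easiest to see by auditing an actual project policy. The script below is an added example, not part of the lab: it reads the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, classifies each role as basic, predefined or custom, recognises the service-account email patterns from this page, and flags two things a reviewer would want to know about: basic roles granted to service accounts, and project-wide impersonation rights such as roles/iam.serviceAccountUser. The policy embedded in the script is constructed sample data with made-up project, account and user names; the role IDs are real IAM role names.

```python
"""Audit a project IAM policy for the service-account risks discussed above.

Added example (not part of the lab). Input is the JSON shape returned by
`gcloud projects get-iam-policy PROJECT_ID --format=json`; SAMPLE_POLICY
below is constructed sample data with made-up project and e-mail names.
"""
import re

# Basic (formerly "primitive") roles: project-wide, coarse, predate Cloud IAM.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Roles that let the holder act as, or obtain credentials for, a service
# account. Whoever holds one of them on an Editor service account is
# effectively an Editor, so the binding deserves the same scrutiny.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
}

# E-mail patterns from the page: default Compute Engine SA, Google APIs SA,
# and user-managed SAs (NAME@PROJECT_ID.iam.gserviceaccount.com, where both
# NAME and PROJECT_ID are 6-30 lowercase letters, digits or hyphens).
SA_PATTERNS = (
    ("default-compute", re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")),
    ("google-apis", re.compile(r"^\d+@cloudservices\.gserviceaccount\.com$")),
    ("user-managed", re.compile(
        r"^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]"
        r"\.iam\.gserviceaccount\.com$")),
)


def classify_role(role):
    """Return 'basic', 'predefined' or 'custom' for an IAM role name."""
    if role in BASIC_ROLES:
        return "basic"
    # Custom roles are created under a project or an organization.
    if role.startswith(("projects/", "organizations/")):
        return "custom"
    return "predefined"


def classify_member(member):
    """Return the member kind ('user', 'group', ...) or, for service
    accounts, 'serviceAccount/<which kind of service account>'."""
    kind, _, email = member.partition(":")
    if kind != "serviceAccount":
        return kind
    for label, pattern in SA_PATTERNS:
        if pattern.match(email):
            return "serviceAccount/" + label
    return "serviceAccount/other"


def audit_policy(policy):
    """Return a list of (member, role, finding) tuples for a project policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = classify_member(member)
            if classify_role(role) == "basic" and kind.startswith("serviceAccount/"):
                note = "basic role on a service account"
                if kind == "serviceAccount/google-apis":
                    note += " (granted by default; Google services rely on it)"
                findings.append((member, role, note))
            if role in IMPERSONATION_ROLES:
                # At project level this is the right to act as every service
                # account in the project, not just one.
                findings.append((member, role, "project-wide impersonation right"))
    return findings


SAMPLE_POLICY = {  # constructed sample policy, not a real project
    "version": 1,
    "bindings": [
        {"role": "roles/editor", "members": [
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
            "serviceAccount:123456789012@cloudservices.gserviceaccount.com",
            "serviceAccount:my-sa-123@example-project.iam.gserviceaccount.com",
        ]},
        {"role": "roles/bigquery.dataViewer", "members": [
            "serviceAccount:bigquery-qwiklab@example-project.iam.gserviceaccount.com",
        ]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]},
        {"role": "projects/example-project/roles/logReader",
         "members": ["group:sre@example.com"]},
    ],
}

if __name__ == "__main__":
    for member, role, note in audit_policy(SAMPLE_POLICY):
        print(f"{member}\t{role}\t{note}")
```

Against the sample policy the script reports the three Editor grants to service accounts (the Google APIs account's being marked as the expected default) and alice's project-level Service Account User binding, and says nothing about the BigQuery Data Viewer grant to bigquery-qwiklab or the custom role on the group. Pipe a real `gcloud projects get-iam-policy --format=json` through `json.load` to run it on your own project.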
Use the Client Libraries to Access BigQuery from a Service Account
Navigation menu > IAM & Admin > + Create Service Account
Name : bigquery-qwiklab
Role : BigQuery Data Viewer, BigQuery User
Create a Compute Engine instance, attaching the bigquery-qwiklab service account to it (the Compute Engine credentials used below are issued by the VM's metadata server and only work for the service account attached to the VM)
SSH into the instance and prepare a Python environment:
sudo apt-get update
sudo apt-get install virtualenv
virtualenv -p python3 venv
source venv/bin/activate
sudo apt-get install -y git python3-pip
pip install google-cloud-bigquery
pip install pandas
Create the Python file (the quoted heredoc keeps the placeholders literal so they can be substituted with sed afterwards):
cat > query.py <<'EOF'
# Query BigQuery from a Compute Engine VM, authenticating as the service
# account attached to the VM. Tokens come from the metadata server, so no
# service account key file needs to exist on disk.
from google.auth import compute_engine
from google.cloud import bigquery

# The email must be the service account attached to this VM; the metadata
# server only issues tokens for that account.
credentials = compute_engine.Credentials(
    service_account_email='YOUR_SERVICE_ACCOUNT')

query = '''
SELECT
  year,
  COUNT(1) AS num_babies
FROM
  publicdata.samples.natality
WHERE
  year > 2000
GROUP BY
  year
'''

client = bigquery.Client(
    project='YOUR_PROJECT_ID',
    credentials=credentials)

# to_dataframe() needs pandas and pyarrow installed in the venv.
print(client.query(query).to_dataframe())
EOF
Replace 'YOUR_PROJECT_ID' with the current project:
sed -i -e "s/YOUR_PROJECT_ID/$(gcloud config get-value project)/g" query.py
Replace 'YOUR_SERVICE_ACCOUNT' with the email of the bigquery-qwiklab service account:
sed -i -e "s/YOUR_SERVICE_ACCOUNT/bigquery-qwiklab@$(gcloud config get-value project).iam.gserviceaccount.com/g" query.py
Run it (the first run fails; the fix follows the traceback):
python query.py
(venv) student-04-f226424281f6@bigquery-instance:~$ python query.py
Traceback (most recent call last):
File "query.py", line 23, in <module>
print(client.query(query).to_dataframe())
File "/home/student-04-f226424281f6/venv/lib/python3.7/site-packages/google/cloud/bigquery/job/query.py", line 1346, in to_dataframe
date_as_object=date_as_object,
File "/home/student-04-f226424281f6/venv/lib/python3.7/site-packages/google/cloud/bigquery/table.py", line 1867, in to_dataframe
create_bqstorage_client=create_bqstorage_client,
File "/home/student-04-f226424281f6/venv/lib/python3.7/site-packages/google/cloud/bigquery/table.py", line 1662, in to_arrow
raise ValueError(_NO_PYARROW_ERROR)
ValueError: The pyarrow library is not installed, please install pyarrow to use the to_arrow() function.
The missing piece is pyarrow, which to_dataframe() uses to convert results; installing pandas-gbq pulls it in as a dependency (installing pyarrow directly with pip install pyarrow also resolves the error):
pip install pandas-gbq==0.14.0
(venv) student-04-f226424281f6@bigquery-instance:~$ python query.py
year num_babies
0 2006 4273225
1 2001 4031531
2 2007 4324008
3 2003 4096092
4 2004 4118907
5 2002 4027376
6 2005 4145619
7 2008 4255156