1. Overview
    1. A special account used by services and applications
    2. Apps use service account credentials for authentication
    3. Firewall rules can be applied based on service accounts
    4. A service account is an identity used to run API requests
    5. Service accounts can create and manage instances and other resources based on assigned roles
    6. An instance can have only one service account
    8. The service account must be created in the same project as the instance
    8. User-managed and Google-managed service accounts can be assigned to instances
  2. User-managed
    1. Includes service accounts explicitly created and the Compute Engine default service account
    2. Users can create and manage own service accounts using Cloud IAM
    3. Grant service accounts IAM roles and set up instances to run as the service account
    4. Apps can use an account's credentials to make requests to Google APIs
    5. New projects come with the Compute Engine default service account
    6. Default service account is automatically added to projects
    7. Limit Google APIs the default service account can access
    8. Deleting the default service account might cause some applications to fail
    9. Default service account is automatically created
    10. Default service account is enabled by default on instances created with gcloud or the Console
    11. Users can specify a service account when creating an instance
    12. Access scopes define the default OAuth scopes for client libraries and gcloud requests
    13. Access scopes limit access to API methods when authenticating through OAuth
    14. Access scopes do not extend to other authentication protocols like gRPC
    15. Set the full cloud-platform access scope on the instance, and limit access securely using IAM roles
    16. Default service account is not enabled on instances created using API directly
    17. Default service account can be enabled by explicitly specifying it as part of the request payload
  3. Google-managed
    1. Created and managed by Google and assigned to projects automatically
    2. Represent Google services and each account has some level of access to Google Cloud project
    3. The default service account is used to run internal Google processes on the user's behalf
    4. The default service account is used by Compute Engine to perform its service duties
    5. It relies on the Service Agent IAM Policy granted on the Google Cloud Project
    6. By default, the account is automatically granted the project editor role
    7. This service account is only deleted when the project is deleted
    8. Users can change the roles granted to this account, including revoking all access to the project
    9. Managed instance groups and autoscaling use the credentials of this account
  4. Permissions
    1. When an instance runs as a service account, the level of access is determined by the IAM roles
    2. If the service account has no IAM roles, no API methods can be run using the service account
    3. Access scopes determine the default OAuth scopes for gcloud and client library requests
    4. Access scopes potentially further limit access to API methods when authenticating through OAuth
    5. Access scopes do not extend to other authentication protocols like gRPC
    6. The best practice is to set the full cloud-platform access scope on the instance, and limit access using IAM roles
    7. If the cloud-platform access scope is enabled, access is limited by the predefined IAM roles assigned
    8. If a more restrictive scope is granted, requests for more generous access via predefined roles are denied
  5. Roles
    1. Grant appropriate IAM roles to service account to enable access to relevant API methods
    2. IAM roles are account-specific, and any instance running as a service account can use the role
    3. If there isn't a predefined IAM role for the access level needed, grant a primitive role
    4. Access scopes must be set on an instance to authorize access
    5. A service account's access level is determined by the IAM roles granted to the service account
    6. An instance's access scopes determine the default OAuth scopes for gcloud and client library requests
    7. Access scopes further limit access to API methods when authenticating through OAuth
    8. Access scopes are the legacy method of specifying permissions for an instance
    9. Access scopes are not a security mechanism. They define the default OAuth scopes used
    10. Access scopes have no effect when making requests not authenticated through OAuth
    11. Must set up access scopes when configuring an instance to run as a service account
    12. Set full cloud-platform access scope on the instance, and securely limit API access with Cloud IAM roles
    13. Access scopes apply on a per-instance basis
    14. Access scopes persist only for the life of the instance
    15. Access scopes have no effect if the related API is not enabled
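The rules in Overview (one service account per instance, same project), User-managed (limit the default account) and Permissions (IAM roles decide, access scopes can only narrow OAuth requests) can be exercised as a small decision model. The block below is an added example, not code from the original notes or from Google; the role-to-permission and scope-to-permission tables are constructed approximations for illustration, not the real IAM or OAuth catalogue, and the service account e-mail formats are assumed from the standard naming (`<name>@<project-id>.iam.gserviceaccount.com` for user-managed, `<number>-compute@developer.gserviceaccount.com` for the Compute Engine default).

```python
"""Added example: model the access decision the notes describe for an instance
running as a service account, and review the serviceAccounts list of an
instance create request. Tables below are constructed, not the real catalogues."""

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Constructed: a few roles and a subset of the permissions they carry.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
}

# Constructed: permission prefixes each legacy access scope covers.
# cloud-platform covers everything, so under it IAM roles alone decide.
SCOPE_COVERS = {
    CLOUD_PLATFORM: ("",),
    "https://www.googleapis.com/auth/devstorage.read_only": ("storage.objects.get",
                                                              "storage.objects.list"),
    "https://www.googleapis.com/auth/compute.readonly": ("compute.",),
}


def iam_allows(roles, permission):
    """IAM check: at least one granted role must carry the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def scope_allows(scopes, permission):
    """Legacy access-scope check: some scope on the instance must cover the permission."""
    return any(permission.startswith(p) for s in scopes for p in SCOPE_COVERS.get(s, ()))


def request_allowed(roles, scopes, permission, auth="oauth"):
    """Decide one API call made from the instance. Returns (allowed, reason).
    No IAM role means denial regardless of scope; a scope narrower than the
    role denies the call; scopes are only consulted for OAuth-authenticated
    requests, as the notes state for other protocols such as gRPC."""
    if not iam_allows(roles, permission):
        return False, "denied: no IAM role on the service account grants " + permission
    if auth == "oauth" and not scope_allows(scopes, permission):
        return False, "denied: instance access scopes do not cover " + permission
    return True, "allowed"


def check_service_accounts(project_id, service_accounts):
    """Review the serviceAccounts entries of an instance request against the notes:
    only one account per instance, same project as the instance, flag the
    Compute Engine default account, and prefer cloud-platform scope plus IAM roles."""
    findings = []
    if len(service_accounts) > 1:
        findings.append("an instance can have only one service account")
    for sa in service_accounts:
        email = sa.get("email", "")
        scopes = sa.get("scopes", [])
        if email.endswith("-compute@developer.gserviceaccount.com"):
            findings.append(f"{email}: Compute Engine default service account; "
                            "limit the APIs it can reach or use a user-managed account")
        elif not email.endswith(f"@{project_id}.iam.gserviceaccount.com"):
            findings.append(f"{email}: not a user-managed account in project {project_id}")
        if CLOUD_PLATFORM not in scopes:
            findings.append(f"{email}: scopes {scopes} are narrower than cloud-platform; "
                            "requests beyond them are denied even if an IAM role allows them")
    return findings


if __name__ == "__main__":
    # Constructed sample: a viewer role under the broad scope, then a narrow scope.
    viewer = ["roles/storage.objectViewer"]
    narrow = ["https://www.googleapis.com/auth/devstorage.read_only"]
    print(request_allowed(viewer, [CLOUD_PLATFORM], "storage.objects.get"))
    print(request_allowed(viewer, [CLOUD_PLATFORM], "storage.objects.delete"))
    print(request_allowed(["roles/storage.objectAdmin"], narrow, "storage.objects.delete"))
    print(check_service_accounts("demo-project", [
        {"email": "app-sa@demo-project.iam.gserviceaccount.com", "scopes": [CLOUD_PLATFORM]}]))
    print(check_service_accounts("demo-project", [
        {"email": "123456-compute@developer.gserviceaccount.com", "scopes": narrow}]))
```

The `request_allowed` order mirrors the notes: IAM is the authoritative control, and a narrow access scope can only subtract from it, never add to it, which is why a cloud-platform scope plus tightly granted roles is the configuration the checker treats as clean.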