🦄

Claudio Petrini

GCP concepts

What is service account ?

A service account is a special kind of account used by an application or workload rather than a person. Service accounts are managed by Identity and Access Management (IAM).

Service accounts come in two types:

  1. user-managed service accounts
  2. Google-managed service accounts (service agents)

Only user-managed service accounts can be attached to a Compute Engine instance.

Default Compute Engine service account (user-managed, created automatically with the project):

PROJECT_NUMBER-compute@developer.gserviceaccount.com

Google-managed service accounts are used by Google services, not by your instance, to run internal processes on your behalf. The one you will see acting on Compute Engine resources is the Google APIs service agent:

PROJECT_NUMBER@cloudservices.gserviceaccount.com

Authorization of a GCE instance

Authorization is limited by two independent settings:

  1. the IAM roles granted to the service account
  2. the access scopes set on the instance

Access scopes limit what the OAuth token the instance obtains from the metadata server may be used for; IAM roles limit what the service account itself is allowed to do. Both must allow the operation before an application on the instance can access a resource: a broad role does not help if the scope excludes the API, and a broad scope does not help if no role grants the permission.

Default scopes of a GCE instance:

A new Compute Engine instance created without explicit scopes is configured with the following access scopes:

  • Read-only access to Cloud Storage: https://www.googleapis.com/auth/devstorage.read_only
  • Write access to Compute Engine logs: https://www.googleapis.com/auth/logging.write
  • Write access to publish metric data to your project: https://www.googleapis.com/auth/monitoring.write
  • Write access to Cloud Trace: https://www.googleapis.com/auth/trace.append

Best practice is to attach a dedicated user-managed service account with the cloud-platform (https://www.googleapis.com/auth/cloud-platform) access scope, and to control what the instance can do by granting that service account only the IAM roles it needs. With cloud-platform the scope no longer limits anything, so least privilege must come from IAM; combining cloud-platform with the default service account (which historically receives roles/editor on the project) leaves the instance with nothing limiting it at all.
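An added example (not the author's code) that puts the two gates from the authorization section and the best practice above into a small audit: it classifies each instance's identity setup from the JSON shape that `gcloud compute instances list --format=json` produces, and `can_call` shows that a Cloud Storage write fails when either the scope or the role is missing. The instance list, the IAM bindings, the project number, the instance names and `app-sa@my-project.iam.gserviceaccount.com` are constructed for the example, and `SCOPE_FOR` / `ROLE_PERMISSIONS` hold only the handful of entries the example needs.

```python
"""Audit which identity a Compute Engine instance runs as and what it can do.

Example added for this page (not the author's code). Inputs are constructed
samples: the instance list mimics `gcloud compute instances list --format=json`,
the bindings mimic what you would pull from the project IAM policy.
"""
import json
import re

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
STORAGE_RO = "https://www.googleapis.com/auth/devstorage.read_only"
STORAGE_RW = "https://www.googleapis.com/auth/devstorage.read_write"
STORAGE_FULL = "https://www.googleapis.com/auth/devstorage.full_control"

# Scopes a fresh instance gets when none are specified (the list above).
DEFAULT_SCOPES = {
    STORAGE_RO,
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/trace.append",
}

# Gate 1: which access scopes let a token reach a given Storage operation.
# Assumed subset for the example; cloud-platform covers every Google API.
SCOPE_FOR = {
    "storage.objects.get":    {CLOUD_PLATFORM, STORAGE_RO, STORAGE_RW, STORAGE_FULL},
    "storage.objects.create": {CLOUD_PLATFORM, STORAGE_RW, STORAGE_FULL},
}

# Gate 2: which IAM permissions a role carries. Assumed subset; real roles hold far more.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer":  {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/editor": {"storage.objects.get", "storage.objects.list",
                     "storage.objects.create", "storage.objects.delete"},
}


def is_default_compute_sa(email):
    """True for PROJECT_NUMBER-compute@developer.gserviceaccount.com."""
    return re.fullmatch(r"\d+-compute@developer\.gserviceaccount\.com", email) is not None


def can_call(permission, scopes, roles):
    """A call from the instance succeeds only if BOTH gates open: the token's
    scopes must cover the operation AND a role on the service account must
    grant the permission. Either one alone is not enough."""
    scope_ok = bool(SCOPE_FOR.get(permission, set()) & set(scopes))
    role_ok = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)
    return scope_ok and role_ok


def audit_instances(instances_json, bindings):
    """Flag instances that deviate from 'dedicated service account +
    cloud-platform scope + narrow IAM roles'. Returns one finding per
    attached service account."""
    findings = []
    for inst in json.loads(instances_json):
        for sa in inst.get("serviceAccounts", []):
            email = sa["email"]
            scopes = set(sa.get("scopes", []))
            roles = bindings.get(email, [])
            issues = []
            if is_default_compute_sa(email):
                issues.append("default Compute Engine service account attached")
            if CLOUD_PLATFORM in scopes and "roles/editor" in roles:
                issues.append("cloud-platform scope with roles/editor: nothing limits this identity")
            if scopes and CLOUD_PLATFORM not in scopes:
                issues.append("legacy per-API scopes: access limited by scopes, not by IAM roles")
            findings.append({"instance": inst["name"], "service_account": email,
                             "roles": list(roles), "issues": issues})
    return findings


# Constructed sample: one instance left on defaults, one set up per the best practice.
SAMPLE_INSTANCES = json.dumps([
    {"name": "legacy-vm",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": sorted(DEFAULT_SCOPES)}]},
    {"name": "hardened-vm",
     "serviceAccounts": [{"email": "app-sa@my-project.iam.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM]}]},
])

# Constructed bindings: the default compute SA with its historical roles/editor grant,
# the dedicated app-sa with only the role the application needs.
SAMPLE_BINDINGS = {
    "123456789012-compute@developer.gserviceaccount.com": ["roles/editor"],
    "app-sa@my-project.iam.gserviceaccount.com": ["roles/storage.objectViewer"],
}

if __name__ == "__main__":
    for f in audit_instances(SAMPLE_INSTANCES, SAMPLE_BINDINGS):
        print(f["instance"], f["service_account"], f["issues"] or "OK")
    # Editor on legacy-vm still cannot write to Storage (the scope blocks it), and
    # cloud-platform on hardened-vm still cannot write (the role does not grant it).
    print(can_call("storage.objects.create", DEFAULT_SCOPES, ["roles/editor"]))                   # False
    print(can_call("storage.objects.create", {CLOUD_PLATFORM}, ["roles/storage.objectViewer"]))   # False
    print(can_call("storage.objects.get", {CLOUD_PLATFORM}, ["roles/storage.objectViewer"]))      # True
```

Real inputs come from `gcloud compute instances list --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`. From inside a VM (useful during a pentest or an incident), the same facts are readable from the metadata server without any credentials: `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` and `.../default/scopes`.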

Made with love in Rome.