
I am just starting to use GCP and I have some questions about the service accounts.

Say there is a team of like 4 remotely located developers and we all want to use the python API to access GCP to launch instances and run stuff on them. My question is should every user get their own service account and keys or should one service account be shared by all? What is the intended use case here?

John Hanley
Luca

1 Answer

Google Cloud Service Accounts provide both identity and authorization to Google Cloud.

They are similar to user accounts. If you would like to do auditing or logging of actions with service accounts, you will want to use separate service accounts per user.

Service accounts are typically used for software applications to authorize their actions with the Google Cloud APIs. Service accounts are used to issue OAuth 2.0 access tokens and optionally OIDC identity tokens. These tokens are what provide your application with authorization in Google Cloud.

My question is should every user get their own service account and keys or should one service account be shared by all?

Yes, you should issue separate service account JSON key files to each developer. In the same way that you would not share usernames and passwords for computer systems, you would not share service accounts.

I have written a bunch of articles on Google Cloud Service Accounts that might help you understand how to configure and use them:

Google Cloud Service Accounts

John Hanley
  • Thank you. Can one service account have multiple keys or should they really be separate accounts? – Luca Nov 04 '19 at 00:25
  • I think the max number of keys per service account is 10. However, each key would have the same identity. Use different service accounts. The reason that service accounts support more than one key is for service account key rotation (one example). – John Hanley Nov 04 '19 at 01:02
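The auditing point in the answer above is easiest to see on actual audit log data. The following is an added example, not code from the original post: it parses constructed Cloud Audit Log lines (only the `principalEmail`, `methodName` and `resourceName` fields are filled in) and groups actions by principal, showing that a key shared by the whole team collapses every developer into one identity, while per-developer service accounts keep each action attributable. The project name, account names and resource paths are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample Cloud Audit Log lines (not from the original post). Only the
# fields this example reads are populated; real entries carry many more fields.
def _entry(principal, method, resource, ts):
    return json.dumps({"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "methodName": method, "resourceName": resource}})

INST = "projects/example-project/zones/us-central1-a/instances/"
SHARED_SA = "team-shared@example-project.iam.gserviceaccount.com"
# Four developers, one key file: every action is recorded under the same principal.
SHARED_LOG = [
    _entry(SHARED_SA, "v1.compute.instances.insert", INST + "build-01", "2019-11-04T00:10:00Z"),
    _entry(SHARED_SA, "v1.compute.instances.insert", INST + "build-02", "2019-11-04T00:12:00Z"),
    _entry(SHARED_SA, "v1.compute.instances.delete", INST + "build-01", "2019-11-04T00:30:00Z"),
]
# One service account per developer: the log names who did what.
PER_DEV_LOG = [
    _entry("dev-alice@example-project.iam.gserviceaccount.com", "v1.compute.instances.insert", INST + "build-01", "2019-11-04T00:10:00Z"),
    _entry("dev-bob@example-project.iam.gserviceaccount.com", "v1.compute.instances.insert", INST + "build-02", "2019-11-04T00:12:00Z"),
    _entry("dev-carol@example-project.iam.gserviceaccount.com", "v1.compute.instances.delete", INST + "build-01", "2019-11-04T00:30:00Z"),
]

def parse_entries(lines):
    """Parse JSON audit log lines; a malformed line is skipped rather than fatal."""
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def attribute_actions(entries):
    """Map each principalEmail to the (timestamp, method, resource) tuples it performed."""
    by_principal = defaultdict(list)
    for e in entries:
        p = e.get("protoPayload", {})
        who = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        by_principal[who].append((e.get("timestamp"), p.get("methodName"), p.get("resourceName")))
    return dict(by_principal)

def who_did(entries, method, resource):
    """Principals that called `method` on `resource`. With a shared service account this
    is always the single shared identity, however many developers hold its key."""
    return {who for who, acts in attribute_actions(entries).items()
            if any(m == method and r == resource for _, m, r in acts)}
```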