Service account functionality in GCP

Question

My organization is using GCP, and we have service accounts created for me and my co-workers. We need to use BigQuery storage transfer service, Cloud Dataflow and other Google Cloud resources.

1)So, what will be the recommended way of creating the scheduling job or creating the resources. Shall we create it via our service accounts or create another service account for the project and use that to schedule and use resources?

2)If it is done via my organization provided service account, what happens when I leave the organization and my service account is deleted. Does the jobs and pipelines continue to run under that project, or the resources are stopped?

Answer 1

NOTE Stackoverflow is focused on programming questions and this is not a programming question but more a question for help with architecture (guidance).

Service Accounts are non-user identities supported by Google.

Service Accounts are intended to be used by software|processes.

Service Accounts are Google resources that are "owned" by Google Projects (not Organizations nor users).

Service Accounts are deleted by Project members (users or indeed other Service Accounts that may inherit Project-specific roles from an Organization).

If a user (i.e. you) were to leave the organization, your org admins would likely delete your user account. This would not delete any Service Accounts. However, if your user identity had unique roles in the organization (represented by IAM permissions in the Google Organization and/or Project(s)), access to resources including Service Accounts could become inaccessible. For this reason, good org hygiene recommends that admin-like roles be assigned to groups rather than individual users.

I think it's good practice to create Service Accounts for software|processes on a per function basis. Some job should have its own Service Account.

This approach results in more Service Accounts but, it enables each Service Account to be exquisitely suited (IAM roles|permissions) to its job.