Service Accounts Flashcards
Service Account
An account that belongs to your application instead of to an individual end user.
It provides an identity for server-to-server interactions within a project without supplying user credentials.
Service accounts are identified by an email address (a user-created one looks like NAME@PROJECT_ID.iam.gserviceaccount.com).
There are three types of service accounts:
user-created or custom,
built-in,
Google APIs service accounts.
built-in
By default, every project comes with a built-in Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com). It is automatically granted the Editor role on the project, which is far more than most workloads need; the automatic grant can be switched off with the org policy constraint iam.automaticIamGrantsForDefaultServiceAccounts, and existing grants should be replaced with narrower roles.
Google APIs service accounts
Apart from the default service account, every project also comes with a Google APIs service account, identifiable by the email PROJECT_NUMBER@cloudservices.gserviceaccount.com. It is used by Google services acting on your behalf and should not be deleted.
authorization
The process of determining what permissions an authenticated identity has on a set of specified resources. For a VM's service account, both access scopes and Cloud IAM roles feed into that decision.
access scopes
A legacy method of specifying permissions for your VM. Before the existence of IAM roles, access scopes were the only mechanism for granting permissions to service accounts. A scope only limits which APIs the VM's OAuth token may be used for; the effective permission is the intersection of the instance's scopes and the service account's IAM roles, so a scope never grants anything the roles do not.
Cloud IAM roles
The current method of specifying permissions for your VM's service account.
For user-created service accounts, use Cloud IAM roles instead of scopes to specify permissions (give the instance the cloud-platform scope and control access with roles).
Now, roles for service accounts can also be assigned to groups or users.
How can roles for service accounts be assigned to groups or users
You treat the service account as a resource and decide who can use it by granting users or a group the Service Account User role (roles/iam.serviceAccountUser) on that service account.
how are service accounts authenticated?
By default, when using service accounts within Google Cloud, Google automatically manages (creates and rotates) the keys for service accounts. These are Google-managed keys; the private key never leaves Google.
However, if you need to use a service account outside Google Cloud, or want a different rotation period, you can also manually create and manage your own service account keys (user-managed keys).
default key rotation period for Google-managed service account keys
Two weeks. User-managed keys, by contrast, never expire or rotate on their own; rotating and deleting them is your responsibility.
User-managed keys
User-managed keys can be managed with the Cloud IAM API, the gcloud command-line tool, or the Service Accounts page in the Cloud Console.
User-managed keys should be a last resort: a downloaded key is a long-lived bearer credential that is easily leaked through source control, CI logs or laptops.
Consider the alternatives first, such as short-lived service account credentials (access tokens or OIDC tokens minted with the Service Account Token Creator role, roles/iam.serviceAccountTokenCreator) or service account impersonation.
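Since user-managed keys never rotate on their own, the practical check is to list them and flag the old ones. The script below is an added example, not part of the flashcards: it runs over a constructed sample of the JSON that `gcloud iam service-accounts keys list --iam-account=... --format=json` prints (the fields name, keyType, validAfterTime and validBeforeTime are the real API fields; the account name and key IDs are made up), counts Google-managed keys without flagging them, and classifies user-managed keys as expired, stale or ok against a rotation threshold.

```python
"""Audit service account keys by origin and age.

Added example, not from the flashcards. Input shape matches
`gcloud iam service-accounts keys list --format=json`; the sample data,
account email and key IDs below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample: one Google-managed key and three user-managed keys.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-15T00:00:00Z"},
  {"name": "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2023-11-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2024-05-10T08:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/dddd4444",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2023-12-01T00:00:00Z", "validBeforeTime": "2024-03-01T00:00:00Z"}
]"""

# Fixed "now" so the sample report is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_id(name: str) -> str:
    """Last path element of projects/-/serviceAccounts/<email>/keys/<id>."""
    return name.rsplit("/", 1)[-1]


def key_age_days(keys_json: str, kid: str, now: datetime) -> int:
    """Whole days since the key with id `kid` became valid."""
    for key in json.loads(keys_json):
        if key_id(key["name"]) == kid:
            return (now - parse_time(key["validAfterTime"])).days
    raise KeyError(kid)


def audit_keys(keys_json: str, now: datetime, max_age_days: int = 90) -> dict:
    """Classify keys.

    Google-managed (SYSTEM_MANAGED) keys are counted only: Google rotates them.
    User-managed keys are 'expired' when past validBeforeTime (delete them),
    'stale' when older than max_age_days (rotate them), otherwise 'ok'.
    """
    report = {"google_managed": 0, "expired": [], "stale": [], "ok": []}
    for key in json.loads(keys_json):
        if key["keyType"] != "USER_MANAGED":
            report["google_managed"] += 1
            continue
        kid = key_id(key["name"])
        if parse_time(key["validBeforeTime"]) <= now:
            report["expired"].append(kid)
        elif (now - parse_time(key["validAfterTime"])).days > max_age_days:
            report["stale"].append(kid)
        else:
            report["ok"].append(kid)
    return report


if __name__ == "__main__":
    for bucket, keys in audit_keys(SAMPLE_KEYS_JSON, NOW).items():
        print(f"{bucket}: {keys}")
```

To run it against a real account, replace SAMPLE_KEYS_JSON with the output of the gcloud command above. Keys that come back as expired are dead weight and can be deleted with `gcloud iam service-accounts keys delete`; stale ones should be rotated, or better, replaced by short-lived credentials so there is nothing left to rotate.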
granting roles to groups instead of individuals.
This allows you to update group membership instead of changing a Cloud IAM policy.
If you do this, make sure to audit membership of groups used in policies and control the ownership of the Google group used in Cloud IAM policies.
be very careful when granting the Service Account User role
Because whoever holds it can attach the service account to resources (for example a VM) and run code as it, gaining everything the service account has access to. Granted at the project level rather than on a single service account, it applies to every service account in the project.
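The cards above (roles granted to groups, the Service Account User role, the default service account's Editor grant) all reduce to questions you can ask of the project's IAM policy. The script below is an added example, not part of the flashcards: it runs over a constructed sample of the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints (the role names and member prefixes are the real ones; the project number, emails and etag are made up) and reports project-wide act-as grants, a default service account still holding a basic role, and the groups whose membership therefore needs auditing.

```python
"""Find risky bindings in a project-level IAM policy.

Added example, not from the flashcards. Input shape matches
`gcloud projects get-iam-policy PROJECT --format=json`; the sample policy,
project number, emails and etag below are constructed.
"""
import json
import re

SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "group:platform-team@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "group:ci-runners@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwX0example",
  "version": 1
}"""

# Roles that let the holder act as a service account. Granted at project
# level, they cover every service account in the project.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
BASIC_ROLES = {"roles/owner", "roles/editor"}
DEFAULT_COMPUTE_SA = re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$")


def load_policy(text: str) -> dict:
    return json.loads(text)


def bindings(policy: dict):
    """Yield (role, member) pairs. Conditional bindings are treated as
    unconditional, the conservative choice for an audit."""
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            yield b["role"], m


def project_wide_act_as(policy: dict) -> list:
    """Members who can act as any service account in the project."""
    return sorted((m, r) for r, m in bindings(policy) if r in ACT_AS_ROLES)


def default_sa_with_basic_role(policy: dict) -> list:
    """The Compute Engine default service account still holding Editor or Owner."""
    return sorted((m, r) for r, m in bindings(policy)
                  if r in BASIC_ROLES and DEFAULT_COMPUTE_SA.match(m))


def groups_to_audit(policy: dict) -> list:
    """Groups referenced by the policy: their membership and ownership are
    now part of the effective policy and must be reviewed."""
    return sorted({m[len("group:"):] for _, m in bindings(policy) if m.startswith("group:")})


if __name__ == "__main__":
    p = load_policy(SAMPLE_POLICY_JSON)
    print("project-wide act-as grants:", project_wide_act_as(p))
    print("default SA with basic role:", default_sa_with_basic_role(p))
    print("groups to audit:", groups_to_audit(p))
```

Anything reported by project_wide_act_as should be moved to a binding on the specific service account that the member actually needs; anything reported by default_sa_with_basic_role should be replaced with a custom service account carrying only the roles the workload uses.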
Cloud Identity-Aware Proxy (Cloud IAP)
Lets you establish a central authorization layer for applications accessed over HTTPS.
You can therefore use an application-level access control model instead of relying on network-level firewalls.
Applications and resources protected by Cloud IAP can only be accessed through the proxy by users and groups with the correct Cloud IAM role. Two caveats: the backend must still be firewalled so that only IAP-fronted traffic reaches it, and the application should verify the signed x-goog-iap-jwt-assertion header rather than trusting the plain X-Goog-Authenticated-User-* headers, which anything that reaches the backend directly could forge.