GCP - Service Account vs Service Agent
A Service Agent is one kind of Service Account. Service Accounts can be:
- User-managed Service Account:
  - managed by users.
  - the identity of a workload in GCP.
  - for user-owned resources accessing other GCP resources.
  - for example, a user owns a GCE instance and a GCS bucket; a service account can be attached to the GCE instance, and it is used for authn and authz when writing to the GCS bucket.
  - format:
    [email protected]; 1234 is the project ID. It is on the right side of the @, which indicates that the account is owned by this user project.
- Service Agent:
  - managed by Google Cloud.
  - allows GCP services to access resources on your behalf.
  - for example, a user owns a GCS bucket; Cloud Logging wants to write logs to the bucket, so it uses a service agent to get access.
  - format:
    [email protected]; 5678 is the org ID. It is on the left side of the @, which indicates that the org is not the owner; CIEM is on the right side, so this is the CIEM service agent for org 5678.
Note:
- For per-project service agents: even though service agents are actually service accounts owned by a Google-owned producer project, GCP infrastructure treats them as if they were owned by their associated consumer resource.
- Service agents use the new format
  service-{project-number|org-id}@{service}.iam.gserviceaccount.com, which specifies both the GCP service (on the right side of the @) and the customer resource container (on the left side of the @). The following legacy types of service accounts are no longer used:
  - Cloud Service Robot: one SA for all services to access one customer project:
    {projectnumber}@cloudservices.gserviceaccount.com
  - one SA for a service to access all customer projects:
    {servicename}@system.gserviceaccount.com
- Service agent: one SA for one service to access one customer resource container (service = 1).
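As an added example (not part of the original note), the naming rules above turned into a small classifier: it tells user-managed accounts, new-format service agents and the two legacy forms apart, extracts the resource container each identity is scoped to, and then scans an IAM policy for service accounts scoped to a project or org you do not own. The user-managed format {name}@{project-id}.iam.gserviceaccount.com is assumed from Google's documentation, and the policy, project numbers and service names are constructed sample values.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Regexes follow the formats in the note above. The user-managed form,
# {name}@{project-id}.iam.gserviceaccount.com, is Google's documented format,
# assumed here because the note's own example did not survive extraction.
_PATTERNS = [
    ("service-agent", re.compile(r"^service-(?P<container>[^@]+)@(?P<service>[^.]+)\.iam\.gserviceaccount\.com$")),
    ("legacy-robot", re.compile(r"^(?P<container>\d+)@cloudservices\.gserviceaccount\.com$")),
    ("legacy-system", re.compile(r"^(?P<service>[^@]+)@system\.gserviceaccount\.com$")),
    ("user-managed", re.compile(r"^(?P<name>[a-z][a-z0-9-]{5,29})@(?P<container>[^.]+)\.iam\.gserviceaccount\.com$")),
]

@dataclass(frozen=True)
class SaIdentity:
    email: str
    kind: str                 # user-managed | service-agent | legacy-robot | legacy-system
    container: str | None     # project id/number or org id the identity is scoped to
    service: str | None       # GCP service, for service agents and legacy system robots
    google_managed: bool

def classify(email: str) -> SaIdentity:
    """Classify a *.gserviceaccount.com email by the naming rules above."""
    # service-agent is tried before user-managed on purpose: "service-1234" is also a
    # syntactically valid user-managed SA name, so the order encodes Google's convention.
    e = email.strip().lower()
    for kind, pat in _PATTERNS:
        if m := pat.match(e):
            g = m.groupdict()
            return SaIdentity(e, kind, g.get("container"), g.get("service"), kind != "user-managed")
    raise ValueError(f"unrecognised service account email: {email}")

def foreign_service_accounts(policy: dict, own_containers: set[str]) -> list[tuple[str, str]]:
    """(role, email) for serviceAccount members scoped outside own_containers: cross-project/org grants to review."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                ident = classify(member.split(":", 1)[1])
                if ident.container and ident.container not in own_containers:
                    found.append((binding["role"], ident.email))
    return found

# Constructed sample policy (not a real project); 1234 is "our" project number.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectCreator", "members": [
        "serviceAccount:service-1234@gcp-sa-logging.iam.gserviceaccount.com",
        "serviceAccount:app-writer@my-proj-1234.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": [
        "serviceAccount:service-5678@gcp-sa-ciem.iam.gserviceaccount.com", "user:alice@example.com"]},
]}
```

Running foreign_service_accounts(SAMPLE_POLICY, {"1234", "my-proj-1234"}) flags only the org-5678 CIEM agent, since the logging agent and the user-managed account both sit in our own container.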