Cycle Service Accounts
How to Create a New Service Account
Steps
- Go to the Google Cloud Console:
- Select your project:
- Navigate to the Service Accounts page:
- Search for "Service Accounts" in the search bar.
- Create a new service account:
- Click the + CREATE SERVICE ACCOUNT button.
- Fill in the service account details:
- Service account name: Enter a descriptive name.
- Service account ID: Auto-generated, can be customized.
- Service account description: (Optional) Add a description.
- Click Create and continue.
- Create and download keys:
- Click on the newly created service account.
- Go to the Keys tab.
- Click Add Key > Create new key.
- Select JSON format and click Create.
- Download the JSON key file and keep it secure.
How to Create a Custom Role
Note: This is a one-time step.
Steps
- Go to the Google Cloud Console:
- Select your project or organization:
- Navigate to the IAM & Admin Roles page:
- Search for "Roles" in the search bar.
- Create a new custom role:
- Click the + CREATE ROLE button at the top.
- Fill in the role details:
- Title: Enter a descriptive name for the role.
- ID: This is auto-generated based on the title but can be customized.
- Description: Provide a clear description of what this role is for.
- Role Launch stage: Choose the launch stage General Availability.
- Add permissions to the role:
- Click Add Permissions.
- Search for and select the permissions you want to include in this role (take these from the dev environment role named Least Permission Custom Role).
- You can add multiple permissions based on your needs.
- Click Add to confirm.
- Create the role:
- After adding permissions, click Create to finalize the custom role.
How to Assign a Custom Role to a Service Account in Google Cloud Platform (GCP)
Steps
- Go to the Google Cloud Console:
- Select your project:
- Navigate to the IAM page:
- Search for "IAM" in the search bar.
- Find the service account:
- Scroll or use the search bar to find the service account you want to assign the role to.
- Edit the service account’s permissions:
- Click the pencil icon (✏️) next to the service account entry to edit its roles.
- Add the custom role:
- In the Add another role dropdown, search for your custom role by name.
- Select the custom role you created.
- Save the changes:
- Click Save to apply the new role to the service account.
Note: If the service account is not found in step 4, click Grant access on the same page, enter the service account email (found on the Service Accounts page), and then select the required role.
List of roles to add to service account
Predefined Roles to add
- Cloud Datastore User
- Cloud SQL Client
Custom role
- Add the custom role created in How to Create a Custom Role.
Things to note when adding role/permissions to service account
- If a predefined role exists with exactly the permissions you need, assign that role directly to the service account.
- If no predefined role matches your exact permission requirements, update the custom role with only the required permissions.
For reference, the dev environment service account is firebase-adminsdk, which is configured with least privileges.
How to use this service account
Dev env
- Replace the service account JSON in all the places where the old service account was being used.
Higher Env
- The service account JSON saved in the How to Create a New Service Account step should be base64-encoded and updated in the GitHub secrets.
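The two checks a practitioner wants before swapping the key in (the Higher Env step above) and when deciding between a predefined and the custom role (Things to note above), as an added Python example that is not part of this runbook: the project name, service account email, and permission lists are constructed placeholders, and the key JSON contains no real key material.

```python
import base64
import json

# Fields a GCP service-account key file always carries.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id")

def validate_key_json(raw: str, expected_project: str) -> dict:
    """Parse the downloaded key file and refuse anything that is not a
    service-account key for the project whose account is being cycled."""
    key = json.loads(raw)
    missing = [f for f in KEY_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service-account key (type={key['type']!r})")
    if key["project_id"] != expected_project:
        raise ValueError(f"key is for project {key['project_id']!r}, "
                         f"expected {expected_project!r}")
    return key

def encode_for_github_secret(raw: str, expected_project: str) -> str:
    """Validate, then base64-encode the whole file for the GitHub secret."""
    validate_key_json(raw, expected_project)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def decode_github_secret(secret: str) -> dict:
    """What the deploy side does: decode the secret and parse the JSON."""
    return json.loads(base64.b64decode(secret).decode("utf-8"))

def choose_role(required: set, predefined: dict) -> tuple:
    """Apply the 'Things to note' rule: a predefined role only when its
    permission set equals the required set exactly, otherwise the custom
    role limited to exactly the required permissions."""
    for name, perms in predefined.items():
        if set(perms) == set(required):
            return ("predefined", name, sorted(required))
    return ("custom", "Least Permission Custom Role", sorted(required))

# Constructed sample key file: placeholder values only, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cycled-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})
```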
Status: Accepted
Category: Protected
Authored By: Gladson on May 05, 2025