A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.

For instance, you might have an application running in a virtual machine that needs to store data in Google Cloud Storage, and you want only that virtual machine, not just anyone on the Internet, to have access to that data.

So, you’d create a service account to authenticate your VM to Cloud Storage. Service accounts are named with an email address.

Instead of passwords, however, they use cryptographic keys to access resources. This way the service account is the identity of the service, and the service account’s permissions control which resources the service can access.

A service account is identified by its email address, which is unique to the account.

Differences between a service account and a user account

  • Service accounts do not have passwords, and cannot log in via browsers or cookies.
  • Service accounts are associated with private/public RSA key pairs that are used for authentication to Google.
  • Cloud IAM permissions can be granted to allow other users (or other service accounts) to impersonate a service account.
  • Service accounts are not members of your G Suite domain, unlike user accounts. For example, if you share assets with all members in your G Suite domain, they will not be shared with service accounts. Similarly, any assets created by a service account cannot be owned or managed by G Suite admins.
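
Because other users and service accounts can be granted permission to impersonate a service account, it is worth reviewing who holds that permission. The following is an added example, not code from the original page: it audits the IAM policy of one service account (in the JSON shape printed by `gcloud iam service-accounts get-iam-policy --format=json`) and flags grants that deserve a closer look. The list of impersonation roles, the severity labels and the sample policy are assumptions made for this example.

```python
# Roles that let a member act as, or mint credentials for, a service account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.workloadIdentityUser",
}
SA_SUFFIX = ".iam.gserviceaccount.com"

def sa_project(email):
    """Project ID from a user-managed service account email, else None."""
    domain = email.partition("@")[2]
    if domain.endswith(SA_SUFFIX):
        return domain[: -len(SA_SUFFIX)]
    return None  # default and Google-managed accounts use other domains

def audit_impersonation(target_email, policy):
    """Return sorted (severity, member, role) tuples for one IAM policy."""
    home = sa_project(target_email)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in IMPERSONATION_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "serviceAccount" and sa_project(ident) != home:
                severity = "review"  # identity lives in another project
            elif kind in ("group", "domain"):
                severity = "review"  # membership changes outside this policy
            else:
                severity = "info"
            findings.append((severity, member, role))
    return sorted(findings)

# Constructed sample data, not taken from a real project.
SAMPLE_TARGET = "storage-writer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": [
        "user:alice@example.com",
        "serviceAccount:ci-runner@other-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": [
        "group:devs@example.com",
        "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]}

if __name__ == "__main__":
    for severity, member, role in audit_impersonation(SAMPLE_TARGET, SAMPLE_POLICY):
        print(f"{severity:7} {member} {role}")
```

Project-level bindings can also grant these roles across every service account in a project, so the same check is worth running on the project policy.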