Create a service account

The service-account module lets you create service accounts for your Google Cloud projects. By using this module, you can automate the creation of service identities and securely assign Identity and Access Management (IAM) roles. This automation ensures that your cluster resources have the exact permissions that they require to operate securely.

For the complete list of inputs and outputs for this module, see the service-account module page in the Cluster Toolkit GitHub repository.

Before you begin

Before you begin, verify that you meet the following requirements:

  • You have installed and configured Cluster Toolkit. For installation instructions, see Set up Cluster Toolkit.
  • For more information about creating and customizing blueprints, see Cluster blueprint.

Required roles

To get the permissions that you need to create service accounts and assign roles, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a service account with project roles

The following example demonstrates how to create a service account named instance_acct and grant it specific roles across all resources within the project.

- id: service_acct
  source: modules/project/service-account
  settings:
    project_id: $(vars.project_id)
    name: instance_acct
    project_roles:
    - logging.logWriter
    - monitoring.metricWriter
    - storage.objectViewer

Use a service account with the startup-script module

When you use the service-account module alongside the startup-script module, the service account must have read access to the Cloud Storage bucket that contains the scripts. You can provide this access in one of the following ways:

  • Grant a project-wide role: Assign a role to the service account that grants read access to Cloud Storage buckets project-wide.
  • Assign access in the startup-script module: Specify the service account as a bucket viewer in the startup-script module settings.

The following example demonstrates how to specify the service account as a bucket viewer:

- id: service_acct
  source: modules/project/service-account
  settings:
    project_id: $(vars.project_id)
    name: instance_acct
    project_roles:
    - logging.logWriter
    - monitoring.metricWriter

- id: script
  source: modules/scripts/startup-script
  settings:
    bucket_viewers:
    - $(service_acct.service_account_iam_email)
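As an added example that is not part of this page or of the Cluster Toolkit itself: a small pre-deployment check over a blueprint's module list (embedded here as the already-parsed form of the YAML above, as yaml.safe_load would return it) that reports a service account which has neither a Cloud Storage read project role nor a bucket_viewers entry for a startup-script module, and flags basic or admin roles that are broader than an instance identity usually needs. The role sets and the lint_modules function are assumptions of this example, not something the module enforces.

```python
import re

# Constructed sample: the two modules from the bucket_viewers example above,
# as the already-parsed form of the blueprint YAML.
SAMPLE_MODULES = [
    {"id": "service_acct", "source": "modules/project/service-account",
     "settings": {"project_id": "$(vars.project_id)", "name": "instance_acct",
                  "project_roles": ["logging.logWriter", "monitoring.metricWriter"]}},
    {"id": "script", "source": "modules/scripts/startup-script",
     "settings": {"bucket_viewers": ["$(service_acct.service_account_iam_email)"]}},
]

# Assumed policy for this example: basic roles are broader than an instance
# identity needs, and these predefined roles grant object read on buckets.
BASIC_ROLES = {"owner", "editor", "viewer"}
BUCKET_READ_ROLES = {"storage.objectViewer", "storage.objectUser",
                     "storage.objectAdmin", "storage.admin"} | BASIC_ROLES
# Matches the blueprint reference form used in bucket_viewers.
REF = re.compile(r"^\$\((?P<id>[\w-]+)\.service_account_iam_email\)$")


def _referenced_ids(viewers):
    """Module ids named by $(<id>.service_account_iam_email) references."""
    return {m.group("id") for m in map(REF.match, viewers) if m}


def lint_modules(modules):
    """Return findings for every service-account / startup-script pairing."""
    findings = []
    accounts = [m for m in modules if m["source"].endswith("/service-account")]
    scripts = [m for m in modules if m["source"].endswith("/startup-script")]
    for acct in accounts:
        roles = set(acct["settings"].get("project_roles", []))
        for role in sorted(roles & BASIC_ROLES):
            findings.append(f"{acct['id']}: basic role {role} is broader than an instance needs")
        for role in sorted(roles):
            if role.endswith("Admin") or role.endswith(".admin"):
                findings.append(f"{acct['id']}: {role} grants admin access; confirm it is required")
        for script in scripts:
            listed = acct["id"] in _referenced_ids(script["settings"].get("bucket_viewers", []))
            if not listed and not roles & BUCKET_READ_ROLES:
                findings.append(f"{acct['id']}: no read access to {script['id']}'s bucket "
                                "(add a storage read project_role or list it in bucket_viewers)")
    return findings


if __name__ == "__main__":
    print(lint_modules(SAMPLE_MODULES) or "no findings")
```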

What's next

  • For the complete list of inputs and outputs for this module, see the service-account module page in the Cluster Toolkit GitHub repository.