Service account

A service account is a special type of Google account used by applications or compute workloads, rather than individual users, to make authorized API calls. Each service account is uniquely identified by an email address. Applications can authenticate as the service account itself, gaining access to all resources the service account has permissions for. A common method is to attach a service account to a resource like a Compute Engine instance.

There are several types of service accounts in Google Cloud, including user-managed service accounts that you create, default service accounts created automatically by certain services, and service agents managed by Google Cloud to act on your behalf. Applications can obtain short-lived credentials or, less securely, use service account keys to authenticate.

Service accounts function as both principals and resources within IAM. As principals, you can grant them roles to access Google Cloud resources. As resources, you can grant other principals permissions to interact with the service account, such as allowing a user to impersonate it.
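
The two views described above can be checked from exported IAM policies. The following is an added example, not code from the original page or from Google: it reads the standard `bindings` structure of an IAM policy and reports what a service account can do as a principal and who can act as it as a resource. The account name, project and policies are constructed samples, the email patterns cover common formats only, and treating the two listed roles as the impersonation-capable set is an assumption of this audit.

```python
import re

# Assumption: roles on a service account (as a resource) that this audit
# treats as letting another principal act as the account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}

# Common email formats per service account type (not exhaustive).
# Order matters: the service agent format also fits the user-managed pattern.
SA_TYPES = [
    ("service agent", re.compile(r"^service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$")),
    ("default (Compute Engine)", re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")),
    ("default (App Engine)", re.compile(r"^[a-z0-9-]+@appspot\.gserviceaccount\.com$")),
    ("user-managed", re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")),
]

def classify(email):
    """Return the service account type suggested by its email address."""
    return next((label for label, pat in SA_TYPES if pat.match(email)), "unknown")

def roles_held_by(project_policy, email):
    """Service account as principal: roles granted to it in a project policy."""
    member = f"serviceAccount:{email}"
    return sorted(b["role"] for b in project_policy.get("bindings", [])
                  if member in b.get("members", []))

def impersonators(sa_policy):
    """Service account as resource: principals granted a role to act as it."""
    found = {}
    for b in sa_policy.get("bindings", []):
        if b["role"] in IMPERSONATION_ROLES:
            for m in b.get("members", []):
                found.setdefault(m, []).append(b["role"])
    return found

# Constructed sample data (hypothetical account, project and members).
SA = "connector-sa@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{SA}", "user:alice@example.com"]},
    {"role": "roles/pubsub.publisher", "members": [f"serviceAccount:{SA}"]},
]}
SA_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountAdmin", "members": ["group:admins@example.com"]},
]}

if __name__ == "__main__":
    print(classify(SA), roles_held_by(PROJECT_POLICY, SA), impersonators(SA_POLICY))
```

Anyone returned by `impersonators` effectively holds every role returned by `roles_held_by`, so both lists belong in the same access review.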

It's recommended to create the service account in the same project as the connector. For more information, see Creating a service account.