Workspace vs Project Level
Service accounts can be created at two levels:
- Workspace level — Access is governed by workspace IAM policies. Suitable for cross-project automation.
- Project level — Scoped to a single project, following the principle of least privilege. Suitable for isolated automation within one project.
Create a Service Account
- For workspace-level: go to IAM & Admin > Service Accounts tab and click Add Service Account.
- For project-level: go to Project > Manage > Service Accounts and click Add Service Account.
Service accounts cannot be part of user groups. Since service accounts are for automated processes with specific access needs, including them in groups could grant unintended permissions. This is considered an anti-pattern.
Service Account vs Workload Identity
| | Service Account | Workload Identity |
|---|---|---|
| Credential | Long-lived API key | Short-lived OIDC token |
| Best for | Scripts, Terraform, general API access | CI/CD pipelines (GitHub Actions, GitLab CI) |
| Security | Key must be stored as a secret | No secrets to manage |