Is it possible to give a Google Compute Engine instance permission to delete itself without also giving it permission to delete other instances?

That is, I'd like the instance named ABC to be able to run:

gcloud compute instances delete ABC

using its own name, ABC, but no other name.

From the delete instance API docs, to delete any instance in the project you have to have:

This seems to me to mean that you either have permission to delete any instance in the project or none at all.

1 Answer

No. The service account assigned to the instance is what runs the gcloud command, not the instance itself.

Permissions are granted by setting policies that grant roles to a user, group, or service account as a member of your project. Example: the role "Compute Instance Admin" can create, modify, and delete virtual machine instances, which means all the instances in your project. You cannot specify a single instance.

The gcloud command below can be applied to the ABC instance or to any other instance in your project.

gcloud compute instances delete ABC --zone <zone>

The permission compute.instances.delete is in these roles:

  • Compute Admin
  • Compute Instance Admin
  • Project Editor
  • Project Owner

You can also create a custom role that has mixed permissions and assign it to a service account, but you need to be sure that you set every permission required for the action.

Scopes select the type and level of API access that you grant to the VM.

By default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, and read/write access to Service Control.

But you can select which Cloud APIs the VM, that is, the service account, can access.
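Since the IAM role is project-wide, the only place to narrow "delete ABC" down to "delete myself" is in the script that runs on the instance. The wrapper below is an added example, not code from the question or answer: it reads the instance's own name and zone from the GCE metadata server and refuses any other target. It assumes `curl` and `gcloud` are installed on the VM; the guard is application-level only, and the service account still holds `compute.instances.delete` for every instance in the project, as the answer explains.

```shell
#!/bin/sh
# Self-delete wrapper for a GCE instance (added example, assumes curl + gcloud).
# The metadata server only answers from inside the VM and requires this header.
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance"

own_name() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL/name"
}

own_zone() {
  # The zone endpoint returns projects/<number>/zones/<zone>; keep the last part.
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL/zone" | sed 's#.*/##'
}

# Returns 0 only when the requested target is exactly this instance's own name.
# An empty self name (metadata unavailable) never matches, so nothing is deleted.
is_self() {
  target="$1"
  self="$2"
  [ -n "$self" ] && [ "$target" = "$self" ]
}

# Deletes the instance only if the caller asked for this instance by its own name.
# Exit status: 0 deleted, 1 refused (wrong target), 2 not running on GCE.
self_delete() {
  target="$1"
  name=$(own_name) || { echo "metadata server unavailable; not on GCE?" >&2; return 2; }
  if ! is_self "$target" "$name"; then
    echo "refusing: '$target' is not this instance ('$name')" >&2
    return 1
  fi
  gcloud compute instances delete "$name" --zone "$(own_zone)" --quiet
}

# Usage: ./self-delete.sh ABC   (only succeeds when run on the instance named ABC)
if [ $# -gt 0 ]; then
  self_delete "$1"
fi
```

Audit the IAM side separately: the script cannot stop a compromised workload from calling gcloud directly, so the project-level binding is still what matters in the Cloud Audit Logs.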