When you enable the Google Cloud Build service for a project, two service accounts are assigned roles within the project:
- [PROJECT-ID]@cloudbuild.gserviceaccount.com is assigned the Cloud Build Service Account Role, and is referred to in the Cloud Build documentation as the service account to which you want to grant additional permissions if you need your builds to perform functions such as deploying to AppEngine or Cloud Functions.
- service-[PROJECT-ID]@gcp-sa-cloudbuild.iam.gserviceaccount.com is actually named "Cloud Build Service Account" and is granted the Cloud Build Service Agent Role in your project.
Unfortunately, for this latter service account, I can find no documentation. I'm assuming this is the account that actually triggers builds, whereas the other one is used by the running builds themselves.
Is that accurate?