4
votes

When you enable the Google Cloud Build service for a project, two service accounts are assigned roles within the project:

  • [PROJECT-ID]@cloudbuild.gserviceaccount.com is assigned the Cloud Build Service Account Role, and is referred to in the Cloud Build documentation as the service account to which you want to grant additional permissions if you need your builds to perform functions such as deploying to AppEngine or Cloud Functions.

  • service-[PROJECT-ID]@gcp-sa-cloudbuild.iam.gserviceaccount.com is actually named "Cloud Build Service Account" and is granted the Cloud Build Service Agent Role in your project.

Unfortunately, for this latter service account, I can find no documentation. I'm assuming this is the account that actually triggers builds, whereas the other one is used by the running builds themselves.

Is that accurate?


2 Answers

2
votes

Any service that has "Agent" in the service account description should be left alone. These service accounts are used by the service for authorization to Google Cloud services that it requires to operate. These service accounts are owned/managed/controlled by Google Cloud. If you remove permissions from this service account, the service usually breaks (stops working correctly).

The Cloud Build Service Agent has permissions to manage/create resources in Google Cloud in your project that it needs to operate. This link provides documentation for these permissions.

1
votes

According to the official documentation, Understanding roles:

Cloud Build Service Account can perform builds

Cloud Build Service Agent (Alpha) gives the Cloud Build Service Account access to managed resources
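A small audit check that follows from both answers (added example, not from the question, the answers, or Google's own tooling): it parses the JSON that `gcloud projects get-iam-policy --format=json` emits and reports if either Cloud Build principal has lost the role the answers describe, or if the build service account has been handed a broad role such as Editor. The IAM role IDs `roles/cloudbuild.builds.builder` (Cloud Build Service Account) and `roles/cloudbuild.serviceAgent` (Cloud Build Service Agent) are assumed to be the role IDs behind the display names above, and the sample policy is constructed.

```python
import json

# Assumed IAM role IDs behind the display names discussed in the answers.
BUILD_ROLE = "roles/cloudbuild.builds.builder"  # "Cloud Build Service Account"
AGENT_ROLE = "roles/cloudbuild.serviceAgent"    # "Cloud Build Service Agent"
# Broad roles a build service account should not need.
OVERLY_BROAD = {"roles/owner", "roles/editor"}


def cloud_build_members(project_id):
    """Return the two Cloud Build principals as IAM member strings."""
    build_sa = f"serviceAccount:{project_id}@cloudbuild.gserviceaccount.com"
    agent_sa = (f"serviceAccount:service-{project_id}"
                "@gcp-sa-cloudbuild.iam.gserviceaccount.com")
    return build_sa, agent_sa


def audit_cloud_build_policy(policy_json, project_id):
    """Audit a project IAM policy (gcloud projects get-iam-policy --format=json).

    Returns a list of human-readable findings; an empty list means both
    principals hold exactly the roles the answers describe.
    """
    policy = json.loads(policy_json)
    build_sa, agent_sa = cloud_build_members(project_id)
    roles = {}  # member -> set of roles bound to it
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles.setdefault(member, set()).add(binding["role"])
    findings = []
    # Removing the agent's role breaks the service, as the first answer warns.
    if AGENT_ROLE not in roles.get(agent_sa, set()):
        findings.append(f"service agent lacks {AGENT_ROLE}: builds will break")
    if BUILD_ROLE not in roles.get(build_sa, set()):
        findings.append(f"build service account lacks {BUILD_ROLE}")
    for role in sorted(roles.get(build_sa, set()) & OVERLY_BROAD):
        findings.append(f"build service account holds broad role {role}")
    return findings


# Constructed sample: agent role intact, build SA also granted Editor.
SAMPLE_POLICY = json.dumps({"version": 1, "etag": "BwXconstructed=", "bindings": [
    {"role": AGENT_ROLE, "members": [
        "serviceAccount:service-123456@gcp-sa-cloudbuild.iam.gserviceaccount.com"]},
    {"role": BUILD_ROLE, "members": [
        "serviceAccount:123456@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:123456@cloudbuild.gserviceaccount.com", "user:dev@example.com"]},
]})

if __name__ == "__main__":
    for finding in audit_cloud_build_policy(SAMPLE_POLICY, "123456"):
        print("FINDING:", finding)
```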