
About GCP Service Account

From the web console, I launched a GCE instance using the service account X I created.

If you request http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ from within the instance, the following is returned:

    my-service-account-X@foo/
    default/

Is the default service account enabled even if I set service account X?

If so, what about the permissions?
The default service account has strong permissions and is restricted by scope, but if you configure it according to best practices and use service account X, the scope is cloud-platform. In other words, if you use the API key obtained by accessing http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/apikey, can you access APIs that are not allowed by service account X?

Also, does service account X need to include permissions included in the default service account, such as writing logs?


1 Answer


Both results actually reference the same service account, in your case "my-service-account-X@foo". You can confirm this by getting a token from both. For example, for default:

curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token -H "Metadata-Flavor: Google"

You'll see you actually get the same token from both default and my-service-account-X@foo. It is "aliased" to default so that you can use Application Default Credentials easily from your instance.
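A small audit script that carries out the check the answer describes, added here as an example and not part of the original answer: it walks the service-accounts/ listing, reads the email, scopes and token of each entry, and reports which entries are merely aliases of default (same email and same access token). The metadata endpoints (the listing, `<name>/email`, `<name>/scopes`, `<name>/token`) and the mandatory `Metadata-Flavor: Google` header are real GCE behaviour; the embedded responses in `SAMPLE` are constructed so the script runs outside GCE, and the full email `my-service-account-X@foo.iam.gserviceaccount.com` is an assumed expansion of the "my-service-account-X@foo" shown in the question.

```python
import json
import urllib.request

METADATA_ROOT = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"

def metadata_fetch(path):
    """Live fetch from the GCE metadata server. Only usable inside an instance;
    the Metadata-Flavor header is required, otherwise the server rejects the call."""
    req = urllib.request.Request(METADATA_ROOT + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

# Constructed sample responses, shaped like the real endpoints, so the audit runs offline.
SA_EMAIL = "my-service-account-X@foo.iam.gserviceaccount.com"  # assumed expansion of the question's alias
SAMPLE_TOKEN = json.dumps({"access_token": "ya29.constructed-sample", "expires_in": 3599, "token_type": "Bearer"})
SAMPLE = {
    "": f"{SA_EMAIL}/\ndefault/\n",
    f"{SA_EMAIL}/email": SA_EMAIL,
    "default/email": SA_EMAIL,
    f"{SA_EMAIL}/scopes": "https://www.googleapis.com/auth/cloud-platform\n",
    "default/scopes": "https://www.googleapis.com/auth/cloud-platform\n",
    f"{SA_EMAIL}/token": SAMPLE_TOKEN,
    "default/token": SAMPLE_TOKEN,
}

def sample_fetch(path):
    """Offline stand-in for metadata_fetch, backed by the constructed SAMPLE dict."""
    return SAMPLE[path]

def list_accounts(fetch):
    """The listing is one entry per line, each ending in '/'."""
    return [line.rstrip("/") for line in fetch("").splitlines() if line.strip()]

def describe_account(fetch, name):
    scopes = [s.strip() for s in fetch(f"{name}/scopes").splitlines() if s.strip()]
    token = json.loads(fetch(f"{name}/token"))
    return {
        "email": fetch(f"{name}/email").strip(),
        "scopes": scopes,
        "access_token": token["access_token"],
    }

def audit(fetch=metadata_fetch):
    """Return, per listed entry, its identity and whether it is just an alias of 'default'.
    Two entries are the same identity when the metadata server hands out the same
    email and the same access token for both."""
    accounts = {name: describe_account(fetch, name) for name in list_accounts(fetch)}
    default = accounts.get("default")
    aliased = {}
    for name, info in accounts.items():
        if name == "default" or default is None:
            continue
        aliased[name] = (info["email"] == default["email"]
                         and info["access_token"] == default["access_token"])
    return {"accounts": accounts, "aliased_to_default": aliased}

def distinct_identities(report):
    """Number of genuinely different service accounts attached to the instance."""
    return len({info["email"] for info in report["accounts"].values()})

if __name__ == "__main__":
    report = audit(sample_fetch)
    for name, info in report["accounts"].items():
        print(f"{name}: email={info['email']} scopes={info['scopes']}")
    print("aliases of default:", report["aliased_to_default"])
    print("distinct identities:", distinct_identities(report))
```

Run inside an instance with `audit()` (the default live fetch) instead of `audit(sample_fetch)`. When the only distinct identity is the custom account, the "default" entry grants nothing beyond what that account's IAM roles allow; the cloud-platform scope listed for it just means the OAuth scope is not narrowing the token further, and IAM is what decides which APIs the instance can actually call.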