I have created service account in Google cloud, but I am not able to either sign-in or perform other actions with that account. Please help me on this.
I need to perform actions in Admin console for which I need to sign in as super administrator of the G Suite domain, also enabled Gsuite Domain-wide delegation, but still getting error while trying to access/sign-in service account.
Admin console steps
Domain Delegation
Service account signin error
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs, I mean , it is an account used by an application or a virtual machine (VM) instance, not a person, so you can't login into the Admin Console with your Service Account.
Please take a look at this documentation for further details: Understanding service accounts
According to the official documentation
These are the differences between a service account and a user account:
- Service accounts do not have passwords, and cannot log in via browsers or cookies.
- Service accounts are associated with private/public RSA key-pairs that are used for authentication to Google.
- You can let other users or service accounts impersonate a service account.
- Service accounts are not members of your Google Workspace domain, unlike user accounts. If you share Google Workspace assets, like docs or events, with all members in your Google Workspace domain, they are not shared with service accounts. Similarly, Google Workspace assets created by a service account are not created in your Google Workspace domain. As a result, your Google Workspace and Cloud Identity admins can't own or manage these assets.
It is worth mentioning that you can use domain-wide delegation to grant third-party and internal applications access to your users' data, but not a person. App developers and administrators can create service accounts with OAuth 2.0. Then, you authorize the service accounts to access your users' data without requiring each user to give consent,
Typical apps granted domain-wide delegation are:
- Google Workspace migration and sync tools
- Internal apps (for example, automation apps) that developers create for your organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.
- Three-legged OAuth apps, which normally require individual user consent. Users activate apps without being prompted for consent, and you can specify the user data that the apps can access.
You can obtain more information in this link: Control API access with domain-wide delegation
