Connect using service accounts

This document describes how to use a service account to connect to Compute Engine virtual machine (VM) instances using SSH. Setting up SSH for a service account enables you to configure apps to use SSH, which can help you to automate your workloads.

Before you begin

Create a service account.
If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
1. After installing the Google Cloud CLI, initialize it by running the following command:
```
gcloud init
```
  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
  
  Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
2. Set a default region and zone.

Manually connect to VMs as a service account

To connect to VMs as a service account, use one of the following methods:

Directly impersonate service account

Permissions required for this task

To perform this task, you must have the following permissions:

All the permissions included in the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator), on the service account. For details about how to grant this role on a singular service account, see Manage access to service accounts.
If you use OS Login, you require all the permissions included one of the OS Login IAM roles on the service account.
If you don't use OS Login, the service account also requires the compute.projects.setCommonInstanceMetadata permission.

Use the gcloud CLI --impersonate-service-account flag to connect directly to a VM using a service account's identity. Run the following command to connect to a VM as a service account:

gcloud compute ssh VM_NAME \
    --impersonate-service-account=SERVICE_ACCOUNT_EMAIL

Replace the following:

VM_NAME: the name of the VM you want to connect to the service account as.
SERVICE_ACCOUNT_EMAIL: the email address associated with the service account.

Impersonate service account from a VM

Permissions required for this task

To perform this task, you must have the following permissions:

All permissions included in the Service Account User role (roles/iam.serviceAccountUser) on the service account and your user account. For details about how to grant this role on a singular service account, see Manage access to service accounts.
If you use OS Login, you require all the permissions included one of the OS Login IAM roles on the service account and your user account.
If you don't use OS Login, you also require the compute.projects.setCommonInstanceMetadata permission on the service account and your user account.

You must additionally assign your service account to a VM and set the cloud-platform access scope on the VM.

Impersonate a service account from another VM by doing the following:

Connect to the VM that runs as a service account.
From the VM that runs as a service account, connect to other VMs using the same methods.

Note: Connection attempts made from within the VM that runs as the service account use the service account's identity.

What's next

Learn how to configure apps to use SSH.
Learn more about about how SSH connections work in Compute Engine, including SSH key configuration and storage.