Some service providers use a service account to provide additional functionality to their software. They can provide access to a page that explains the Identity and Access Management (IAM) roles the service account requires and that you use to grant the roles to the service accounts. You can revoke the access at any time.
If you cancel your purchase, you must manually revoke the access and remove any resources created for the service account.
Before you begin
You must have the Owner (
roles/owner
) role, ORYou must have the
resourcemanager.projects.getIamPolicy
ANDresourcemanager.projects.setIamPolicy
permissions.Verify with your Organization Admin that you can grant IAM roles to service accounts across projects or organizations. For more information around restrictions that might be applied to your organization, see Restricting identities by domain or Disable attachment of service accounts to resources in other projects.
Granting access to a service account
This grants the roles listed on the page to service account for all the projects listed on the page.
Open the link provided by your service provider. It's usually on the app's management console.
Review the roles your provider wants the service account to have.
To choose a project, click Select Project. If the app is included in multiple projects that you have access to, you can select all those projects. If a project is greyed out, you don't have sufficient privileges to grant the service account access to it.
If you don't want to grant the service account access, click Remove to delete it from the list.
Click Grant.
The listed roles are granted to service account for all the projects listed on the Project with granted access section.
Remove access to your app
You can revoke a service account's access to the app at any time.
Open the link provided by your service providers. It's usually on the app's management console.
Click Select Project, and then select the project you don't want the service account to access anymore. If a project is greyed out, you don't have sufficient privileges to grant the service account access to it.
In the Project with granted access list, click Remove Access next to the service account that you no longer want to be able to access your project.
You can grant access to the service account after the access has been revoked.
If you are permanently removing access to your app, view your service provider's documentation to ensure you remove any resources created for the service account.
Remove access to your app manually
If you want to revoke a service account's access manually, or have cancelled your purchase, use the IAM page in the console.
View the IAM documentation on Granting, changing, and revoking access for users for more information.
If you are permanently removing access to your app, view your service provider's documentation to ensure you remove any resources created for the service account.
Verifying service account roles
To verify the access granted or removed from a service account, open the IAM page in the console and find the service account. Ensure that the listed roles match the roles granted to the service account.