A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
A service account is identified by its email address, which is unique to the account.
With Google-managed key pairs, Google stores both the public and private portions of the key and rotates them regularly (each key can be used for signing for at most two weeks); the private key is always held in escrow and is never directly accessible. IAM provides APIs that use these keys to sign on behalf of the service account.
<<home-project-name>>@<<project-id>>.iam.gserviceaccount.com
Repeat the above process for other products
Later, you can remove the excess permissions when you want to restrict access.
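Two checks a reviewer would want from the points above (the email form of a service account and the two-week signing window of Google-managed keys), as an added example that is not part of the original post: it validates that an identity is a service account email of the documented form and reviews a constructed `gcloud iam service-accounts keys list --format=json` style key list, flagging any key whose private material is not in Google's escrow (`USER_MANAGED`) or whose signing window is longer than two weeks. The field names and the sample records are assumptions modelled on that output, not data from the post.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# <name>@<project-id>.iam.gserviceaccount.com; the character rules for the
# two parts are assumed from the ID naming rules, lengths are not enforced.
SA_EMAIL_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*[a-z0-9])@(?P<project>[a-z][a-z0-9-]*[a-z0-9])"
    r"\.iam\.gserviceaccount\.com$"
)

# Google-managed keys sign for at most two weeks; anything longer is an anomaly.
MAX_GOOGLE_MANAGED_LIFETIME = timedelta(weeks=2)


def service_account_project(email):
    """Return the project id if `email` is a service account email, else None."""
    match = SA_EMAIL_RE.match(email)
    return match.group("project") if match else None


def _parse_rfc3339(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_keys(keys_json):
    """Return (key_id, reason) findings for keys that deserve attention."""
    findings = []
    for key in json.loads(keys_json):
        key_id = key["name"].rsplit("/", 1)[-1]
        lifetime = _parse_rfc3339(key["validBeforeTime"]) - _parse_rfc3339(key["validAfterTime"])
        if key["keyType"] != "SYSTEM_MANAGED":
            findings.append((key_id, "user-managed key: private key is not held in Google's escrow"))
        elif lifetime > MAX_GOOGLE_MANAGED_LIFETIME:
            findings.append((key_id, f"signing window of {lifetime.days} days exceeds two weeks"))
    return findings


# Constructed sample: one healthy Google-managed key, one user-managed key,
# one Google-managed key with an implausibly long validity window.
SA_PREFIX = "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = json.dumps([
    {"name": SA_PREFIX + "aaa111", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2024-01-14T00:00:00Z"},
    {"name": SA_PREFIX + "bbb222", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2034-01-01T00:00:00Z"},
    {"name": SA_PREFIX + "ccc333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2024-03-01T00:00:00Z"},
])

if __name__ == "__main__":
    print(service_account_project("app@demo-project.iam.gserviceaccount.com"))
    for key_id, reason in review_keys(SAMPLE_KEYS):
        print(key_id, reason)
```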