gcloud iam service-accounts is the GCP command group for managing service accounts: create, list, delete, and modify IAM bindings.
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME --description="DESCRIPTION" --display-name="DISPLAY_NAME"
The following commands and flags are taken from official Google Cloud documentation. All examples use the current gcloud CLI syntax, and every command supports gcloud-wide flags such as --project, --account, and --quiet.
Syntax
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
    --member=user:USER_EMAIL \
    --role=ROLE_NAME
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
    --role=ROLE_NAME
gcloud iam service-accounts list
gcloud iam service-accounts delete SERVICE_ACCOUNT_EMAIL
Flags
--description (string): Optional description for the service account. Maximum 256 characters.
--display-name (string): Human-readable display name. If omitted, defaults to the service account name.
--member (string): Principal to grant or revoke (e.g., user:email, serviceAccount:email). Required for bindings.
--role (string): IAM role identifier (e.g., roles/iam.serviceAccountUser, roles/storage.objectAdmin). Required for bindings.
Usage Examples
1. Create a Service Account
gcloud iam service-accounts create ci-runner \
    --description="Service account for CI/CD pipeline" \
    --display-name="CI Runner SA"
Creates the service account under the current project. The resulting email is ci-runner@PROJECT_ID.iam.gserviceaccount.com.
2. Grant a User Permission to Impersonate the Service Account
gcloud iam service-accounts add-iam-policy-binding \
    ci-runner@my-project.iam.gserviceaccount.com \
    --member="user:alice@example.com" \
    --role="roles/iam.serviceAccountUser"
Grants Alice the Service Account User role on this specific service account (not project-wide), allowing her to use it.
3. Grant the Service Account a Project-Level IAM Role
gcloud projects add-iam-policy-binding my-project-id \
    --member="serviceAccount:ci-runner@my-project.iam.gserviceaccount.com" \
    --role="roles/storage.objectAdmin"
Assigns the Storage Object Admin role to the service account at the project level.
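The three steps above as one script. This is an added example, not code from the page or from Google: it validates the account ID and description locally before calling gcloud, checks that the account exists before binding (the condition behind the "does not exist" error in the FAQ), and then lists the roles the account holds so the grant can be confirmed. The project ID and account name are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or Google): wrapper around the page's
# create / bind / verify steps. PROJECT and NAME defaults are placeholders.
set -eu

# Compose the email GCP assigns: NAME@PROJECT_ID.iam.gserviceaccount.com
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# GCP account IDs: 6-30 chars, lowercase letters, digits and hyphens,
# first char a letter, last char a letter or digit.
valid_sa_name() {
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
  printf '%s' "$1" | grep -Eq '^[a-z]([-a-z0-9]*[a-z0-9])?$'
}

# --description is capped at 256 characters (see the Flags section).
valid_description() {
  [ "${#1}" -le 256 ]
}

# Roles bound to a member in the project IAM policy, one per line
# (needs gcloud and permission to read the policy).
granted_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

main() {
  project="${1:-my-project-id}"; name="${2:-ci-runner}"
  desc="Service account for CI/CD pipeline"
  valid_sa_name "$name" || { echo "bad account id: $name" >&2; exit 1; }
  valid_description "$desc" || { echo "description > 256 chars" >&2; exit 1; }
  email="$(sa_email "$name" "$project")"
  # Create only if missing: describe fails when the account does not exist.
  if ! gcloud iam service-accounts describe "$email" --project="$project" >/dev/null 2>&1; then
    gcloud iam service-accounts create "$name" --project="$project" \
      --description="$desc" --display-name="CI Runner SA"
  fi
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$email" --role="roles/storage.objectAdmin" >/dev/null
  # Print every role the account now holds so the new grant can be reviewed.
  granted_roles "$project" "serviceAccount:$email"
}

# Only touch GCP when asked: RUN_GCLOUD=1 ./sa.sh my-project-id ci-runner
if [ -n "${RUN_GCLOUD:-}" ]; then main "$@"; fi
```

A freshly created account can take a few seconds to become visible to IAM, so if the binding step reports that the account does not exist right after creation, re-run the script rather than assuming the email is wrong.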
Frequently Asked Questions
What is the --description flag used for?
It sets an optional description for the service account, useful for auditing and organization. The description can be up to 256 characters.
How do I grant a user the ability to use a service account?
Use gcloud iam service-accounts add-iam-policy-binding with --member="user:EMAIL" and --role="roles/iam.serviceAccountUser". This allows the user to impersonate the service account.
Why do I get an error that the service account does not exist when binding?
Ensure the service account email is correct and that it exists in the current project. Verify with gcloud iam service-accounts list. The email must follow the pattern sa-name@PROJECT_ID.iam.gserviceaccount.com.
Can I create a service account with only a display name and no description?
Yes. The --description flag is optional. If --display-name is omitted, it defaults to the service account name.
How do I list all service accounts in a project?
Run gcloud iam service-accounts list. Output includes the email, display name, and unique ID for each service account.

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.