gcloud iam service-accounts create: Usage & CI Errors
Create a service account for automation - then grant it least-privilege roles.
gcloud iam service-accounts create makes a new service account identity. Creation only mints the identity; you grant access separately with IAM policy bindings, and bind it to Workload Identity for keyless CI.
What it does
The command creates a service account with a generated email (NAME@PROJECT.iam.gserviceaccount.com). It has no permissions until you add role bindings with gcloud projects add-iam-policy-binding. For CI, prefer binding it to a Workload Identity pool over creating a downloadable key.
Common usage
# Create a service account
gcloud iam service-accounts create ci-deployer \
--display-name="CI Deployer"
# Grant it a role on the project (least privilege)
gcloud projects add-iam-policy-binding my-project \
--member="serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com" \
--role="roles/run.admin"Common error in CI: account has no permissions / iam.disableServiceAccountKeyCreation
A freshly created service account fails everything with "PERMISSION_DENIED" because creation grants no roles, and key creation may be blocked by the org policy "iam.disableServiceAccountKeyCreation". Fix: add explicit role bindings with add-iam-policy-binding for exactly what CI needs; do not over-grant Owner/Editor. Instead of a JSON key, configure Workload Identity Federation (google-github-actions/auth) so CI impersonates the account keylessly - which also sidesteps the key-creation org policy.
Key options
| Command / option | Purpose |
|---|---|
| ACCOUNT_ID | Required short name (becomes the email) |
| --display-name | Human-readable name |
| add-iam-policy-binding | Grant a role (separate command) |
| --member serviceAccount:... | The principal to bind |
| --role roles/... | The role to grant |