Skip to content
Latchkey

gcloud iam service-accounts create: Usage & CI Errors

Create a service account for automation - then grant it least-privilege roles.

gcloud iam service-accounts create makes a new service account identity. Creation only mints the identity; you grant access separately with IAM policy bindings, and bind it to Workload Identity for keyless CI.

What it does

The command creates a service account with a generated email (NAME@PROJECT.iam.gserviceaccount.com). It has no permissions until you add role bindings with gcloud projects add-iam-policy-binding. For CI, prefer binding it to a Workload Identity pool over creating a downloadable key.

Common usage

Terminal
# Create a service account
gcloud iam service-accounts create ci-deployer \
  --display-name="CI Deployer"

# Grant it a role on the project (least privilege)
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com" \
  --role="roles/run.admin"

Common error in CI: account has no permissions / iam.disableServiceAccountKeyCreation

A freshly created service account fails everything with "PERMISSION_DENIED" because creation grants no roles, and key creation may be blocked by the org policy "iam.disableServiceAccountKeyCreation". Fix: add explicit role bindings with add-iam-policy-binding for exactly what CI needs; do not over-grant Owner/Editor. Instead of a JSON key, configure Workload Identity Federation (google-github-actions/auth) so CI impersonates the account keylessly - which also sidesteps the key-creation org policy.

Key options

Command / optionPurpose
ACCOUNT_IDRequired short name (becomes the email)
--display-nameHuman-readable name
add-iam-policy-bindingGrant a role (separate command)
--member serviceAccount:...The principal to bind
--role roles/...The role to grant

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →