Create provisioning service account and generate access key

Create a service account and generate a JSON access key.

Before you begin

Review the Service account for the CDP provisioning credential to learn what IAM permissions and IAM roles you need to assign to the service account that you will create.


  1. Log in to your Google Cloud account.

  2. Navigate to the project used for CDP.

  3. Navigate to the IAM & Admin.
  4. To create a custom role:
    1. Navigate to the Roles page.
    2. Click +Create Role.
    3. Specify a Title.
    4. Specify an ID.
    5. Click +Add Permissions.
    6. Add the required granular permission(s) as shown in the following screenshots:
    7. Use the same steps to add all the required permissions.
    8. Click Create.
  5. To create a service account:
    1. Navigate to the Service accounts page.
    2. Click Create service account.
    3. Enter a service account name.
    4. Click Create.
    5. Under Grant this service account access to project, choose the IAM roles to grant to the service account on the project. You need to assign all of the roles listed in the table.
    6. When you are done adding all the required roles, click Done to finish creating the service account.
  6. To generate an access key:
    1. Once your account has been created, find the row of the service account that you want to create a key for. In that row, click the (context menu) button, and then click Create key.
    2. Under Key type, select JSON and click Create.
    3. Clicking Create downloads the service account key file. You will use the JSON access key to register the service account as a credential in CDP.

Post-requisite step

Additionally, once you create the Logger and IDBroker service accounts, you need to update each of these two service accounts to grant the provisioning service account the Service Account User (iam.serviceAccountUser) role. The instructions are provided as part of Minimum setup for cloud storage.