Hero Background

Next-Gen App & Browser Testing Cloud

Trusted by 2 Mn+ QAs & Devs to accelerate their release cycles

Next-Gen App & Browser Testing Cloud

What is a service account, and how do I create it?

A service account is a non-human identity used by an application, virtual machine, script, or CI/CD pipeline to authenticate and act on its own, rather than on behalf of a human user. You create one from your platform's identity console, for example Google Cloud IAM, AWS IAM, Azure, or Kubernetes, by defining the account, granting it least-privilege roles, and issuing it short-lived credentials or a key.

Because service accounts run automated workloads without a person present, they are the backbone of secure automation, API access, and continuous testing. This guide explains what they are, how they differ from user accounts, and how to create one across the major platforms.

What Is a Service Account?

A service account is a special account created to provide a security context for software rather than a person. It has an identity, a set of permissions, and credentials, but no interactive login and no password to type. Applications use it to call APIs, read from databases, deploy resources, or run scheduled jobs in a predictable, auditable way. In security terms, service accounts are a category of non-human identity, and because they often hold broad, standing access, they represent a significant attack surface that needs rigorous governance.

Service Account vs User Account

  • Who it represents: a user account represents a human; a service account represents an application or workload.
  • Authentication: users sign in interactively with a password and MFA; service accounts authenticate non-interactively with keys, tokens, or managed credentials.
  • Lifecycle: user accounts follow HR onboarding and offboarding; service accounts are created, rotated, and decommissioned as part of application lifecycle.
  • Access pattern: users act during working hours; service accounts often need standing, always-on access, which is why least privilege matters more.

How to Create a Service Account in Google Cloud

Google Cloud is the most common context for this question. Using the Console:

  • Sign in to the Google Cloud Console and select the target project.
  • Open the navigation menu and go to IAM & Admin > Service accounts.
  • Click Create service account, then enter a descriptive name and ID such as ci-test-runner.
  • Grant only the roles the workload needs, following least privilege, then click Done.
  • If, and only if, the workload cannot use workload identity, create a JSON key from the Keys tab and store it in a secrets manager.

The same result can be scripted with the gcloud CLI, which is ideal for repeatable, version-controlled setup:

# Create the service account
gcloud iam service-accounts create ci-test-runner \
  --display-name="CI Test Runner"

# Grant a narrow, least-privilege role
gcloud projects add-iam-policy-binding MY_PROJECT_ID \
  --member="serviceAccount:ci-test-runner@MY_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

# Create a key only if you truly need one
gcloud iam service-accounts keys create key.json \
  --iam-account=ci-test-runner@MY_PROJECT_ID.iam.gserviceaccount.com

Creating Service Accounts on Other Platforms

  • AWS: AWS has no object literally called a service account; use an IAM role assumed by the service (EC2, Lambda, ECS) so no long-lived keys exist. For humans-out automation, IAM roles with temporary credentials are the recommended pattern.
  • Azure: use a managed identity (system- or user-assigned) or an app registration with a service principal in Microsoft Entra ID.
  • Kubernetes: a ServiceAccount is a first-class API object; a workload references it to obtain a scoped, short-lived token for talking to the API server.
  • Windows Server / Active Directory: prefer group Managed Service Accounts (gMSAs), which rotate their own passwords automatically.
# Kubernetes example
kubectl create serviceaccount ci-test-runner --namespace default

Service Account Security Best Practices

  • Least privilege: grant only the exact permissions the task needs, never broad Owner or Editor roles.
  • Avoid long-lived keys: prefer workload identity, IAM roles, or managed identities that issue short-lived credentials.
  • Rotate and expire credentials: when a key is unavoidable, rotate it on a schedule and set an automatic expiry.
  • Store secrets safely: keep credentials in a secrets manager or protected CI variable, never in source control.
  • Audit and decommission: monitor usage, alert on anomalies, and delete accounts once their purpose is fulfilled.

Common Mistakes and Troubleshooting

  • Over-permissioning: assigning Owner "to make it work" is the most common and most dangerous mistake. Scope down and retry.
  • Committing keys to Git: a leaked JSON key is a full credential. Revoke it immediately and rotate if it happens.
  • Permission errors in CI: a 403 usually means a missing role binding, not bad credentials. Verify the exact role the API requires.
  • Reusing one account everywhere: a single shared account makes auditing impossible. Create one per workload.
  • Never rotating: stale keys accumulate risk. Automate rotation as part of the account lifecycle.

Conclusion

A service account is a non-human identity that lets applications and automation authenticate securely on their own. Create one from your platform's identity console or CLI, grant it least-privilege roles, and prefer short-lived credentials over long-lived keys. Rotate, audit, and decommission accounts as part of their lifecycle, and treat their credentials with the same care as any high-value secret. Done right, service accounts make secure, hands-off automation and continuous testing possible at scale.

Frequently Asked Questions

What is the difference between a service account and a user account?

A user account represents a human who signs in interactively, while a service account is a non-human identity used by an application, script, or VM to authenticate automatically. Service accounts have no interactive login and are governed by keys, tokens, or managed credentials.

How do I create a service account in Google Cloud?

In the Google Cloud Console, open IAM & Admin, select Service accounts, click Create service account, give it a name and description, grant the least-privilege roles it needs, and finish. Create a key only if the workload cannot use a more secure method such as workload identity.

Should I use service account keys?

Avoid long-lived JSON keys when possible. Prefer short-lived credentials, workload identity federation, IAM roles, or managed identities. If you must use a key, store it in a secrets manager, rotate it regularly, and set an expiry to limit exposure.

What permissions should a service account have?

Grant only the permissions strictly required for the task, following the principle of least privilege. Use narrow, purpose-built roles rather than broad ones like Editor or Owner, and add IAM conditions or permission boundaries to constrain the scope.

Can I use a service account for automated testing?

Yes. Service accounts are ideal for CI/CD pipelines and test automation because they authenticate non-interactively. Store their credentials as protected CI secrets and grant only the access the test run needs.

Related Questions

Test Your Website on 3000+ Browsers

Get 100 minutes of automation test minutes FREE!!

Test Now...

KaneAI - Testing Assistant

World’s first AI-Native E2E testing agent.

...

TestMu AI forEnterprise

Get access to solutions built on Enterprise
grade security, privacy, & compliance

  • Advanced access controls
  • Advanced data retention rules
  • Advanced Local Testing
  • Premium Support options
  • Early access to beta features
  • Private Slack Channel
  • Unlimited Manual Accessibility DevTools Tests