Register a service account

Instructions for registering a service account to run automated processes

Purpose: This document explains how to create and register a service account in Verily Workbench.



Introduction

When building any automation in Workbench, it is best practice to use service accounts rather than an individual's private credentials. Read on for step-by-step instructions to register a service account to use in Workbench.

When to use a service account in Workbench

You may want to use an external service account with Workbench in cases where automation outside of a cloud app is preferable. For example, you could add a registered service account as a READER to a workspace in order to automate reading resources in a Cloud Function. You could also automate management of Workbench groups by having a registered service account call the Workbench CLI.

Note on external access management

If you are looking to access your own private external-to-Workbench GCP resources from within Workbench (e.g., get data from an external Google bucket or run ML VMs in a notebook), use a Workbench-managed group instead of a service account. To learn more, see How to create and manage Verily Workbench groups.

Step-by-step instructions

1. Create a service account

Follow the step-by-step instructions in the Google Cloud support doc to set up your service account.

2. Have the Workbench team invite the service account

Please contact workbench-support@verily.com or your primary Workbench contact to have the service account invited to Workbench.

3. Register the service account

Once the service account has been invited, an additional step is needed to complete registration.

From a terminal in which you have gcloud installed and have authenticated with your user account, run the following commands to make the API request that completes registration. Your user account needs the roles/iam.serviceAccountTokenCreator role on the service account.

SERVICE_ACCOUNT_EMAIL='' # Include the actual service account email here
# Mint an access token for the service account by impersonating it
TOKEN="$(gcloud auth print-access-token --impersonate-service-account="${SERVICE_ACCOUNT_EMAIL}")"
# Call the registration endpoint as the service account
curl -X POST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" https://terra-sam.api.verily.com/register/user/v2/self

The service account is now registered with Workbench! You are now able to share workspaces with this address or use it to call APIs in Workbench.
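A hardened variant of the step 3 request, added here as an example and not part of the original Workbench documentation: it rejects anything that does not look like a service account address, stops on a failed or empty token, and hands the bearer token to curl on stdin so it never appears in the process list. The function names and the `.gserviceaccount.com` suffix check are assumptions of this example; `-H @-` requires curl 7.55.0 or later.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Workbench tooling.
SAM_REGISTER_URL='https://terra-sam.api.verily.com/register/user/v2/self'  # endpoint from the page

# Succeeds only for an address shaped like NAME@<something>.gserviceaccount.com.
# Assumption: the account from step 1 uses a Google-issued service account domain.
is_service_account_email() {
  case "$1" in
    *[!A-Za-z0-9@.-]*) return 1 ;;   # whitespace, quotes, shell metacharacters
    *@*@*) return 1 ;;               # more than one '@'
    ?*@?*.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs in a subshell, so 'exit' only sets this function's return status.
register_service_account() (
  email=$1
  if ! is_service_account_email "$email"; then
    echo "refusing to register: not a service account address: $email" >&2
    exit 2
  fi
  # Short-lived token minted by impersonation; the caller needs
  # roles/iam.serviceAccountTokenCreator on the service account.
  token=$(gcloud auth print-access-token --impersonate-service-account="$email") || exit 3
  [ -n "$token" ] || { echo "gcloud returned an empty token" >&2; exit 3; }
  # printf is a shell builtin, so the token is written to the pipe and is
  # never placed in any process's argument list. curl reads the header from
  # stdin (-H @-) and --fail turns an HTTP error into a non-zero exit status.
  printf 'Authorization: Bearer %s\n' "$token" |
    curl --silent --show-error --fail -X POST \
      -H @- -H 'Content-Type: application/json' "$SAM_REGISTER_URL"
)

# Runs only when an address is supplied in the environment.
if [ -n "${SERVICE_ACCOUNT_EMAIL:-}" ]; then
  register_service_account "$SERVICE_ACCOUNT_EMAIL"
fi
```
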

Last Modified: 16 July 2024