Register a service account in Workbench
Introduction
When building any automation in Verily Workbench, it is best practice to use service accounts rather than an individual's personal credentials. Read on for step-by-step instructions to register a service account for use in Workbench.
When to use a service account in Workbench
An external service account is a good fit when you prefer to run automation outside of a cloud environment. For example, you could add a registered service account as a reader to a workspace in order to automate reading resources in a Cloud Function. Or you could automate management of Workbench groups by having a registered service account call the Workbench CLI.
Note on external access management
If you are looking to access your own private external-to-Workbench GCP resources from within Workbench (e.g., get data from an external Google bucket, run ML VMs in a notebook, etc.), use a Workbench-managed group instead of a service account. To learn more, see “How to create and manage Workbench groups”.
Step 1: Create a service account
Follow the step-by-step instructions in the Google Cloud support doc to set up your service account.
Step 2: Have the Workbench team invite the service account
Please contact workbench-support@verily.com or your primary Workbench contact to have the service account invited to Workbench.
Step 3: Register a service account
Once the service account has been invited, an additional step is needed to complete registration.
From a terminal in which you have gcloud installed and have authenticated with your user account, run the following commands to make the API request that completes registration. Your user account needs the roles/iam.serviceAccountTokenCreator role on the service account.
SERVICE_ACCOUNT_EMAIL='' # Include the actual service account email here
# Mint a short-lived access token by impersonating the service account
TOKEN="$(gcloud auth print-access-token --impersonate-service-account="${SERVICE_ACCOUNT_EMAIL}")"
# Call the registration endpoint as the service account
curl -X POST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" https://terra-sam.api.verily.com/register/user/v2/self
The service account is now registered with Workbench! You are now able to share workspaces with this address or use it to call APIs in Workbench.
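The Step 3 commands can also be wrapped so that they stop on the first failure instead of posting an empty or wrong token. The script below is an added example, not Verily's own code: the function names, exit codes and script name are assumptions made here, while the gcloud command and the registration URL are the ones shown above.

```bash
#!/usr/bin/env bash
# Added example: the Step 3 commands wrapped with fail-closed checks.
# Function names and exit codes are illustrative, not part of Workbench.
SAM_REGISTER_URL='https://terra-sam.api.verily.com/register/user/v2/self'  # URL from the page

# Accept only addresses in a gserviceaccount.com domain, so an empty
# placeholder or a personal user address is rejected before gcloud runs.
is_service_account_email() {
  case "$1" in
    *[[:space:]]*|*@*@*) return 1 ;;
    ?*@?*.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

register_service_account() {
  local email="$1" token status
  if ! is_service_account_email "$email"; then
    echo "error: '$email' is not a service account address" >&2
    return 2
  fi
  # Impersonation requires roles/iam.serviceAccountTokenCreator on the
  # service account; if gcloud fails or returns nothing, stop here.
  if ! token="$(gcloud auth print-access-token \
        --impersonate-service-account="$email")" || [ -z "$token" ]; then
    echo "error: could not obtain a token for $email" >&2
    return 3
  fi
  # Send the Authorization header on stdin (-H @-, curl 7.55.0 or later) so
  # the bearer token is not visible in the process list. -w prints the status.
  status="$(printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS -o /dev/null -w '%{http_code}' -X POST \
      -H @- -H 'Content-Type: application/json' "$SAM_REGISTER_URL")" || return 4
  case "$status" in
    2??) echo "registered $email (HTTP $status)" ;;
    *) echo "error: registration returned HTTP $status" >&2; return 5 ;;
  esac
}

# Run only when an address is given: ./register-sa.sh NAME@PROJECT.iam.gserviceaccount.com
if [ "$#" -gt 0 ]; then register_service_account "$1"; fi
```

The token is held only in a shell variable and is never printed; any non-2xx response from the registration endpoint is reported as an error rather than assumed to be success.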
Last Modified: 16 November 2023