Service account under own domain

Question

I am working on a client project where I need a service account that can pull data from the clients Google Analytics setup to a GCP Bigquery DB. The issue is that the client won't allow access to users not under an owned domain (eg. something like @mydomain.com) When I create a service account I get something like the following:

analytics-service@project_id.iam.gserviceaccount.com

However the client requires that we have a service account similar to:

analytics-service@mydomain.com

While I can provision the email needed for this in our system, I’m not sure how to connect an existing email on a custom domain to a service account, because when creating a service account the domain seems to be locked to @project_id.iam.gserviceaccount.com.

Is it possible to create a service account using an existing email adresse for a custom domain?

Answer 1

The service account are technical identity linked to a project (that's why you have the project ID in it). You can't use your own domain for this. You can imagine to create account in the Google admin console, but it's user account and you will need to be authenticated to use them.

With service account, when you need to use them from outside GCP, you can download a service account key file that contain a secret (a private key) and which allows you to be authenticated.

So, the answer is NO (or even it's possible, it's not recommended, some feature aren't accessible from user account, only service account can). Your customer need to trust the cloud provider authentication mechanism.