What does it mean to create a service identity in GCP?

This is a very short article to briefly discuss a poorly documented beta feature in GCP. The ability to create a service identity for an API.

Creating a service identity, is the process of creating a service account, with a predefined email address for a specific API or service. This service account is used by Google or third parties to provide the credentials needed for the services that are provided by Google.

For example, if you create a service identity for containerscanning.googleapis.com:

$ gcloud beta services identity create service containerscanning.googleapis.com
Service identity created: service-1234567890@gcp-sa containerscanning.iam.gserviceaccount.com

The service account service-1234567890@gcp-sa-containerscanning.iam.gserviceaccount.com is created with the role “Container Scanner Service Agent” assigned to it.

Note that you don’t necessarily need to create the service identity, for the service account to be created. When you enable a service using “gcloud service enable <API_NAME>” the SA eventually gets created on first use.