This document describes the security guidelines and considerations for the
Application Integration product. If you are new to
Application Integration, we suggest that you start with
Application Integration overview.
Service accounts
A service account is a special kind of account used by an application, rather than a person.
A service account is identified by a unique email address. For more information, see
Service accounts.
Service accounts can be used to provide secure access to Google Cloud resources without
sharing your own login credentials. This prevents unauthorized access to your resources.
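The following are some of the best practices that you can follow when using a service account:
- Create a separate service account for each task or application. This lets you better manage access and keep track of which service accounts are being used for which tasks.
- Grant the service account only the permissions that it needs to perform its intended tasks.
- Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources. If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
- Monitor the usage of your service accounts and review the audit logs to ensure that they are being used as intended. This can help you to detect any unauthorized access or misuse of service accounts.
For more information, see Best practices for working with service accounts.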
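The audit-log review described in the practices above can be scripted. The following is an added example, not part of the original page or Google's own code: it checks constructed Cloud Audit Logs entries against an assumed list of services each service account is expected to call. The project, the account names and the `EXPECTED_SERVICES` mapping are hypothetical.

```python
import json

# Assumption: one service account per integration, each with a known set of
# Google Cloud services it is expected to call (hypothetical names).
EXPECTED_SERVICES = {
    "orders-sync@example-project.iam.gserviceaccount.com": {"storage.googleapis.com"},
    "invoice-mail@example-project.iam.gserviceaccount.com": {"pubsub.googleapis.com"},
}

# Constructed sample entries, one JSON object per line, trimmed to the
# Cloud Audit Logs fields this check reads. These are not real logs.
SAMPLE_LOG = """\
{"protoPayload": {"authenticationInfo": {"principalEmail": "orders-sync@example-project.iam.gserviceaccount.com"}, "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get"}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "orders-sync@example-project.iam.gserviceaccount.com"}, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey"}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "invoice-mail@example-project.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/example-project/serviceAccounts/invoice-mail@example-project.iam.gserviceaccount.com/keys/CONSTRUCTED_KEY_ID"}, "serviceName": "pubsub.googleapis.com", "methodName": "google.pubsub.v1.Publisher.Publish"}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "legacy-batch@example-project.iam.gserviceaccount.com"}, "serviceName": "storage.googleapis.com", "methodName": "storage.objects.list"}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get"}}
"""


def review(log_text, expected=EXPECTED_SERVICES):
    """Return (principal, finding, method) tuples for service-account activity."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line).get("protoPayload", {})
        auth = payload.get("authenticationInfo", {})
        principal = auth.get("principalEmail", "")
        if not principal.endswith(".gserviceaccount.com"):
            continue  # human principals are out of scope for this review
        service = payload.get("serviceName", "")
        method = payload.get("methodName", "")
        if principal not in expected:
            # An account nobody registered for a task.
            findings.append((principal, "unknown-service-account", method))
        elif service not in expected[principal]:
            # A known account calling a service outside its task.
            findings.append((principal, "unexpected-service", method))
        if "serviceAccountKeyName" in auth:
            # The request was authenticated with a service account key.
            findings.append((principal, "user-managed-key", method))
    return findings
```
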
Custom roles
Custom roles let you create fine-grained permissions that are tailored to your specific
needs. For example, you can create a custom role that allows a service account to read
and write data to a Cloud Storage bucket, but not delete it.
Custom roles are useful in managing access to your Google Cloud resources and ensuring that
users and applications have only the permissions required to perform their intended tasks.
You can create custom roles using Identity and Access Management (IAM)
and assign the roles to users, groups, or service accounts. For more information,
see Creating a custom role.
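To keep a custom role such as the read-and-write-but-not-delete example above aligned with its intent, and with the least-privilege practice for service accounts, the role definition can be checked automatically. The following is an added example, not code from the original page: the role dictionaries are constructed in the shape of an IAM role definition (`includedPermissions`), and the role ID, project and the `REQUIRED` and `FORBIDDEN_SUFFIXES` sets are assumptions.

```python
# Constructed custom role definition; the role ID and project are hypothetical.
BUCKET_READ_WRITE_ROLE = {
    "name": "projects/example-project/roles/bucketReadWrite",
    "title": "Bucket read/write, no delete",
    "stage": "GA",
    "includedPermissions": [
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.create",
    ],
}

# Assumed intent: what the task needs, and what the role must never hold.
REQUIRED = {"storage.objects.get", "storage.objects.list", "storage.objects.create"}
FORBIDDEN_SUFFIXES = (".delete", ".setIamPolicy")

# A drifted copy of the role (constructed) that picked up two permissions.
DRIFTED_ROLE = dict(
    BUCKET_READ_WRITE_ROLE,
    includedPermissions=BUCKET_READ_WRITE_ROLE["includedPermissions"]
    + ["storage.objects.delete", "storage.buckets.get"],
)


def check_role(role, required=REQUIRED, forbidden_suffixes=FORBIDDEN_SUFFIXES):
    """Compare a role's permissions with the intended set."""
    granted = set(role.get("includedPermissions", []))
    forbidden = {p for p in granted if p.endswith(forbidden_suffixes)}
    return {
        # Permissions the task needs but the role does not grant.
        "missing": sorted(required - granted),
        # Permissions the role must never grant (delete, policy changes).
        "forbidden": sorted(forbidden),
        # Anything else beyond the intended set: least-privilege drift.
        "extra": sorted(granted - required - forbidden),
    }


def is_acceptable(role):
    """True only when the role grants exactly the intended permissions."""
    return not any(check_role(role).values())
```

Because Cloud Storage requires `storage.objects.delete` to overwrite an existing object, a service account holding this role can create new objects but cannot replace existing ones.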
Authentication profiles
An authentication profile lets you configure and store the authentication details
for the connection in an integration. Instead of using a hard-coded authentication
configuration, you can use the built-in authentication profile configuration, which provides
enhanced security. Application Integration supports various
authentication types depending on the task. For more information, see
Compatibility of authentication types with tasks.
To prevent unauthorized access and provide enhanced security, it's recommended
to use an authentication profile if a task supports it.
Last updated 2025-08-29 UTC.