Service accounts are needed for scenarios where a workload, such as a custom application, needs to access Google Cloud resources or perform actions.

After your VM is configured to use the service account, applications can then use the service account to authenticate.

The most common method is to authenticate by using Application Default Credentials and a client library. Some Google Cloud tools such as the gcloud CLI are able to automatically use the service account to access Google Cloud APIs from a VM.