serviceAccount property

The email address of the service account for Cloud Workstations VMs created with this configuration.

When specified, be sure that the service account has logginglogEntries.create permission on the project so it can write logs out to Cloud Logging. If using a custom container image, the service account must have Artifact Registry Reader permission to pull the specified image. If you as the administrator want to be able to ssh into the underlying VM, you need to set this value to a service account for which you have the iam.serviceAccounts.actAs permission. Conversely, if you don't want anyone to be able to ssh into the underlying VM, use a service account where no one has that permission. If not set, VMs run with a service account provided by the Cloud Workstations service, and the image must be publicly accessible.

Optional.