by i_have_to_speak 3706 days ago
Rather than IAM, you can as well just associate the service account with the VM, in which case you don't have to copy around the JSON file with the private key. Any gcloud calls from the VM will not need explicit authorization.

I had some issues with the service account approach. (Might have been me being dumb.) I'll give that a shot.
Before IAM, the issue I had with service accounts is that I forgot to give the account Edit permissions. It seems the new way is, as @i_have_to_speak mentioned, to use a service account for an instance, which can only be done during creation of the instance, if you don't want to distribute keys. Then the newest way, that's still in beta, is to use IAM roles to further restrict the access scopes of that instance service account.