Before IAM, the issue I had with service accounts is that I forgot to give the account Edit permissions. It seems the new way is like how @i_have_to_speak mentioned to use service account for an instance, which can only be done during creation of the instance, if you don't want to distribute keys. Then the newest way, that's still in beta, is to use IAM roles to further restrict the access scopes of that instance service account.